Marks and Spencer cyber attack insurance claim could hit £100m

Marks and Spencer could be set to claim as much as £100m from its cyber insurance policy following a the Easter cyber attack that disrupted operations, compromised customer data, stopped online sales, halted recruitment and even emptied physical shelves at the Leeds-founded retail giant.

The retailer admitted on Tuesday that personal information, including customer contact details, dates of birth, and online order histories, were accessed by hackers in a breach that crippled its online system for nearly three weeks, although M&S stressed that payment details and account passwords were not compromised.

The Financial Times has now reported that M&S’s cyber insurance policy, arranged by WTW, allows claims of up to £100m. German insurer Allianz is reportedly the primary carrier on the policy, and will be expected to cover the first £10m of the claim. Lloyd’s of London insurer Beazley is also among those exposed to the claim.

The FTSE 100 retailer’s full year results are due next week, and an update on the financial impact of the attack is to be expected at the same time – one cyber security expert told Prolific North it could take as long as three years for the retailer to fully recover.

READ MORE: Tim Davie: BBC licence fee is not over, and Gary Lineker needs to follow social media policy

Based on average daily revenue, analysts have estimated that the retail giant may have lost over £60m in online sales so far.

The hack also disrupted operations in physical shops, where some outlets struggled to maintain normal stock levels.

The attack has also damaged investor confidence, with M&S shares falling about 16 per cent, wiping around £1.3bn off the company’s market value, since the breach on 22 April.

M&S’s payout, which looks likely to be one of the largest in UK retail history, could serve as a crucial test case for the industry. The FT quoted senior insurance figures who said that the policy would likely pay out in full for both direct business losses and third party liabilities, if a third party vendor was ultimately found to be responsible for the breach.

Cyber attacks have cost UK businesses an estimated £44m in lost revenue over the past five years, according to a report by broker Howden, with over half of all UK firms experiencing at least one attack during that time.