This article is by Chloe Derrick, Partner, Policyholder Disputes, at Stewarts.

Yet again, 2025 was an unprecedented year for high-profile cyber incidents, with attacks on several household names hitting headlines nationwide. This has led to rising concern over the UK’s ability to withstand increasing cyber threats, and with good reason: the Cyber Security Breaches Survey 2025 reported that in the last year alone, 45% of businesses have experienced a cyber incident. The wide-ranging financial and operational impact of cyber events means that cyber security is now an enterprise risk, as opposed to an IT risk. Despite this, an overwhelming 57% of businesses are reported to be uninsured for cyber risks. In a recent speech to the Corporation of the City of London, Nikhil Rathi, CEO of the Financial Conduct Authority, voiced his fear that the nation was “massively underinsuring” when it came to cyber risks.
It is unsurprising that against this background, cyber insurance continues its growth trajectory as the fastest-growing global insurance product, with 41% of large enterprises planning to purchase cyber coverage for the first time within the next five years. Cyber coverage, however, remains a relatively new line of business, and the scope of coverage available can vary significantly, particularly for business interruption. The recent highly publicised attacks on the retail sector have sparked increasing debate around how cyber insurance may respond (if purchased) to cover large-scale business interruption losses.
In 2024, the CrowdStrike incident drew attention to coverage issues arising from single-point-of-failure loss events, including coverage for non-malicious events, waiting period conditions and potentially relevant exclusions. In the event, the CrowdStrike outage did not in most cases result in extended operational outages, meaning that large volumes of notifications did not crystallise into claims for covered losses. The question of how the market will respond to a systemic cyber event therefore remains very much live.
Since then, 2025 has been rife with malicious attacks by cyber criminals on the retail sector, with a number of household names including Marks & Spencer, Jaguar Land Rover, Harrods and the Co-op on the front line.
In April 2025, the Co-op found itself the target of a sophisticated, large-scale cyber-attack, reported to have cost it £206m in lost sales. Alongside the operational impact, the Co-op subsequently reported that the personal data of 6.5 million of its members was stolen during the incident. It was reported to have only had limited insurance cover in place for immediate cyber response, rather than back-end losses.
Similarly, another major UK retailer, Marks & Spencer, was hit by a large-scale cyber incident that suspended its online shopping and disrupted operations over the Easter weekend. Online sales only resumed after 46 days of disruption, causing a reported business interruption loss of £300m, of which only £100m was said to be insured. Customer data was also stolen.

In August 2025, Jaguar Land Rover (“JLR”) was targeted by cyber-criminals, forcing it to shut down its computer networks. Vehicle production was suspended for approximately five weeks across major UK plants, causing losses of £50m per week. JLR was reported to be in an even more unfortunate position than M&S and Co-op, having failed to conclude its cyber insurance placement shortly before the incident took place. JLR was therefore reported to be entirely uncovered for its losses.
The Cyber Monitoring Centre estimates the UK financial impact of the JLR attack to be in the region of £1.9bn across 5,000 UK organisations, likely making it the most economically damaging cyber incident ever experienced in the UK, with all financial losses arising from operational disruption. The scale of the incident prompted the UK government to intervene with a £1.5bn loan guarantee to help stabilise the company and its supply chain. JLR has since reported that sensitive payroll data for its current and former employees was stolen during the attack, potentially putting thousands of staff at risk of identity fraud. In addition to potential data breach claims that may follow, it remains to be seen whether a potential shareholder action might also be pursued against JLR directors for their decision not to purchase cyber insurance before the breach.
The attack wave on UK retailers continued in September 2025, with cyber criminals infiltrating the IT system of Harrods, stealing the data of over 400,000 customers.
The takeaways? Each of the incidents likely started with sophisticated “social engineering”, whereby hackers impersonate employees to deceive internal personnel, or IT help desk personnel, into resetting passwords or sharing information. This is a risk that will only increase as AI tools and “deep fakes” become more sophisticated and widespread.
The lesson learned? Operational disruption poses the biggest cyber risk for most businesses, far outweighing potential losses caused by data breach incidents. Cyber has now become a first-party coverage protecting the business’s core assets, and it is time for most businesses to regard cyber insurance as an essential, not a luxury, purchase. Recent experience shows that not only are some major enterprises entirely uninsured for these acute risks, but those that do carry insurance are typically materially underinsured.
Companies should brace themselves for the increased risk of disruptive attacks on their operations. While some industry experts argue that the UK government should backstop cyber insurance, guarantees such as those provided to JLR are likely to be few and far between, particularly for SMEs. Companies should therefore ensure that not only is cyber insurance in place, but that they are adequately covered for business interruption losses arising out of operational disruption, alongside immediate incident response costs. This requires a careful review not only of limits and sums insured, but also of policy wordings, which are far from standardised in the market, and which so far are entirely untested in the English courts.
