
Two months after it was hit by a crippling cyber attack Marks and Spencer has returned to taking orders online.  

Analysts estimate the retailer lost £43 million a week in sales, and the company expects a £300 million hit to its operating profit, denting it by one third, with online disruption continuing throughout June and July.  

As a constituent of the FTSE 100, M&S is not a private company. But the bizarre story of the retailer’s Easter weekend cyber attack carries important lessons for private equity investors. Here are just a few of them:  

1. Increasingly sophisticated threat actors  

The group behind the attack, DragonForce, offers Ransomware-as-a-Service, collaborating with criminal affiliates on their darknet site in exchange for a 20% cut of any ransoms collected. They reputedly gained access to M&S systems using social engineering techniques against one of the retailer’s third parties.   

DragonForce directly emailed M&S’s CEO, Stuart Machin, using an employee’s compromised account to demand a ransom. The techniques were those of a sophisticated and well-informed threat actor group, and they pose a significant risk to private companies. Read more here: ‘Dear Sir, your organisation has been hacked’.   

While Marks & Spencer had cyber insurance in place, the policy will likely cover only a third of its estimated £300 million losses. According to the CEO, who described the loss as “a one-off number”, the remaining shortfall will be managed through cost-cutting measures.  

M&S aims to claim £100 million for both first-party and third-party losses under its cyber insurance policy, arranged by WTW, with Allianz as the primary carrier and Beazley as a specialist underwriter. 

Although the breach originated via a third-party supplier in M&S’s supply chain, the company anticipates a full payout. However, this incident could have longer-term implications: M&S’s annual cyber insurance premium, currently under £5 million, could double at renewal unless they can demonstrate cyber risk management improvements. 

Compared to the premiums that companies paid during the post-covid ransomware spike, the cyber insurance market remains soft. Will this remain the case? In some ways, it doesn’t matter.  

Cases like M&S show the potential limitations of insuring a risk rather than adequately mitigating it: data loss, reputation loss and customer loyalty all suffer when a retailer suffers such significant down-time.  

These uninsurable risks, and the possibility that M&S’s insurance policy might only pay out one third of its financial losses, demonstrate the limitations of cover. 

Boards of all companies (not just those that are publicly listed) need to consider the potential impact of a cyber attack on their businesses from every angle – financial, operational, reputational – and then decide whether insuring the risk is adequate.  

2. Could it have been worse?  

While the threat actors stole customer data like telephone numbers, home addresses and dates of birth, M&S insists the attackers did not steal payment details, or account passwords. If they had, the long-term implications of the attack could be much more damaging.  

Strong protections were clearly in place at M&S.  

The rapid identification of suspicious activity enabled the retailer to activate its incident response and business continuity plans in good time. This was in no small part because the board had run a cyber attack simulation exercise the previous year, building muscle memory regarding what they would do in the event of an attack.  

Lessons for Private Equity firms 

The full consequences of the M&S attack are yet to be seen. What is clear is that, although M&S had robust safeguards in place, acted quickly and had insurance coverage, the retailer is still set to suffer heavy losses. These are the key lessons that any company should learn from the incident:  

  • Cyber insurance is part of the solution, not a golden bullet: consider the potential impact of a cyber attack against your portfolio of companies. Will the insurance policy cover theft of commercially sensitive IP and customer data? What happens if the company suffers operational disruption that impacts reputation and customer loyalty?  

  • Proactive risk management can prevent incidents: PE firms might have limited appetite to proactively engage with their portfolios to mitigate cyber risk. But they can at least ensure that the right technologies, people and processes will protect the portfolio company and their investors.   

  • Plan and test your incident response: The M&S attack could have ended very differently. The company clearly had a plan in place and was able to implement it immediately, despite it being a public holiday. While planning is essential, it needs to be rehearsed, stress-tested and understood by senior management.  

  • Monitor your suppliers’ cyber risk: Even trusted, long-standing and apparently secure suppliers must be managed appropriately. That’s why a third-party risk management programme is a necessity for any business, especially for its critical service providers.  

  • Concentration risk can be a threat to your portfolio: where two or more portfolio companies rely on a single service provider – for example for a shared growth initiative, or if they’re in a similar industry – the potential for a systemic cyber incident in your portfolio increases. While you can’t eliminate this risk entirely, you can mitigate it with a third-party risk management programme.  

  • Portfolio valuation assessments: Annual assessments of the impact of cyber incidents on portfolio valuations are crucial. A single breach can have far-reaching consequences, affecting private equity firms' strategies, exit plans, and returns on investment. 

Thomas Murray helps private equity firms to assess, monitor and mitigate cyber risk across their portfolios – get in touch to find out how we can help.  
