The House of Commons Business and Trade Sub-Committee: M&S summary, July 2025
9th February 2026

The House of Commons Business and Trade Sub-Committee, as part of its inquiry into UK economic security, looked at the Marks & Spencer (M&S) ransomware incident as a case study with strong implications for cyber insurance around aggregation, silent accumulation, and resilience-linked underwriting.
The panel heard from Archie Norman (Chairman), Nick Folland (General Counsel) and Victoria McKenzie Gould (Corporate Affairs Director) about the attack’s mechanics, financial impact, interaction with insurers and government, and lessons for boards and policymakers.
M&S described the incident as a “highly sophisticated and targeted” ransomware attack in April 2025, with initial access on 17th April via sophisticated social engineering (impersonation of an individual) combined with a third-party vector.
The threat ecosystem is linked to DragonForce ransomware and the Scattered Spider affiliate group, reflecting a broader campaign against UK retail that also hit Co-op and reportedly targeted Harrods. The attackers were not immediately visible: M&S only detected them on 19th April, convened a crisis team that night, notified authorities after the Easter break, and went public on 22nd April – illustrating multi-day dwell time before business detection and disclosure.
Public reporting adds that DragonForce communicated using an email address apparently connected to a Tata Consultancy Services employee account, underlining identity abuse and third-party risk in a heavily outsourced environment.
M&S estimates a gross £300m reduction in profit before recoveries, largely driven by online disruption (roughly £10m profit loss per week of online outage), while stores remained open but operated with significant manual workarounds.
External reports note suspension of online orders, disruption to click & collect and some contactless payments, empty shelves in some locations, and failing over to paper processes.
Customer data exfiltration included names, dates of birth, contact details, household information and order histories, turning a business interruption event into a data security and potential privacy liability incident.
For comparison, Co-op has reported at least £206m in lost revenue from its 2025 cyber incident, highlighting that two UK retailers alone account for over half a billion pounds of direct top-line/earnings impact in a single campaign.
M&S had “extensive” cyber insurance and expects a “significant” recovery, though it acknowledges that quantum and coverage outcomes will take around 18 months to settle – typical for complex, multi-tower programmes.
A year before the attack, M&S restructured its programme away from “insuring the trivia” and toward high-severity cover: retaining initial losses and transferring catastrophe scenarios to the market, a structure it now regards as vindicated.
The company declines to comment on ransom payment, citing live law enforcement considerations and the risk of providing “oxygen” to threat actors, but confirms that all details are shared with the NCA – illustrative of the opacity insurers face around extortion decisions even in well-governed PLCs.
Interaction with insurers is described as “hand in glove”, with near-daily dialogue from day one of the incident, reinforcing the value of specialist incident response and claims partnership as part of the product, not just limit capacity.
M&S highlights structural features that drive both loss magnitude and difficulty of underwriting: a vast attack surface (c.50,000 users, multiple contractors and third parties) and a hybrid legacy/modern estate that makes containment and segmentation challenging.
They emphasise that the “perimeter is permeable”, even with MFA and password controls, and that once an attack has any success, organisations face a multi-week rebuild regardless – key for modelling downtime, reinstatement costs and secondary loss.
Legacy architecture (including a historic mainframe migration, an ageing SAP core finance system and numerous distributed systems installed by long-gone contractors) complicates mapping, lateral movement controls and restoration sequencing. The board now treats system mapping and accelerated modernisation as core resilience investments.
Annual capex runs at £600-650m, with £200-250m on technology and roughly £150m on legacy upgrades, yet this still proved insufficient to prevent a major ransomware loss – underscoring that high IT spend is not a simple proxy for cyber maturity.
The witnesses describe the initial law enforcement routing from West Yorkshire Police to the Met and then the NCA as “a little slow” but ultimately effective, with additional support from the FBI and NCSC. However, they characterise NCSC engagement as operational rather than board-level and call for more senior, two-way involvement in major incidents.
They argue for mandatory reporting of “material” cyber-attacks to the NCSC, noting credible indications that at least two serious attacks on large UK companies in the preceding four months went unreported, leaving central intelligence and, by extension, insurers partially blind to true loss frequency and clustering.
UK Government-commissioned research now estimates that cyber attacks cost the UK economy around £14.7bn annually (c.0.5% of GDP), with £1-8.5bn of that stemming from IP and knowledge asset theft. This places large single-company losses like M&S and Co-op firmly within a broader macro risk profile.
The UK cyber security sector itself generates about £13.2bn in annual revenue, 67,300 FTE jobs and £7.8bn GVA, ranking the UK third globally behind the US and China – supporting the witnesses’ contention that cyber is simultaneously a national resilience challenge and a strategic growth sector.
Lessons for cyber insurance underwriting and product design
Board-level testimony underlines that even firms that have identified cyber as a top risk, with growing CISO functions (M&S trebled cyber headcount to 80 and doubled spend) and extensive simulations, can still experience catastrophic BI and data loss events, challenging simplistic control-checklist approaches to underwriting.
The contrasting experiences of M&S and Co-op (M&S suffering deeper, longer online disruption; Co-op incurring large revenue loss but arguably benefiting from an earlier, more radical shutdown) suggest that crisis management posture and willingness to self-impose disruption are material, yet hard to quantify, rating factors.
The evidence strongly supports product features that reward proactive legacy modernisation and segmented architecture (through pricing or coverage enhancements), integrate mandatory incident reporting and information-sharing obligations aligned with the NCSC/NCA, and provide embedded crisis management, legal and PR support to manage media pressure and regulatory communication.
For accumulation and systemic risk modelling, the case reinforces several scenarios of concern to carriers: concentrated campaigns against a sector (UK grocery/retail), shared third-party and cloud/service provider dependencies, and the prospect of simultaneous operational disruption plus social media-driven public panic, as raised by the Committee.
