Viewpoint: Firm up cyber resilience
- October 26, 2025
- Posted by: Web workers
- Category: Finance
Recent high-profile cyberattacks and data breaches have disrupted operations at major retailers and their suppliers this year. The attacks have targeted global brands including Adidas, Marks & Spencer, Co-op, Harrods, Victoria’s Secret and Whole Foods.
As we report here, retailers handle vast amounts of financial and personal data, which makes them a lucrative target for cybercriminals. They also rely increasingly on digital technologies and online transactions, making cyber threats a perennial concern.
This year’s attacks have exploited common technical vulnerabilities at retail businesses and deployed social engineering tactics that prey on human weaknesses, specifically targeting help desk personnel and other staff. Several incidents were attributed to the hacking group “Scattered Spider,” known for sophisticated social engineering and data extortion. In 2023, the group targeted major casinos in Las Vegas.
Insurer QBE recently reported nearly 50% growth in destructive cyberattacks between 2023 and 2024 across North America and Europe, driven by geopolitical, economic, social and technological factors. Microsoft reports that its customers face about 600 million global attacks daily from both cybercriminals and nation-state actors.
Such projections highlight the importance of effective risk management. After the initial cyberattack and data theft in April, it took nearly four months for U.K. retailer Marks & Spencer to resume accepting click-and-collect clothing orders. That’s a significant amount of time and lost revenue for any business. More sophisticated attacks targeting critical systems can lead to longer recovery times.
Fortunately for the companies targeted, cyber insurance take-up in the retail sector is high. Marks & Spencer previously estimated that the hack could cost about $404 million in lost operating profit for fiscal 2025-26, though it expects to halve that through insurance recoveries and cost controls.
Recent market reports point to a competitively priced cyber insurance market. Rates decreased by 7% globally in the second quarter, with declines in every region, according to the latest Marsh global rate index. In the U.S., cyber rates fell 3%, the ninth straight quarterly drop.
Despite ongoing rate decreases, fewer businesses purchased higher limits. Organizations were less inclined to pay ransoms after cyber extortion events than they were three years ago. Cyber extortion claims continued, with policies covering those losses, though they took longer to resolve.
Risk transfer is only a part of the solution, however. Risk management and operational resilience are key. As common targets of cybercriminals and early adopters of cyber coverage, retailers have gained significant risk management experience. The rising likelihood of attacks is compelling organizations across various sectors to implement better controls to manage and mitigate cyber risks. As a result, many are implementing practices that move beyond siloed cybersecurity and risk management programs toward a more integrated approach to operational resilience, according to the Business Continuity Institute, a global association of business continuity and resilience professionals.
In a recent survey, BCI found that nearly 70% of responding organizations have established internal structures to improve coordination between departments, from cybersecurity to IT operations. Many cited regulatory requirements as their main reason for implementing operational resilience programs. Scenario testing, long touted by the insurance industry as a way to strengthen resilience, must become a regular practice if organizations are to stand a chance of keeping pace with cyber threats. Addressing human vulnerabilities through robust employee training is also a key part of any cyber resilience strategy.


