M&S Cyberattack: A £100 Million Wake-Up Call on Cybersecurity and Resilience

When a company as established as Marks & Spencer files a £100 million cyber insurance claim, it makes headlines. But behind the staggering figure lies a harsher reality: insurance money doesn’t undo reputational damage, restore customer trust, or reverse lost revenue.

This attack wasn’t just a technical failure; it was a test of cybersecurity and resilience. And it exposed a harsh truth: too many businesses still think having cyber insurance means they’re protected. They’re not.

As we’ve seen in our analysis of technical debt management, reactive approaches to digital risk often create more problems than they solve. The M&S incident is a perfect example of why businesses need proactive strategies.

Case Study Details: Timeline of the M&S Cyberattack


  1. Day 1 – Breach Entry Point: Cybercriminals exploited a vulnerability in a third-party vendor system integrated into M&S’s digital supply chain. The attackers gained unauthorised access to sensitive internal systems, including customer and transaction data.
  2. Day 2 – Customer Impact Surfaces: Anomalies were detected in loyalty points redemptions and irregularities in online orders. M&S’s customer service team began receiving a surge in complaints, raising internal alarms.
  3. Day 5 – Public Disclosure: M&S officially confirmed the breach, acknowledging customer data exposure and digital service disruptions. Media coverage intensified, and social sentiment around trust in the brand began to dip.
  4. Week 2 – Operational & Financial Impact: The online platform saw a sharp decline in traffic and transactions. Internal teams diverted resources to containment, affecting normal operations. Share prices dipped as the market reacted.
  5. Month 1 – Insurance Claim and Investigations: The company filed a £100 million cyber insurance claim while launching internal investigations and working with regulators to assess compliance gaps and long-term damage.

Understanding the Financial Fallout

In the immediate aftermath of the cyberattack, M&S’s market capitalisation took a serious hit. The disruption to its digital infrastructure resulted in:

  1. A significant dip in online revenues
  2. Erosion of customer trust, especially in its loyalty and e-commerce platforms
  3. Long-term brand damage that goes far beyond the incident itself

This is the long-term business impact of cyberattacks, where the consequences aren’t just technical, but financial and strategic. It’s a wake-up call for any business still treating cybersecurity as an IT issue.

For startups and growing businesses, understanding these risks early is crucial. Our seed funding guide emphasises how investors now scrutinise cybersecurity preparedness as part of due diligence.

Why Cyber Insurance Isn’t Enough

Crucially, the real cost lies in business disruption: missed quarterly targets, customer churn, and board-level scrutiny. Companies relying solely on insurance policies rather than a real cybersecurity strategy are playing a dangerous game.

Reality Check: Cyber insurance offers financial relief, but it isn’t a magic shield. Payouts can be delayed for months, coverage often excludes key areas like third-party supply chain risk, and the cost of post-breach compliance can spiral.

To be clear: insurance is the backup plan; cyber resilience is the strategy.

According to IBM’s Cost of a Data Breach Report 2024, the average cost of a data breach reached £3.86 million globally, with recovery times extending well beyond initial estimates.


Elevating Cyber Risk to the Boardroom

Modern leadership must see cybersecurity and resilience as core to business continuity. CFOs and COOs now have a stake in digital risk, and founders must move beyond reactive fixes.

A robust cyber resilience strategy includes:

  1. Security KPIs integrated into executive dashboards
  2. Routine incident simulation drills
  3. Annual investment reviews tied to risk exposure metrics

The ROI of being proactive? Lower breach likelihood, faster recovery, and preserved stakeholder confidence. This is how to build cyber resilience in business—with foresight, not fear.


Building a Modern Resilience Stack

Building business resilience isn’t just about tech, it’s about strategy. Modern frameworks offer practical models:

  1. The NIST Cybersecurity Framework and the FAIR model help align budgets with risk tolerance
  2. Tabletop exercises stress-test your response capabilities
  3. Vendor risk assessments reveal weak links in your supply chain
  4. RACI charts clarify who does what in a crisis

Together, these tools form the foundation of a modern cybersecurity strategy for companies looking to scale securely.

Rethinking Risk Strategy with RSVR Tech

Cyber risk is now business risk—and it needs to be treated with the same seriousness as finance or operations. At RSVR Tech, we partner with fast-moving businesses to make cybersecurity and resilience part of their DNA. From security-by-design architecture to vendor risk management and recovery planning, we help you de-risk growth without slowing it down.

Start with a free infrastructure and security audit. It’s a low-effort, high-impact way to see where you stand. Book a quick consult and let’s make sure your systems can weather the unexpected. [Reach out now]

Frequently Asked Questions (FAQs)

What is cyber resilience?

Cyber resilience refers to an organisation’s ability to prepare for, respond to, and recover from cyberattacks, ensuring continuity of operations.

Why isn’t cyber insurance sufficient?

While cyber insurance can mitigate financial losses, it doesn’t prevent attacks or address reputational damage and operational disruptions.

How can companies build a cyber resilience strategy?

By integrating cybersecurity measures with business continuity plans, conducting regular risk assessments, and fostering a culture of security awareness.

What are the long-term business impacts of cyberattacks?

Beyond immediate financial loss, cyberattacks can lead to long-term consequences such as customer churn, loss of investor confidence, regulatory penalties, and lasting brand damage. Recovery often takes months or years, especially without a strong cyber resilience strategy in place.

How does a cybersecurity strategy for companies differ from IT security?

A cybersecurity strategy for companies is a holistic, business-aligned approach that includes risk management, compliance, employee training, and executive accountability—not just technical defences. It aligns with company goals and ensures resilience at every level.
