M&S Cyberattack: A £100 Million Wake-Up Call on Cybersecurity and Resilience

When a company as established as Marks & Spencer files a £100 million cyber insurance claim, it makes headlines. But behind the staggering figure lies a harsher reality: insurance money doesn’t undo reputational damage, restore customer trust, or reverse lost revenue.

This attack wasn’t just a technical failure; it was a test of cybersecurity and resilience. And it exposed a harsh truth: too many businesses still think having cyber insurance means they’re protected. They’re not.

 

Case Study Details: Timeline of the M&S Cyberattack

  • Day 0 – Breach Entry Point:
    Cybercriminals exploited a vulnerability in a third-party vendor system integrated into M&S’s digital supply chain. The attackers gained unauthorised access to sensitive internal systems, including customer and transaction data.
  • Day 2 – Customer Impact Surfaces:
    Anomalies were detected in loyalty points redemptions and irregularities in online orders. M&S’s customer service team began receiving a surge in complaints, raising internal alarms.
  • Day 5 – Public Disclosure:
    M&S officially confirmed the breach, acknowledging customer data exposure and digital service disruptions. Media coverage intensified and social sentiment around trust in the brand began to dip.
  • Week 2 – Operational & Financial Impact:
    The online platform saw a sharp decline in traffic and transactions. Internal teams diverted resources to containment, affecting normal operations. Share prices dipped as the market reacted.
  • Month 1 – Insurance Claim and Investigations:
    The company filed a £100 million cyber insurance claim while launching internal investigations and working with regulators to assess compliance gaps and long-term damage.

Understanding the Financial Fallout

In the immediate aftermath of the cyberattack, M&S’s market capitalisation took a serious hit. The disruption to its digital infrastructure resulted in:

  • A significant dip in online revenues
  • Erosion of customer trust, especially in its loyalty and e-commerce platforms
  • Long-term brand damage that goes far beyond the incident itself

This is the long-term business impact of cyberattacks, where the consequences aren’t just technical, but financial and strategic. It's a wake-up call for any business still treating cybersecurity as an IT issue.

Why Cyber Insurance Isn’t Enough

Cyber insurance offers financial relief, but it isn’t a magic shield. Payouts can be delayed for months, coverage often excludes key areas like third-party supply chain risk, and the cost of post-breach compliance can spiral.

Crucially, the real cost lies in business disruption: missed quarterly targets, customer churn, and board-level scrutiny. Companies relying solely on insurance policies instead of a real cybersecurity strategy are playing a dangerous game.

To be clear: insurance is the backup plan. Cyber resilience is the strategy.

Elevating Cyber Risk to the Boardroom

Modern leadership must see cybersecurity and resilience as core to business continuity. CFOs and COOs now have a stake in digital risk, and founders must move beyond reactive fixes.

A robust cyber resilience strategy includes:

  • Security KPIs integrated into executive dashboards
  • Routine incident simulation drills
  • Annual investment reviews tied to risk exposure metrics

The ROI of being proactive? Lower breach likelihood, faster recovery, and preserved stakeholder confidence. This is how to build cyber resilience in business—with foresight, not fear.

Building a Modern Resilience Stack

Building business resilience isn’t just about tech; it’s about strategy. Modern frameworks offer practical models:

  • The NIST Cybersecurity Framework and FAIR model help align budgets with risk tolerance
  • Tabletop exercises stress-test your response capabilities
  • Vendor risk assessments reveal weak links in your supply chain
  • RACI charts clarify who does what in a crisis

Together, these tools form the foundation of a modern cybersecurity strategy for companies looking to scale securely.

Rethinking Risk Strategy with RSVR Tech

Cyber risk is now business risk—and it needs to be treated with the same seriousness as finance or operations. At RSVR Tech, we partner with fast-moving businesses to make cybersecurity and resilience part of their DNA. From security-by-design architecture to vendor risk management and recovery planning, we help you de-risk growth without slowing it down.

Start with a free infrastructure and security audit. It’s a low-effort, high-impact way to see where you stand.
Book a quick consult and let’s make sure your systems can weather the unexpected.

Frequently Asked Questions (FAQs)

What is cyber resilience?
Cyber resilience refers to an organisation’s ability to prepare for, respond to, and recover from cyberattacks, ensuring continuity of operations.

Why isn’t cyber insurance sufficient?
While cyber insurance can mitigate financial losses, it doesn’t prevent attacks or address reputational damage and operational disruptions.

How can companies build a cyber resilience strategy?
By integrating cybersecurity measures with business continuity plans, conducting regular risk assessments, and fostering a culture of security awareness.

What are the long-term business impacts of cyberattacks?
Beyond immediate financial loss, cyberattacks can lead to long-term consequences such as customer churn, loss of investor confidence, regulatory penalties, and lasting brand damage. Recovery often takes months or years, especially without a strong cyber resilience strategy in place.

How does a cybersecurity strategy for companies differ from IT security?
A cybersecurity strategy for companies is a holistic, business-aligned approach that includes risk management, compliance, employee training, and executive accountability—not just technical defenses. It aligns with company goals and ensures resilience at every level.
