The Co-operative Group has admitted that the April cyber assault on its IT systems will carve £120 million from annual profits, raising sharp questions over the adequacy of corporate cyber insurance programmes.
The mutual revealed that operating profits for the six months to 5 July had already been reduced by £80 million, including £20 million in one-off remediation expenses, with the remainder due to sales disruption. Revenues are thought to have suffered by more than £200 million during the period, according to reporting by Sky News.
Rachel Izzard, the Co-op’s chief finance officer, told Reuters that the full-year impact would reach £120 million “inclusive of any (insurance) recovery”.
The group’s cyber cover was limited. “We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties but we don’t believe we will be claiming on insurance for back-end losses,” Izzard said.
While not as bad as Jaguar Land Rover's (JLR) failure to secure cover, the shortfall underscores an uncomfortable truth for risk managers: that many corporates retain policies focused narrowly on incident response and consultancy, rather than the far more costly consequences of business interruption.
Co-op chair Debbie White struck a defiant note, telling Sky News: “The first half of 2025 brought significant challenges, most notably from a malicious cyber attack. Our balance sheet strength and the magnificent response of our 53,000 colleagues enabled us to maintain vital services for our members and their communities.”
Yet the financial hit highlights how partial cover can leave major exposures on the balance sheet. Unlike Marks & Spencer, which has suggested it expects to recoup a substantial proportion of its estimated £300 million loss via insurance, Co-op is largely unprotected.
The incident has reverberated across the retail and manufacturing sectors. Marks & Spencer endured outages in online and contactless payment systems earlier this year, while Jaguar Land Rover is grappling with a paralysing attack that has forced its factories to a standstill. The Financial Times has reported that JLR had been exploring cyber cover at the time of its breach, but had yet to finalise protection.
When the Co-op first disclosed the April intrusion, it temporarily shut down parts of its IT estate to contain the risk. A spokesperson said the move was “intended to safeguard critical systems”, as reported by The Times. While early indications suggested customer-facing operations were spared, subsequent disruption left shelves bare and payments patchy until late May.
The run of attacks has prompted government officials to warn businesses that cyber resilience must extend well beyond defensive technology. The Treasury has signalled it is considering assistance for affected supply chains, while the National Cyber Security Centre has again urged boards to take a direct role in cyber preparedness.
For the insurance market, the Co-op episode illustrates the gulf between perception and reality in cyber protection. Policies designed as bolt-ons or limited to response services leave corporates bearing the true weight of prolonged outages.
The Co-op’s predicament is likely to strengthen calls within the London market for more sophisticated parametric and indemnity-based structures, and for greater disclosure to boards of precisely what is – and is not – covered.