EXCLUSIVE: Co-op chose cybersecurity over insurance

Retailer's cyber gamble backfires as £120m loss exposes absence of cover

The Co-operative Group has confirmed it did not hold dedicated cyber insurance at the time of the April attack that crippled its IT systems and drained £120 million from profits. Instead, the mutual had opted to invest in defensive cybersecurity measures, a choice that has now left it bearing the full weight of one of the most damaging retail hacks in recent years.

“Co-op did not have dedicated cyber-insurance in place,” a spokesman told Insurance Business. “Instead of investing in insurance, they chose to invest in enhanced cyber security which ensured they were able to contain the threat and minimise the impact for our members and customers.”

The new statement raises questions over just what CFO Rachel Izzard meant when she told Reuters “We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties but we don’t believe we will be claiming on insurance for back-end losses.” 

"At the large corporate level, I think you still see some organizations choosing to self-insure cyber risk when they're looking at their balance sheet and then the potential impact and what they believe are their segregation measures and things in place to mitigate the impact,” Alexandra Bretschneider, cyber practice leader at Johnson, Kendall & Johnson told Insurance Business. “They're not feeling that the cost of the insurance is necessarily worthwhile.”

The attackers are believed to have bypassed the technology the Co-op had invested in instead of insurance by using social engineering. Robert Elsey, the chief digital and information officer, told the BBC: “They impersonated one of our colleagues. As soon as that account was used maliciously or abnormally, our systems are designed to detect that.

“So, within minutes, our colleagues were shutting those accounts down. They were very persistent and very capable, they were trying to re-enable accounts and then we blocked those as well.”
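The two detection steps Elsey describes, abnormal use of an account and an attempt to re-enable an account the defenders had just disabled, can be written as simple rules over identity-provider audit logs. The Python below is an added illustration and not the Co-op's detection code: the event schema, account names, countries and sample log lines are constructed for the example, and the 24-hour re-enable window is an assumed tuning value.

```python
# Added example: two detection rules over constructed identity audit events.
# Rule 1: a login from a country outside the account's usual baseline.
# Rule 2: an account re-enabled within a short window of being disabled,
#         which is the "trying to re-enable accounts" behaviour to block.
from datetime import datetime, timedelta

# Constructed identity-provider audit events (UTC, ISO 8601). Not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-04-22T08:02:10", "action": "login", "target": "j.smith",
     "actor": "j.smith", "country": "GB"},
    {"ts": "2025-04-22T08:41:55", "action": "login", "target": "j.smith",
     "actor": "j.smith", "country": "RU"},           # abnormal for j.smith
    {"ts": "2025-04-22T08:47:00", "action": "disable_account", "target": "j.smith",
     "actor": "soc-analyst-1", "country": "GB"},     # SOC shuts the account
    {"ts": "2025-04-22T08:59:00", "action": "enable_account", "target": "j.smith",
     "actor": "helpdesk-svc", "country": "RU"},      # re-enabled 12 min later
    {"ts": "2025-04-22T09:00:12", "action": "disable_account", "target": "j.smith",
     "actor": "soc-analyst-1", "country": "GB"},     # SOC shuts it again
    {"ts": "2025-04-20T10:00:00", "action": "disable_account", "target": "a.khan",
     "actor": "hr-leaver-process", "country": "GB"},
    {"ts": "2025-04-23T10:00:00", "action": "enable_account", "target": "a.khan",
     "actor": "hr-joiner-process", "country": "GB"},  # 72 h later: routine rehire
    {"ts": "2025-04-22T11:00:00", "action": "enable_account", "target": "m.jones",
     "actor": "helpdesk-svc", "country": "GB"},      # never disabled: ignored
]

# Constructed baseline of countries each account normally signs in from.
BASELINE_COUNTRIES = {
    "j.smith": {"GB"},
    "a.khan": {"GB"},
    "m.jones": {"GB", "IE"},
}


def _ts(event):
    """Parse the event timestamp into a datetime for ordering and deltas."""
    return datetime.fromisoformat(event["ts"])


def find_abnormal_logins(events, baseline):
    """Rule 1: return logins whose source country is outside the account's
    baseline set. Accounts with no baseline are treated as having none."""
    hits = []
    for e in events:
        if e["action"] != "login":
            continue
        if e["country"] not in baseline.get(e["target"], set()):
            hits.append({"target": e["target"], "ts": e["ts"],
                         "country": e["country"]})
    return hits


def find_reenabled_accounts(events, window_hours=24):
    """Rule 2: return accounts re-enabled within `window_hours` of the most
    recent disable_account event for that account. An enable with no prior
    disable, or one long after it, is not reported."""
    window = timedelta(hours=window_hours)
    last_disable = {}  # target -> (when disabled, who disabled it)
    hits = []
    for e in sorted(events, key=_ts):
        if e["action"] == "disable_account":
            last_disable[e["target"]] = (_ts(e), e["actor"])
        elif e["action"] == "enable_account":
            disabled = last_disable.pop(e["target"], None)
            if disabled is None:
                continue
            disabled_at, disabled_by = disabled
            gap = _ts(e) - disabled_at
            if gap <= window:
                hits.append({
                    "target": e["target"],
                    "disabled_by": disabled_by,
                    "reenabled_by": e["actor"],
                    "reenabled_from": e["country"],
                    "minutes_after_disable": int(gap.total_seconds() // 60),
                })
    return hits


if __name__ == "__main__":
    for hit in find_abnormal_logins(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print("abnormal login:", hit)
    for hit in find_reenabled_accounts(SAMPLE_EVENTS):
        print("re-enabled within window:", hit)
```

On the constructed data, rule 1 flags the j.smith sign-in from RU and rule 2 flags the j.smith re-enable by the helpdesk service account twelve minutes after the SOC disabled it, while the a.khan rehire three days later and the m.jones enable with no preceding disable are not reported. In a real deployment the events would come from the identity provider's audit log, a rule 2 hit would page the SOC and trigger an automatic re-disable, and the identity of the re-enabling actor is itself worth alerting on, since a helpdesk path being used to undo a containment action is consistent with the colleague impersonation Elsey describes.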

Whatever technical steps were taken, the attackers still managed to steal data from all 6.5 million Co-op members’ accounts, and the hackers told the BBC they had "spent a while seated in (the company’s) network."

The assault forced payment outages, bare shelves and manual workarounds across the Co-op’s stores, as well as paper-based systems in its funeral homes. In its half-year results to 5 July, the business reported an £80 million hit to operating profit, with the total impact expected to rise to £120 million by year-end. Revenues fell to £5.48 billion, down from £5.6 billion a year earlier, as the disruption rippled through supply chains and consumer channels.

No safety net

While many corporates retain at least some cyber protection – often focused on incident response or consultancy – the Co-op has now acknowledged it held no cyber-specific policy.

For insurance professionals, the decision looks increasingly stark when compared with peers. Marks & Spencer, also targeted by hackers this year, has signalled it expects to recoup a substantial portion of its estimated £300 million loss via insurance. Harrods, too, was able to rely on cover when its systems were compromised. By contrast, the Co-op will be left to fund the entire recovery from its own balance sheet – rather embarrassingly, given that it offers a number of branded insurance products itself.

A costly lesson

The financial exposure underscores the gulf between investing in technology and transferring risk. Experts warn that cyber resilience without insurance may protect systems, but it does nothing to replace lost income when defences fail. As the National Cyber Security Centre’s Jonathon Ellison has put it, “Cybercriminals will target anyone if they think there is money to be made.” For insurers, the Co-op episode is a reminder that boards continue to underestimate the scale of financial damage a single attack can inflict.

“As an insurance broker, the recent Co‑op breach makes one thing crystal clear,” wrote Tomos Jones of Daulby Read Insurance on LinkedIn, commenting on the Insurance Business story. “Having cyber insurance isn’t enough, having the right cyber insurance is essential.”

Broader market implications

The case is likely to be seized upon in the London market as evidence of why corporates should not view cyber insurance as discretionary. The absence of cover at a business with the Co-op’s profile will fuel underwriters’ calls for boards to disclose not only their cyber defences but also their approach to risk transfer. Brokers, meanwhile, will see in this episode a cautionary tale for clients tempted to self-insure.

With Jaguar Land Rover and Marks & Spencer still reeling from their own cyber crises, the spotlight is once again on how Britain’s corporates prepare for, and insure against, hostile digital intrusions. For the Co-op, the choice to go without cyber cover has turned into one of its costliest strategic bets in decades.
