The National Crime Agency has arrested four individuals in connection with the sophisticated cyberattacks that paralysed operations at Marks & Spencer, Harrods and the Co-op Group earlier this year. The development marks a critical advance in what has become one of the UK’s most closely watched cybercrime investigations, with implications that are now reverberating throughout the insurance industry.
The suspects, aged between 17 and 20, were detained at residential addresses in Staffordshire, London and the West Midlands. They include three British nationals and one Latvian, and are being held on suspicion of offences under the Computer Misuse Act, blackmail, money laundering and participation in an organised crime group. Electronic devices were seized during the arrests, which are believed to be linked to a series of ransomware attacks that inflicted hundreds of millions of pounds in disruption.
Paul Foster, director of the NCA’s National Cyber Crime Unit, said the investigation remained a top priority. “Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice,” he said. Foster also thanked the retailers for their cooperation, noting the importance of victim engagement in law enforcement efforts.
The campaign against UK retailers, widely attributed to the group known as Scattered Spider, has placed the insurance sector on heightened alert. Google’s Threat Analysis Group recently confirmed that the same threat actor had begun targeting insurers and financial institutions, prompting warnings of tailored attacks on firms with decentralised IT systems and large call centre operations.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert – especially for social engineering schemes that target their help desks and call centres,” said John Hultquist, Google’s chief cyber analyst.
The group is known for its ability to impersonate staff and circumvent authentication protocols, often by manipulating IT support staff. Similar tactics were reportedly used in the intrusion at M&S, which began with a breach through a third-party partner. The incident went undetected for two days, during which substantial damage was done to IT infrastructure. Online operations were suspended, e-commerce systems were disabled, and the retailer now faces estimated losses of up to £300 million.
M&S’s cyber policy, arranged through Willis Towers Watson, is expected to trigger one of the UK’s largest-ever insurance claims of its kind. Allianz serves as the lead underwriter on the programme and is anticipated to cover an initial £10 million of losses. Beazley and other Lloyd’s market participants are also involved through a layered policy structure that could ultimately reach the £100 million policy limit.
In a recent statement to Parliament, M&S chairman Archie Norman acknowledged the scale of the breach. While the company has not disclosed whether a ransom was paid, Norman confirmed that the retailer had tripled its cybersecurity staff and doubled insurance limits in the previous policy year. “We anticipate a meaningful recovery,” he said, while noting that the full value of the claim may not be determined for 18 months.
Insurers will be scrutinising both first-party and third-party exposures. Costs are expected to include business interruption, forensic analysis, legal liabilities, reputational remediation, and customer data notification obligations. M&S has acknowledged that customer contact information and order histories were accessed, though financial data was not believed to have been compromised.
The fallout from the attack has intensified pressure on the cyber insurance market, which is already facing volatility amid rising claims and evolving risk profiles. Premiums, which had softened slightly in late 2024, are widely expected to rise. Beazley, which underwrites a significant share of the global cyber market, said incidents like the M&S breach often act as inflection points.
“After high-profile attacks, boards start asking the right questions,” said Sydonie Williams, head of international cyber risk at Beazley.
Bloomberg Intelligence has forecast a 67% growth in cyber gross written premiums for Beazley over the next five years. Meanwhile, Munich Re has revised its estimate for global cyber premium volumes to $16.3 billion in 2025, rising to $30 billion by 2030.
Yet cyber insurance remains unevenly distributed. Government figures show that fewer than half of FTSE 100 firms have dedicated cyber cover, and uptake among SMEs remains below 10%. Underinsurance and patchy incident response planning continue to hamper resilience across sectors.
For many insurers, the shift is stark. The industry, once positioned solely as a backstop for cyber risk, now finds itself a primary target. Recent breaches at Philadelphia Insurance Companies and Erie Insurance in the United States have exposed gaps in defence and led to regulatory scrutiny, proposed class actions, and calls for greater oversight of cyber aggregation risk across portfolios.
Analysts caution that systemic cyber events pose challenges akin to natural catastrophes, with the potential for cascading impacts across policyholders, vendors, and markets. Aggregation exposure and silent cyber risk continue to trouble underwriters, particularly in light of the increasingly franchise-based model adopted by ransomware syndicates.
For insurers, brokers and risk managers, the message is unequivocal: cyber risk is no longer confined to the balance sheet of the policyholder. It is embedded within the very operations of those who underwrite it.