What can businesses learn from major cyber-attacks?

Recent high-profile cyber incidents have been a wake-up call for UK firms across all sectors. They’ve shown how an event that starts in IT can rapidly become an operational crisis, triggering lost revenue, disrupted services, supply-chain delays, reputational damage, and costs that go far beyond technical remediation.

Last April’s attack on M&S is reported to have cut online orders by more than 40 per cent, costing £136m and halving its profits, including another £34m in the final six months of its financial year, while the infiltration of Co-op’s systems by hackers saw consumer data stolen and a bill of £206m.

For businesses already grappling with rising costs, inflation, supply-chain fragility, tax and regulatory pressure, events of this kind add a dangerous and unpredictable dimension to the risk profile. The lesson is simple – cyber risk is no longer just about data, it’s about resilience. 

The risks exposed

These incidents highlight the vulnerability of ‘business as usual’ in tightly connected modern organisations. Problems with one part of the business can quickly affect another and then ripple outwards at speed. According to the Cyber Monitoring Centre (CMC), last year’s attack on Jaguar Land Rover may have cost the wider UK economy around £1.9 billion, likely making it the most economically damaging cyber-attack in British history.

Our report on the incident shows that when one link breaks, it can lead to:

  • Operational shutdown – systems can be taken offline to contain a threat, which can halt customer-facing services, production, dispatch, or scheduling
  • Business interruption losses – downtime is often the biggest cost, especially where revenue depends on digital processes or time-sensitive delivery windows
  • Supply-chain knock-on effects – a disruption can spread beyond a single organisation, affecting suppliers, customers, and contractors who depend on shared systems, data, or just-in-time workflows 
  • Regulatory and legal exposure – even where customer data is not the headline, organisations may need legal support, investigation, and regulator engagement if data or systems are compromised 

For many organisations, the risk is no longer only a data breach or a ransom demand. It’s the interruption of operations, the disruption of supply-chain flows, and the wider economic fallout. 

What businesses must do to protect themselves

1) Recognise that cyber-risk is not just an IT issue, but a board-level operational risk. Senior leadership must know which systems are critical, how resilient they are, and, as a practical matter, how quickly the organisation can recover. Underwriters are increasingly looking for evidence of resilience: tested incident response, business continuity planning, and clear recovery capabilities.

2) Supply-chain mapping and resilience matter. Vulnerabilities in third-party suppliers or contractors can trigger systemic failure, so it’s vital to understand not just your direct suppliers, but the supplier of the supplier. Incidents have highlighted how a large manufacturer’s outage cascades into smaller firms whose cash-flows and contract timelines collapse. A robust approach means understanding:

  • Which suppliers are operationally critical
  • Which third parties process or store sensitive information
  • Which outages would stop you trading
  • What contractual protections and contingency plans exist

3) Business-interruption planning must go beyond standard cyber-insurance. Traditional policies may cover data breach costs, regulatory fines, or forensic investigations. The huge cost at JLR came from operational downtime and supply-chain disruption – a different class of risk. This means cover must be reviewed and perhaps extended, sums insured revisited, and the insured peril adjusted to reflect a full production stop scenario.

4) Consider the operational technology and “physical world” exposure. For some firms, cyber risk reaches beyond laptops and servers. Where operational technology (OT) or industrial control systems (ICS) are connected to day-to-day operations, a cyber event can disrupt machinery, processes, and safety-critical systems. Cyber cover is widely available that can be extended to address physical damage caused by a cyber event (subject to underwriting and policy structure), and can sometimes be arranged to help fill gaps created by cyber exclusions in traditional property damage/business interruption policies. 

Even if you’re not a manufacturer, the principle applies that if digital systems control real-world operations (building management systems, cold-chain monitoring, warehouse automation, access control, scheduling, and dispatch), the operational consequences of cyber failure can be significant.

5) Make sure your “people and partners” plan is real. Speed matters in a cyber incident. Many policies provide access to specialist support on a 24/7 basis, which includes breach coaches, forensic investigators, and legal advisers. They can also support crisis communications and regulatory notification processes where needed.

Two practical steps make a big difference:

  • Know how to activate support quickly (who calls, when, and with what information).
  • Check if external firms you want to use (e.g., a preferred legal adviser or specialist provider) need to be pre-approved under the policy.

Why it matters for you (and your insurance partner)

From an insurer’s perspective, when risk management is robust and well-documented, the probability of an incident and the size of any claim both reduce. In the case of M&S, their insurance reportedly covered £100m of the £136m cost, demonstrating the importance of the right cover, but the claim will undoubtedly lead to higher premiums. Managing risk better means lower premiums and better terms. On the flip side, under-insurance of business-interruption exposure, inadequate supply-chain cover, or untested recovery plans increase both risk of loss and cost of payout.

Our team at Howden is ready and waiting to help you review your exposure, sharpen your cover, and help turn a catastrophic incident into a survivable event. Please get in touch to arrange a no-obligation review of your cyber-risk strategy.
