Assured Reacts 23.04.2026
Archie Norman, M&S Chairman: “Insure for a cyber catastrophe”
Archie Norman, M&S Chairman, advises retailers to check their cyber insurance and insure for a catastrophe, not a minor loss
Archie Norman, Chairman of M&S, offered two clear pieces of advice to retailers on cyber resilience, one year on from one of the retail sector’s most high-profile cyber incidents.
Reflecting on the infamous M&S cyber attack in a fireside chat with Kate Hardcastle MBE at the Retail Technology Show, Archie Norman described the cyber incident one year ago as “traumatising and stressful” as he recalled watching M&S, quite literally, being turned off. “The aftermath lasted months, a year. Even now, there are traces of it around the business,” he admitted.
“Unbeknown to me, in a stroke of genius, our corporate counsel had doubled our insurance. We were insured for a cap of £100m, and as you know, that was paid out.”
But, he stressed, this was far from sufficient. “It’s not the first ten to twenty million you should insure for. It’s the catastrophe. Insure for one hundred, two hundred, three hundred million. In our case, this cost over £300m. And that’s before you look at business impact, business value and brand impact.”
While insurance provided a level of critical financial protection, the scale and duration of the operational disruption were huge.
Norman reflected that the degradation of systems forced core processes offline. “Ordering systems went manual, back to paper, pens and clipboards.”
His advice to other retailers was simple: assume failure.
“Assume your systems will get shut down, think about the end point, and assume that the rebuild will cost you a lot of money.”
Crucially, he noted that most modern attacks are not driven by technical failure, but by exploitation of people. “Most attacks are impersonations, clever fraud. Assuming no-one can get in [to your systems] is a false assumption.”
For M&S, that meant an attack surface of 50,000 people, a reminder that identity risk now sits alongside, and often above, traditional infrastructure risk.
Norman also challenged the value of traditional cyber exercises. “You’ll probably have had consultants come in and game-play a red team attack. But it’s nothing like that. In that moment, you can forget all that. It was totally unlike anything you will have practised.”
While reluctant to call the year “lost”, he acknowledged that “we would be further ahead in our journey if it hadn’t happened.”
Assured’s senior cyber broker, Caspar Rogers, reacts to Norman’s reflections:
The M&S cyber event reflects two consistent trends we see across the market:
Buying £100m of cover is often considered robust. In reality, as this case demonstrates, it can fall significantly short of the true financial exposure.
Too often, organisations treat cyber insurance as a compliance exercise or a marginal purchase, rather than a core financial risk transfer mechanism. The result is a mismatch between potential loss and purchased limits, particularly in larger, more complex businesses.
This gap is typically driven by a disconnect at Board level. Those responsible for approving cyber insurance decisions do not always have a clear, quantified view of how cyber incidents translate into financial loss, particularly across business interruption, incident response, and liability.
Our advice would always be that if you are buying cyber insurance, make sure you are buying enough.
As a cyber insurance broker, our role is to bridge this gap in understanding, translating technical cyber risk into financial exposure, and ensuring organisations understand both the scale of potential loss and how to transfer it effectively.
In the months following the M&S incident, we saw a clear uptick in organisations progressing their cyber insurance purchasing. Awareness sharpened the minds of board members, but only temporarily. This short-lived shift demonstrates how quickly these incidents can be forgotten – but not, of course, by Archie Norman and the rest of those who continue to feel the repercussions of an incident that happened one year ago.
The lesson is clear: plan for operational failure and insure for financial catastrophe, because when a cyber incident hits, both will matter.
If retailers are shopping around for cyber insurance, they should focus on the following key areas: