When Cyber Insurance Matters: Lessons from Co‑op, M&S, Harrods and JLR

Posted on October 16, 2025 by Louise Howland
Cyber risk is a very real danger for every organisation. It often feels like one major company after another is making headlines for being compromised by a cyber breach or attack. In 2025 alone, Co‑op, M&S, Harrods and Jaguar Land Rover (JLR) all suffered high‑profile cyber incidents. Their outcomes varied dramatically depending on whether they had cyber insurance in place.
These cases show that cyber insurance isn’t a luxury: it can be the difference between absorbing costs internally, claiming support, or, in extreme cases, leaning on government intervention. Below, we walk through each case, compare outcomes, and draw lessons.
Co‑op, uninsured and exposed
What happened
In April 2025, Co‑op was targeted in a sophisticated attack that forced shutdowns of IT systems and disrupted payments. Hackers accessed the personal data of 6.5 million members. Stores were left with empty shelves, and fallback to manual systems slowed service.
Financial impact
Co‑op reported severe operational disruption and significant financial losses, estimating around £206 million in lost sales.
Insurance & recovery
Co‑op did not have a cyber insurance policy. As a result, it is absorbing most of the costs itself, including litigation, notification, regulatory fines, and reputational repair. A group legal action has already been opened by affected members.
Key takeaway
Without dedicated cyber coverage, the full burden falls directly onto the business, magnifying both financial and reputational impact.
M&S, insured and making claims
What happened
Over Easter 2025, M&S suffered a cyberattack that halted online orders and disrupted in‑store payments. Customer data, including names and addresses, was accessed.
Financial impact
M&S projected a hit of around £300 million to operating profit. With insurance claims, the company expects to reduce this net loss to closer to £150 million.
Insurance & recovery
M&S has a wide‑ranging cyber insurance policy, allowing claims of up to £100 million. This means a significant portion of its losses can be offset. While online ordering was down for weeks, insurance cushioned the financial blow.
Key takeaway
Insurance didn’t prevent disruption, but it absorbed much of the cost and enabled the business to focus on recovery.
Harrods, uninsured and exposed
What happened
Harrods confirmed attempted unauthorised access to its systems in 2025, forcing restrictions on internet access across parts of its operations.
Financial impact
Public reports have not disclosed the precise financial toll, but reputational risk and operational disruption were significant.
Insurance & recovery
Like Co‑op, Harrods lacked cyber insurance. This left the organisation to fund remediation, legal exposure, and reputational costs from its own resources.
Key takeaway
Luxury brands are no exception. Without cyber insurance, Harrods had no external safety net to manage the financial aftermath.
Jaguar Land Rover, uninsured and bailed out
What happened
On 31 August 2025, JLR’s systems were heavily compromised, halting production worldwide. The disruption cascaded through its supply chain, threatening supplier solvency.
Financial impact
The downtime was estimated to cost £50 million per week.
Government response
Because of JLR’s strategic importance, the UK government intervened with a £1.5 billion loan guarantee to stabilise the company and its supply chain. This extraordinary intervention was only possible because of JLR’s systemic role. For SMEs, no such bailout would be forthcoming.
Key takeaway
Without cyber insurance, JLR relied on state support. Most organisations would not be afforded such a lifeline.
Who had insurance cover and who didn’t
| Company | Had Cyber Insurance? | Known Loss / Exposure | External Support |
|---|---|---|---|
| Co‑op | No | Data on 6.5m members stolen; hundreds of millions in losses | None |
| M&S | Yes | ~£300m hit, reduced to ~£150m via insurance | Up to £100m insurance claim |
| Harrods | No | Attempted system access; unknown costs | None |
| JLR | No | £50m per week during downtime | £1.5bn government guarantee |
Lessons for businesses
Insurance is strategic, not optional. M&S shows how insurance cushions major shocks. Co‑op and Harrods reveal the risks without it, and JLR highlights the exceptional scale required for government rescue. Crucially, this isn’t just about big business: SMEs are just as vulnerable to disruption, but unlike JLR they cannot expect a government bailout and would need to rely entirely on their own resilience or insurance. Downtime costs outweigh breach costs, as revenue loss and supply chain disruption often dwarf legal or forensic bills. Government bailouts are not a plan, as only large organisations like JLR would qualify for intervention, leaving SMEs to fend for themselves. And finally, preparedness enables payout, since insurers require evidence of strong governance and security controls before honouring claims.
It’s not a question of if your business will face a cyber incident, but when. Insurance alone won’t prevent attacks, but it can mean the difference between a manageable disruption and a major crisis. The experiences of Co‑op, M&S, Harrods and Jaguar Land Rover make it clear: a robust cyber insurance policy should be central to every organisation’s risk management strategy.
