The Co-operative Group is a British operator of retail stores, funeral homes and other businesses. Like Marks and Spencer, another major UK retailer, the Co-op, which generates billions of dollars in yearly revenue, has been hit with a major cyber attack. But compared to Marks and Spencer, the Co-op appears to be grossly underinsured for cyber threats. Unlike Jaguar, which has no insurance to cover massive losses from its disastrous recent hack, the Co-op does have some cyber insurance to address its April attack, but apparently it may be underinsured, with only enough coverage for the costs of incident response, not the other, larger downstream losses to its business.
Co-op Cyber Insurance Does Not Cover Back-end Losses?
“We had the front-end elements of cyber insurance in place in terms of the immediate response capabilities in the technology space for third parties, but we don’t believe we will be claiming on insurance for back-end losses,” CFO Rachel Izzard told Reuters. This appears to be an indirect admission that Co-op failed to buy insurance to cover “business interruption” or “consequential loss” from the attack, losses that will presumably include legal costs linked to the theft of personal data on millions of customers during the incident.

According to a recent financial disclosure by the company, total costs from the hack could reach at least $276 million, of which approximately $27 million consists of “one-off” costs. The latter are presumably covered at least in part by insurance for “immediate response,” with the rest of the costs, including revenue hits, apparently not just underinsured but not insured at all. Then there’s the drop in Co-op’s stock price, which the company has not discussed in detail, and for which we see no evidence of coverage.
“Cost Headwinds” in the Financial Forecast
“We anticipate continued cost headwinds, global volatility and high competition. In response, we remain committed to a disciplined approach to investment to support our future, while managing a reducing level of cyber impact through the second half,” the company states in its filing, conceding that the fallout from the hack will continue for months.
Social Engineering
According to media reports, the Co-op hack involved social engineering. “They (the hackers) impersonated a (Co-op) colleague to access their account,” explained the company’s chief digital officer.
Lessons from the Co-op Hack for Boards & Shareholders
“(T)he (British) National Cyber Security Centre has again urged boards to take a direct role in cyber preparedness,” reports Insurance Business Magazine in its coverage of the Co-op penetration. “For the insurance market, the Co-op episode illustrates the gulf between perception and reality in cyber protection. Policies designed as bolt-ons or limited to response services leave corporates bearing the true weight of prolonged outages,” concludes one insurance news site.
We imagine there’s more than one director of a US public company set to ask management what’s really covered, and not, in its cyber insurance policy. Being underinsured, to paraphrase the man, is no way to go through life as a public company.