High-profile cyberattacks on UK retailers are spotlighting businesses' ongoing vulnerability to cyberattacks. From the Co-op to M&S to the Harrods hack, these crimes are costing firms millions. Beyond stock value, there is also a personal cost, like the couple left without their wedding cake, highlighting cybercrime’s very real human impact. It has been reported that, in one case, cybercriminals tricked an IT staffer into resetting passwords, illustrating human error’s persistent role in cybersecurity breaches.
Against the backdrop of the Co-op, M&S, and Harrods hacks, new research from Pen Underwriting reveals a troubling disconnect. Businesses in the UK and Ireland significantly underestimate their vulnerability to cyberattacks and overestimate their resilience. While 90% of surveyed business leaders feel protected against cyber threats, only 47% have dedicated cyber insurance coverage.

Smaller Firms at Greater Risk
The findings emphasize that small businesses face heightened risks but remain least prepared. Only 18% of companies with annual turnovers below £1 million possess cyber coverage. Alarmingly, half of these smaller enterprises have no cyber insurance at all.
Moreover, many small firms neglect basic cybersecurity practices. Just 31% perform regular data backups, and a mere 32% train their staff in cybersecurity awareness. Only 29% require multi-factor authentication (MFA) for remote system access.

Cyber Attacks More Frequent than Traditional Perils
Cyber incidents significantly outpace traditional threats like fires and thefts. Over five years, 39% of businesses experienced cyberattacks, surpassing the 10% impacted by fire or 7% by floods. Even theft incidents (35%) fell short of cybercrime frequency. Furthermore, 80% of cyberattack victims faced multiple attacks.
The consequences of these cyber incidents are severe. Firms report substantial financial losses, data breaches, operational disruptions, productivity loss, and reputational harm. Over a quarter of affected businesses experienced disruptions lasting more than a week, devastating for 80% of the companies that cannot afford to remain offline for even that long.

Inadequate Risk Mitigation
The research highlights weak cyber risk mitigation strategies. For example, only about half of businesses train employees or perform automated data backups, and fewer than half implement MFA for email or conduct regular system vulnerability scans.
Ian Summerfield, Head of Cyber at Pen Underwriting, stresses the severity of these findings. He emphasizes businesses’ need to reconcile perceived security with actual vulnerabilities. “Cyber risk is as fundamental to every cover conversation between businesses and their insurance brokers as property and liability,” Summerfield said.
In Summerfield’s view, cyber insurance offers substantial financial support after a breach and plays a key role in risk management. It helps businesses spot and fix vulnerabilities, strengthening their cybersecurity and overall resilience. Just as crucial, it ensures rapid access to expert assistance in the event of an incident, reducing downtime and speeding up system recovery.