The last couple of months have seen cybersecurity on the front page of a number of media publications. The attacks in the U.K. on Marks and Spencer, the Co-op and Harrods have all featured heavily in reporting.[1]
For those in the U.K. with longish memories, this is all rather reminiscent of 2017, when the WannaCry incident resulted in severe disruption across the NHS. For those not U.K.-resident, the NHS is something of a national institution, and that incident very much opened the public’s eyes to cyber as a modern risk. However, given that some eight years later we have seen attacks on other national institutions,[2] one is left to wonder what progress has been made.
Now, Marks and Spencer, the Co-op and Harrods will all survive these current difficulties. The size of each company, the strength of their individual balance sheets and, in the case of the first two, the fact that they are part of the national fabric, will see to this. There has also been much discussion around whether this is a line in the sand for the cyber insurance market and the extent to which it will lead to a significant take-up in policies by Corporate Britain.
However, if the cyber market is relying on these retail incidents to drive an improved understanding of cyber risk, then I wonder if it is relying on the wrong event. Let me explain…
I grew up in a village just outside of Northampton in the U.K. One of the more well-known businesses in the area was "Knights of Old," a haulage business named after the family name and the village in which they were originally based. As a kid (with a rather silly sense of humour that arguably has not changed much over the years), I had a vision of their articulated trucks being driven the length of the country by a series of Knights Templar figures. Oddly, even after having finished university and moved away from the area, it was still a reassuring sight to see these trucks on the motorway.[3]
The business, in more recent years, became formally known as KNP Logistics, although the branding seen in my childhood remained. However, unfortunately, the business suffered a ransomware attack in the summer of 2023 that caused the business to close with the loss of 730 jobs.[4]
Having reviewed the media reporting on this incident, as well as the administrator/liquidator reports relating to the winding up of the company, there are, in my view, a few key issues that emerge that may have contributed to the closure of the business.
The first relates to the business itself. Prior to the ransomware incident, the business had opened a new distribution center. As is the case with the launch of any new product/facility, there were some teething issues that needed to be resolved. The business was also being severely affected by the increase in fuel prices, which were impacting margins. These issues, while having a detrimental impact on cash flow, were not considered critical, and the business was expected to be able to trade through these problems.
The second relates to the company’s IT security. The hackers apparently gained access by exploiting a weak password used by a member of staff and, perhaps more crucially, the company had not enabled multi-factor authentication (MFA),[5] a critical security control that helps prevent attackers from gaining access with a stolen or guessed password alone. At the time of the incident, MFA was often a prerequisite for obtaining cyber insurance and, if anything, it is now often viewed as a mandatory requirement for cover.
The final issue relates to the sum insured under their cyber policy — £1 million. The administrator report makes it clear that this was adequate to cover the IT costs that had been incurred following the incident. The same report’s silence as it relates to the business interruption loss implies that, once these IT costs were paid, there was limited cover remaining to pay the resulting loss of profit.
Given that the business was already tight on cash flow prior to the incident, the incident itself will have further exacerbated these problems, as it caused significant disruption to an operation that will have been highly dependent on IT to ensure the smooth handling of the circa 50,000 pallets of product that it was required to handle.[6] In the absence of any practical business interruption cover, it is perhaps not a surprise that the business failed.
But should it have failed?
Looking at the company accounts for the year before the incident, the business had revenues of circa £95 million. Baker Tilly’s own business interruption claims experience in this sector indicates that the rate of gross profit for insurance purposes would have been between 40% and 50%. On that basis, the business’s weekly gross profit exposure was between £0.7 million and £0.9 million.
Given that it takes most small to medium businesses at least two weeks to have even rudimentary IT systems restored following an incident of this nature, it appears that KNP was woefully underinsured.
However, why was it underinsured? Perhaps the lack of MFA meant that the business could not get a higher limit. Maybe the business decided that, given the cash flow issues being experienced, it did not want to purchase a higher limit, which would have attracted a larger policy premium. It may even be the case that the business had not given proper consideration to its cyber exposures, in terms of both IT and economic loss. In all likelihood, all three of these factors are relevant.
Regardless of the cause, 730 people lost their jobs, and a business that could trace its roots back to 1865 was forced to close. When I relayed this story to my mother, who is Northampton born and bred, her response was that this was "criminal".
While the recovery of Marks and Spencer et al. is newsworthy, as is the role of cyber insurance in this process, it highlights the wrong points. To my mind, we should be highlighting the real consequences of getting it wrong, and the impact that this can have on the economy. Marks and Spencer may be a flagship business, but it is the SMEs, such as KNP, that are the heartbeat of any economy. Lose these, and the economy is in big trouble.
This is, therefore, a call to arms. More needs to be done to understand and improve companies’ IT security exposure. More needs to be done to understand companies’ economic loss exposures from a cyber incident. And more needs to be done to ensure that the insurance that is purchased is fit for purpose.
Why? Because I want KNP Logistics to be a line in the sand, for two reasons. One, because I can no longer giggle with my children at the mental image of a Knights Templar figure driving an articulated truck. And second, and far more important, so that another 730 people do not lose their jobs.
References
[1] Cyber Incident - Further Update, Marks and Spencer, April 25, 2025
Cyber Incident Member FAQs, Co-op
Harrods latest retailer to be hit by cyber attack, BBC, May 1, 2025
[2] For the benefit of those not resident in the U.K., Marks and Spencer is a national institution and very much a bellwether for the U.K. high street.
[3] Alas, all drivers actually observed were usually attired in T-shirt and jeans.
[4] The Times, Dec. 14, 2024
[5] ibid
[6] ibid
