
Ellie Ruiz and Chris Lally at Reed Smith LLP consider cyber-insurance cover and how businesses should respond to the recent string of cyber-attacks on retailers
Cyber-security insurance has come into the spotlight following a string of high-profile cyber-attacks against retailers, including Marks & Spencer (“M&S”) and the Co-operative Group (“Co-op”), with M&S alone reporting losses in the region of £300m.
But what does cyber-cover entail, and if your business falls victim to an attack, how should it respond within the scope of that cover?
Cyber-security insurance, or “cyber-insurance”, is a specialist type of cover designed to mitigate the losses suffered by businesses arising out of the financial, operational, and reputational fallout from cyber-incidents such as data breaches, ransomware, and system outages.
While the scope of cover may vary, a comprehensive cyber-insurance policy typically provides both first-party and third-party cover, and many policies also offer access to expert incident response teams, legal and PR support, and regulatory compliance advice. Cyber-insurance is intended to fill gaps left by standard policies, which often specifically exclude digital data loss, cyber-extortion, or the reputational impact of a breach.
The recent cyber-attacks hold significant lessons for businesses (retail and non-retail) and insurers alike, particularly on the importance of having adequate cyber-cover in place and of understanding how that cover works in practice, because the terms of the cover directly shape operational decision-making during a crisis.
In April 2025, M&S suffered a major cyber-attack that resulted in the theft of customer data and significant operational disruption, with an estimated loss of profits of around £300 million. The company’s cyber-insurance policy, reportedly providing cover of up to £100 million, is expected in principle to respond to a broad range of losses, including lost sales, legal liabilities and incident response costs.
At the same time, the Co-op suffered a significant breach that disrupted its IT systems and affected stock availability. The Co-op took an early decision to go “offline” in an attempt to prevent further harm to its systems. It did not have cyber-insurance cover in place.
A key feature of cyber-insurance policies is the “waiting period”: the minimum amount of time that must elapse after a cyber-incident before business interruption cover is triggered. It functions much like a deductible, but measured in time rather than money, so that cover is reserved for significant events rather than minor, short-lived disruptions. Typical waiting periods are between 8 and 12 hours, though some policies offer shorter or longer durations depending on the business’s risk appetite and IT resilience.
The precise wording matters. Some policies cover only losses occurring after the waiting period has expired, while others, once the waiting period has been met, cover losses from the start of the incident. Under the first wording the first 8 to 12 hours of interruption are never recoverable; under the second they are, provided the outage lasts long enough to cross the threshold.
The existence of a waiting period has direct implications for operational decisions during a cyber-incident. For example, if a business is hit by a ransomware attack or a system outage, management must decide whether to take systems offline to contain the threat or attempt to keep operations running. This decision can affect the duration and severity of the interruption, and therefore the amount of any insurable loss suffered.
It has been widely reported that the Co-op avoided the more serious consequences of the attack by rapidly taking its computer systems offline, stopping the intrusion from progressing. If that is correct, the losses suffered by the Co-op are likely to be predominantly business interruption losses caused by its own ‘shutdown’ in response to the attack.
How a business reacts to a cyber-incident will be directly influenced by this type of time-deductible wording. An insured whose business interruption cover starts only after the waiting period bears the full cost of the first hours of any shutdown it imposes on itself, which creates a pull towards keeping systems running for as long as possible even where isolating them early is the safer course. Would the Co-op’s decision to go offline have been different had it had insurance cover in place? How did M&S and its insurers work together to determine when to take systems offline?
The decision whether and when to take systems offline during a cyber-attack requires the business to form a view of the likely extent of the attack, and insurers will expect the insured to act as a prudent uninsured business would, that is, to take the same mitigation steps it would take if it bore the loss itself. This is often extremely challenging, because the potential damage is hard to assess while the attack is still unfolding.
To take these decisions with confidence, a business will want a well-rehearsed incident response plan, agreed in advance with its insurers as the best approach to managing and mitigating risk. Agreeing the plan up front also narrows the scope for later argument with insurers over whether going offline was a prudent mitigation step.
With the recent increase in cyber-attacks across sectors and industries, it is to be expected that both insurers and insured businesses will want to revisit and renegotiate the duration of the waiting period for cyber-cover.
Insured businesses may be able to negotiate a shorter waiting period by demonstrating increased cyber-resilience, including by taking up rapid response cover, now part of most insurers’ cyber-cover offerings. With the confidence that an expert team will respond to an incident immediately, insurers and insured businesses can agree a time deductible that reflects that increased certainty.
The lessons from recent breaches are clear: robust cyber-insurance, a clear understanding of the implications of waiting periods, and incident response plans agreed in advance with insurers are essential for managing risk, ensuring business continuity, and protecting both reputation and financial stability in an increasingly hostile digital environment.
Ellie Ruiz, Counsel, and Chris Lally, Associate, at Reed Smith LLP
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543