The latest EY-Parthenon analysis of UK profit warnings covering Q3 2025 confirms that this period saw the highest number of warnings by listed retailers since Q4 2023 and the worst third quarter since 2022.
This research comes after a dramatic period when a wide range of high-profile retailers were the victims of major cyber attacks, one of which hit M&S profits by around £300m. Other major retailers badly affected by similar incidents included the Co-Op and Harrods. Retailers are particularly attractive targets for cyber criminals because they have very large organisational footprints and huge amounts of customer data.
Among the huge range of cyber challenges facing retailers, two particular aspects stand out:
1. AI-powered phishing & vishing scams
According to the latest 2025 Phishing Threat Trends Report, after first infiltrating major retailers, hackers typically launch secondary phishing campaigns that impersonate compromised brands with the objective of stealing customer details.
These campaigns leverage a mix of technical and human-targeting tactics, including sophisticated social engineering, voice phishing, multi-factor authentication (MFA) ‘bombing’ and data harvesting. This approach bypasses traditional defences. In particular, the report highlighted a marked increase in phone-based phishing attacks, known as vishing, which rose by 449% compared to the previous year.
2. Third party risk
The nature of cyber threats is always changing. Attacks continue to be more sophisticated, often targeting supply chains as entry points. A breach at a single vendor can cascade across ecosystems, disrupting operations, damaging reputations and shutting down the operations of companies within the supply chain.
This new style of cyber attack has put supply chain resilience under added scrutiny. Many supplier agreements still lack robust cyber security clauses, leaving organisations exposed. As businesses deepen their reliance on technology, the risks from points of failure are growing. Unless there is a shared understanding of risk and decent cyber security standards are met, interdependencies can become liabilities. Notably, the M&S attack appears to have come through a weakness at a third party service provider.
The CrowdStrike incident illustrated this all too vividly, to the considerable detriment of many of its customers. It was not a cyber attack but a malfunction in July 2024 in a single content update from the cyber security software company, which caused more than 8.5m systems worldwide to crash. Losses were estimated at $5bn, while costs for insurers are said to have been $1.5bn.
The recent AWS outage is another clear warning sign about third party cyber resilience risk. Internet platforms including Signal, Snapchat, Roblox, Duolingo, as well as services such as banking sites and the Ring doorbell company were among the 2,000 companies affected by the outage, with more than 8.1m reports of problems from users globally. Services were restored within hours, but the impact of the outage was felt widely.
To create effective resilience, retailers need to map dependencies across their full supplier network, embed cyber security into procurement and invest in secure, timely backup solutions and regularly tested recovery protocols. Localisation and diversification strategies can reduce exposure, whilst AI and automation can enhance threat detection and response.
The problem with bricks and mortar
Insecure physical footprints may be partially to blame for the uptick in cyber attacks against retailers. The problem is that retail outlets are no longer just buildings. They have become smart, interconnected digital environments utilising increasingly sophisticated and ever-changing technologies. Embedding digital systems in physical locations comes with a high level of cyber risk, increasing the attack surface that needs to be protected against digital intruders.
Retailers are especially vulnerable because their stores are open to the public. Attackers can quite casually scope potential ways into networks. Among the many potential system entry points are building-management systems, internet-of-things devices, access control systems, CCTV networks and even ventilation and air conditioning systems.
Cyber risk insurance
Astonishingly, the Co-Op did not have dedicated cyber cover, having instead opted to invest in defensive cyber security measures but leaving itself fully exposed to the entire estimated £120m loss when this strategy failed. M&S was inadequately insured, to such an extent that it is believed that only around a quarter of its gross loss of £400m may be recoverable from insurers.
Some reports suggest that up to half of all UK businesses have no specific cyber insurance, despite suggestions that a quarter of all UK organisations have suffered a cyber attack. Factors include the obvious issue of cost, as well as concerns about the availability of sufficiently flexible insurance products at a time when cyber risks are constantly evolving. The good news is that there are now new entrants targeting the previously under-served SME market.
After price hikes and tightening of underwriting requirements between 2020 and 2023, pricing had started to soften in Q1 2025 before the latest rash of retail cyber incidents caused by the Scattered Spider hacking group changed risk perceptions. Rates may not have risen yet as a result, but insurers are certainly looking much more closely at the strength of cyber security measures at their insureds and insisting on improvements where they are deficient.
Considerations for the future
Avoiding cyber risks altogether is unachievable. The objective for retailers should be to recognise risks and minimise them, and this should be regularly reviewed. Look into the benefits of carrying appropriate cyber insurance cover and make sure you have a feasible recovery plan to minimise downtime.
If you are seeking professional advice for your business, Opus is here to help. We can arrange for you to speak to one of our Partners, who can discuss options with you. We have offices nationwide and by contacting us on 0203 995 6380, you will be able to get immediate assistance from our Partner-led team.