Source: go.theregister.com – Author: Connor Jones
Britain’s Cyber Monitoring Centre (CMC) estimates the total cost of the cyberattacks that crippled major UK retail organizations recently could be in the region of £270-440 million ($362-591 million).
The organization – which launched earlier this year and introduced standardized grading of cyberattacks – gave the criminals’ digital intrusions of retail outlets across the country high marks, characterizing them as a category 2 systemic event.
Marks & Spencer, the Co-op, and Harrods were all targets. Luxury Brit retailer Harrods said its flagship store remained open and continued to operate its online sales at the time of the attack, so the impact there may have been far less. At any rate, the CMC did not include Harrods in its data because so little information has been disseminated about that attack.
The CMC’s Cyber Monitoring Matrix grades systemic cyber events between category 0 for the lowest impact and category 5 for the highest. Overall impact is determined by how many people are affected by any given attack, and by the financial impact.
In its public assessment statement, the CMC said: “The impact from this event is ‘narrow and deep,’ having significant implications for two companies, and knock-on effects for suppliers, partners, and service providers. This contrasts with a ‘shallow and broad’ event like last year’s CrowdStrike event, where a large number of businesses across the economy were affected, but the impact to any one company was far smaller.
“We are yet to see a deep and broad category 4 or category 5 event impact the UK. Had there been further widespread disruption in the sector, the categorization could have been higher, but because the impact was confined to two companies and their partners, it is judged to be at the lower end of severity on the CMC’s scale.”
It previously said that CrowdStrike’s outage last year would have been designated a category 3 systemic event, had the CMC been launched at the time, due to the scale of its impact across the UK.
CrowdStrike’s faulty file update – which inadvertently led to what has been described as the largest IT outage in history – may have earned category 4 status had it been a malicious cyberattack rather than a faulty sensor update, because of the increased costs involved in cleaning up attacks, said the org. Hypothetically, an example of a cat-5 attack would be Russia’s NotPetya campaign.
The CMC said M&S and Co-op were likely losing big on things like lost sales, as well as incident response, IT restoration, and legal counsel.
The model used by the CMC indicates that the cost to retailers unable to fulfil normal sales could be in the region of £1.3 million ($1.74 million) per day. For M&S, its online orders weren’t expected to return until July, but have since been partially restored, limiting the daily losses from sales.
Fable Data informed the CMC’s assessment of lost revenues; it indicated that M&S had to contend with a 22 percent reduction in daily spend while online shopping was unavailable. Early reports focused on contactless payments being down in stores, and while in-store purchases fell by around 15 percent, pausing online sales had the biggest impact on the retailer’s financials, with those sales dropping to near zero.
The same data indicated that Co-op had a slightly better time of things, with daily spend dropping just 11 percent for the first 30 days after its attack.
While Co-op’s financials may have taken less of a hit, it could be argued the impact of its attack on parts of the UK was much greater than that of M&S. Co-op acts as a sole provider in remote and rural areas such as the Scottish Highlands and the islands around the Scottish coast.
About the CMC
The assessment of the recent UK retail attacks is the first contemporary incident categorization to come from the world-first CMC.
At launch, it offered theoretical assessments based on previous attacks, but the hits on UK retail mark the first time the CMC has been called into action since it was founded.
The CMC is chaired by the UK NCSC’s former founding CEO Ciaran Martin, and is comprised of cybersecurity experts and finance specialists.
The whole idea behind organizing the CMC was to remove the ambiguity around what constitutes a systemic cyber event – crucially one that allows cyber insurers to claim on their reinsurance policies.
Systemic risk remains a pain point for the insurance industry, largely because it lacks a clear, standardized definition. Due to this, different parties can be confused by an insurance policy’s terms, and whether it could or should pay out.
The CMC pitches itself as more than a body to help insurers claim on their own protection policies. The reports it promises to produce on systemic events that lead to losses of £100 million ($133 million) or more will, we’re told, feed into national security and cyber resilience discussions that could help more than just those organizations caught up in the attacks it assesses.
Its role could also evolve in the future. CEO Will Mayes said that if the UK government introduced a backstop to cover systemic cyberattacks that lead to massive costs, the CMC could potentially be called in to say whether additional funding should be released.
Experts speaking to The Register at the CMC’s February launch were broadly positive about the organization, although there was a feeling that the non-profit would have to prove its worth over the long term. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/23/experts_count_the_staggering_costs/