Author: Dom Horton
Article 1 of 5
It is estimated that M&S has recovered less than a third of its £300m+ cyber loss from its insurers.
What would a substantial Uninsured Cyber Attack do to Your Portfolio Company?
Why PE firms need to rethink cyber insurance before the next deal.
In 2025, Marks & Spencer suffered a ransomware attack that knocked out its online operations for months. Estimated cost: north of £300 million. The Co-op Group was hit at a similar time, bringing the combined bill to roughly £440 million. Jaguar Land Rover’s cyber incident demonstrated that it is not just retailers who are exposed: the attack was severe enough to contribute to UK GDP contracting by 0.1%.
These aren’t theoretical risks. They are last year’s headlines. Yet in our experience advising on over 100 transactions annually, cyber insurance remains one of the most poorly arranged and least understood coverages.
The Numbers
The UK Government’s Cyber Security Breaches Survey shows 43% of UK businesses experienced a breach in the past year. For medium-sized businesses – the mid-market PE sweet spot – that rises to 67%. A January 2026 Vodafone study found over 10% of senior leaders admitted their organisations would be unlikely to survive an M&S-scale incident.
The cost of cyber incidents continues to climb. The average recovery cost for a mid-market business now sits above £250,000 before factoring in regulatory fines, reputational damage, and customer attrition. For PE-backed companies in the midst of a growth phase or approaching exit, the exposure is magnified.
Why This Matters on Deals
At Acquisition
Cyber cover is often treated as a tick-box item. The critical questions are either glossed over or not even thought about: Do the limits reflect actual exposure? What are the coverage carve-outs and inner restrictions? Does the policy adequately cover first-party risk, including employee error? What about loss of profits driven by a supplier breach?
W&I insurance almost universally excludes cyber-related losses. A breach occurring between signing and completion leaves the buyer fully exposed, with no recourse under the W&I policy.
Vista uses its insurance partners to undertake external stress testing of the target’s cyber security – an invaluable tool in identifying vulnerabilities before signing.
During the Hold Period
Portfolio companies are especially vulnerable during ownership. System migrations, bolt-on integrations, and cost-cutting all weaken cyber resilience at precisely the time the insurance programme is sitting untouched from acquisition. IT environments become more complex with each bolt-on, and the attack surface grows — but the cyber insurance often still reflects the standalone target at the point of purchase.
At Exit
Buyer DD teams now routinely scrutinise cyber risk as standard practice. A portfolio company with inadequate cover will face questions that delay the sale process, and W&I underwriters on the buy side will note the gap and price accordingly. In a competitive exit, poor cyber insurance hygiene can become a differentiator for the wrong reasons.
What to Do
Review the target’s cyber insurance as a standalone DD item — not just a tick-box item. Check limits against realistic loss scenarios, review exclusions for ransomware and social engineering fraud, check that all the right cover extensions are included, and confirm whether the policy transfers on a change of control.
Build cyber insurance into the 100-day plan. If cover is inadequate, ideally address it immediately or, at worst, post-completion, rather than waiting for the next renewal cycle. The window between completion and the first renewal is a period of peak vulnerability.
Conduct a pre-exit cyber review — ensure the programme stands up to buyer scrutiny before the data room opens. A clean cyber insurance position signals operational maturity to prospective buyers.
VISTA INSIGHT: Your W&I policy won’t cover a cyber loss. Your portfolio company’s cyber programme might not either. That’s exactly the gap insurance due diligence is designed to find — before it becomes a deal issue.

Want to discuss how this applies to your portfolio?
Get in touch with Dom Horton, Associate Director at Vista Insurance Brokers, for a confidential conversation about your deal pipeline or portfolio insurance requirements.
About Vista Insurance Brokers
Vista is a specialist M&A insurance advisory firm working exclusively with private equity houses, corporate finance firms, and law firms across the UK and Ireland. We advise on over 105 transactions annually, providing insurance due diligence, W&I insurance placement advice, and transactional risk solutions for mid-market deals. Our insurance DD reports are delivered in 5–7 working days on a contingent fee basis – no cost if the deal doesn’t complete.