IAS 1 para 97, disclosure of effects of cyber attack in the year

Co-operative Group Limited – Annual report – 3 January 2026

Industry: retail, finance

1 Operating segments (extract)

c) Underlying operating (loss) / profit is a non-GAAP measure of operating (loss) / profit before the impact of non-underlying items, as detailed in notes (i) – (iv) below. Underlying (loss) / profit before tax includes charges for underlying interest on our borrowings and leases. The Directors believe that these Alternative Performance Measures (“APMs”) help our members understand our Group’s and business segments underlying performance. Further details on the Group’s APMs is given in the Glossary section (page 222). The difference between underlying operating (loss) / profit and operating (loss) / profit includes:

  • Gains from property and business disposals of £11m (2024: £19m) comprise a £11m gain (2024: £11m gain) on non-trading properties held in our central supporting function segment and £nil gain (2024: £7m gain) on Food stores and £nil gain (2024: £1m gain) in Wholesale.
  • Net impairment charges of £29m (2024: £18m) relate to an impairment charge over our Food stores of £37m (2024: £17m in Food and £1m in Wholesale) offset by a net £1m impairment reversal relating to our support centre (2024: £nil), and a further reversal of £7m of the previously recognised impairment on our sub-leased estate (2024:£nil).
  • During the period our Co-op was the victim of a cyber attack (April 2025). Our proactive cyber containment, defensive action and subsequent recovery has impacted our financials in the period across multiple areas. Incremental, non recurring costs relating to additional activities and costs incurred as a direct result of the cyber attack totalling £21m (2024: £nil) have been recognised within non-underlying items. These mainly relate to incremental stock losses (£4m) and stock wastage (£6m) in our Food business (totalling £10m), incremental third party costs incurred with our professional services partners as well as incremental payroll costs incurred as part of the cyber recovery process (£11m). Full analysis of the cyber impact on our Co-op is included in the Financial Review section of this report.
  • Other non-underlying items totalling a £7m gain (2024: £5m gain) comprises £13m of net gains from releases and charges to legal and regulatory provisions, a £2m gain following a change in accounting treatment of deferred acquisition costs in our Insurance business, net of a £8m charge relating to a multi-year business restructuring activity.

GROUP FINANCIAL OVERVIEW (extract)

Cyber attack impact

The cyber attack was a one-off criminal event with a material impact on our financial results. The estimated impact is best understood in two parts.

1. Immediate financial impact:

Non-recurring incremental costs of £21m: this includes third-party support and other non-recurring recovery costs. In line with the Group’s policy for non-underlying items, these have been removed from underlying profit and presented as non-underlying.

Sales and gross margin estimated impact of £285m and £86m respectively: resulting from restricted systems, reduced promotional capability, operational inefficiencies and lower volume throughput. We have estimated these impacts based on our Group forecast for 2025, updated to reflect actual external conditions, such as changes in frequency of shopping behaviour. These impacts remain within our underlying measures.

The cash impact is the value of the cumulative non-recurring costs and the sales and gross margin estimated impact.

2. Tail of impact:

Beyond our immediate response to the event, our Co-op saw a tail of impact through the year. Transient shopping patterns had been disrupted, and cyber containment and recovery slowed strategic progress, most notably in Food, during a time of fast-moving market shifts.

The table below summarises the estimated immediate impact.

In the tables through this document, we will talk to:

  • Statutory profit measures which have no adjustments.
  • Underlying profit measures which exclude the impact of nonrecurring cyber costs.
  • Variances to the period prior excluding the total estimated direct impact of the cyber attack, including the lost trade impact. This is provided to aid understanding and is not an ongoing statutory or alternative performance measure.