M&S Urges Mandatory Cyberattack Reporting as UK Firms Face Silent Threats

Summary:

  • M&S chair urges legal requirement for UK firms to report major cyberattacks to authorities.
  • Two recent attacks on large UK companies reportedly went unreported, highlighting blind spots.
  • M&S cyberattack in April forced a 46-day online shutdown, costing an estimated £300 million in losses.

M&S Calls for Legal Mandate on Cyberattack Disclosures

The chairman of Marks & Spencer has called for UK companies to be legally required to report major cyberattacks, warning lawmakers that critical breaches are slipping through the cracks and leaving the nation’s cybersecurity landscape exposed.

Speaking to the Business and Trade Committee, Archie Norman revealed that M&S learned of two significant cyberattacks on large British firms in the last four months that were never reported to the National Cyber Security Centre (NCSC).

Norman argued that requiring companies of a certain size to report “material attacks” within a set timeframe would not be “regulatory overkill,” but rather a necessary step to strengthen the UK’s digital defenses.

“There is a big deficit in knowledge in the cybersecurity space,” Norman told MPs, adding that M&S reported its own April cyberattack promptly to authorities, aiding wider efforts to protect other businesses from similar threats.

The April ransomware attack forced M&S to suspend online orders for nearly seven weeks, costing an estimated £300 million in lost profits.

The retailer’s online distribution hub in Castle Donington remained offline for weeks, with full operations expected to resume by the end of July. M&S CEO Stuart Machin has told investors the company will be over the worst of the disruption by August.

Inside the Attack: Lessons and Industry Debate

Norman described the attack on M&S as “traumatic” and akin to “an out of body experience,” with hackers infiltrating systems through a sophisticated “social engineering” operation on April 17.

The perpetrators, believed to be linked to the Asia-based ransomware group DragonForce and the hacking collective Scattered Spider, made no direct contact with M&S during the incident.

Norman declined to say whether M&S paid a ransom, calling it a matter for law enforcement, but noted, “In our case, substantially, the damage had been done.”

The retailer, which had doubled its cyber insurance coverage before the cyberattack, is expected to claim over £100 million, although processing the claim may take up to 18 months. Meanwhile, M&S General Counsel Nick Folland advised other businesses to prepare to “run your business on pen and paper” during severe attacks.

However, this approach faced pushback from Rob Elsey, Chief Digital Information Officer of the Co-op Group, who described reliance on paper as “unsustainable” in today’s economy. Instead, the Co-op, which suffered its own cyberattack days after M&S, has prioritized segregated systems that can be activated in emergencies to maintain digital operations during a breach.

The contrasting strategies underscore a growing challenge for UK businesses: how to balance investment in cybersecurity, operational resilience, and transparency while navigating increasingly sophisticated cyber threats.

As cyberattacks escalate, M&S’s push for mandatory reporting could mark a pivotal shift in how British firms and regulators tackle digital security in an era of relentless cyber risks.