M&S Chair Calls for Mandatory Cyberattack Reporting by UK Firms
British businesses should be legally required to report significant cyberattacks to authorities, according to the chairman of Marks & Spencer. Archie Norman stated that two major attacks on large UK firms had recently gone unreported, highlighting gaps in cybersecurity oversight.
Many Cyberattacks Go Unreported
Speaking to the Business and Trade Committee in parliament, Norman explained that many serious cyberattacks are not reported to the National Cyber Security Centre (NCSC). He was giving evidence on the April cyberattack that forced M&S to suspend online shopping for nearly seven weeks.
Norman noted, “We have reason to believe there have been two major cyberattacks on large British companies in the last four months which have gone unreported.” He added that this situation had created a “big deficit” in cybersecurity knowledge across the sector.
He suggested that mandatory reporting of material cyberattacks for companies above a certain size would not be excessive regulation. He argued that prompt reporting to the NCSC would help authorities understand and address emerging cyber threats.
M&S Cyberattack Details Shared
Norman did not confirm if M&S had paid a ransom during the attack but said the matter was “fully shared” with the National Crime Agency and other authorities. He explained that loosely aligned parties were involved in the attack, with DragonForce, a ransomware group believed to be based in Asia, playing a role.
A group known as Scattered Spider, which uses DragonForce ransomware, has been linked to the M&S attack by media reports. Norman explained that attackers do not clearly identify themselves, stating, “They never send you a letter signed Scattered Spider.”
The attackers gained access to M&S systems on 17 April through social engineering, and the company heard nothing from them for about a week after the breach.
Impact on M&S Operations and Lessons Learned
In May, M&S estimated that the attack would cost around £300 million in lost operating profit. The company had doubled its cyber insurance cover last year, which Norman said was fortunate, though processing the claim could take up to 18 months.
M&S resumed online clothing orders on 10 June after a 46-day suspension, though click and collect services remain unavailable. CEO Stuart Machin told investors last week that the company expects to be past the worst of the fallout by August.
Nick Folland, M&S’ General Counsel, highlighted a critical lesson for businesses, advising that companies should prepare to operate manually if systems go down. “You need to be able to operate with pen and paper for a period of time whilst all of your systems are down,” he told lawmakers.
with inputs from Reuters