M&S Urges Mandatory Reporting of Major Cyberattacks by UK Firms
Marks & Spencer (M&S) chairman Archie Norman has called for new legislation requiring large UK companies to report material cyberattacks to national authorities. Speaking before Parliament’s Business and Trade Committee on Tuesday, Norman said the current voluntary system leads to significant underreporting of serious breaches.
Citing the April 17 cyberattack that forced M&S to suspend its online operations for 46 days, Norman said the company had since learned of two major cyberattacks on large British firms within the past four months that were never reported to the National Cyber Security Centre (NCSC).
“We believe there’s a big deficit in knowledge,” Norman said. “So I don’t think it would be regulatory overkill to require companies of a certain size to report material cyber incidents to the NCSC within a fixed timeframe.”
While Norman declined to say whether M&S paid a ransom, he noted that the matter was “fully shared” with the National Crime Agency and other authorities. He also revealed that the attack likely involved multiple parties, including the ransomware group DragonForce, believed to be operating from Asia. Media reports have linked the Scattered Spider hacking collective to the breach.
Describing the cyberattack’s mechanics, Norman said it began with a “social engineering” operation. M&S reportedly had no contact from the threat actors for about a week following the breach. The attack is expected to result in an estimated £300 million ($409 million) in lost operating profit.
Norman added that M&S had been “fortunate” to have doubled its cyber insurance coverage last year, though the company expects the claims process to take up to 18 months. M&S resumed online clothing sales on June 10, but click-and-collect services remain offline.
Nick Folland, General Counsel at M&S, told lawmakers that a key takeaway for other businesses was to maintain the ability to operate offline using pen and paper: “That’s what you need to be able to do for a period of time whilst all of your systems are down.”
CEO Stuart Machin previously said that the company expected to be past the worst of the incident’s impact by August.
Norman’s remarks underline the growing push for stronger cybersecurity regulation in the UK, amid rising concerns about corporate transparency and resilience in the face of increasingly sophisticated cyber threats.