UK Companies Should Have to Disclose Major Cyberattacks, M&S Says
As the UK's retail sector continues to grapple with the consequences of a recent major cyberattack, Marks & Spencer (M&S) has come forward with a proposal that could have far-reaching implications for businesses across the country. According to Archie Norman, the chairman of M&S, British companies should be legally required to report material cyberattacks to the authorities.
Norman made this call during evidence to lawmakers on parliament's Business and Trade Committee last week. He claimed that two recent major attacks on large UK firms had gone unreported, highlighting a significant gap in knowledge about cybersecurity threats. "In fact we have reason to believe there've been two major cyberattacks on large British companies in the last four months which have gone unreported," he said.
Norman argued that this lack of reporting meant there was a big deficit in knowledge about cybersecurity threats, and that making companies report material attacks would help fill this gap. "So I don't think it would be regulatory overkill to say if you have a material attack ... for companies of a certain size you are required within a time limit to report those to the NCSC," he said.
Norman did not name the two companies whose attacks went unreported, but he said that M&S itself had been targeted by a ransomware operation based in Asia, believed to be linked to the hacking collective known as Scattered Spider.
"When this happens you don't know who the attacker is, and in fact they never send you a letter signed Scattered Spider, that doesn't happen," Norman said. He explained that M&S didn't hear from the threat actor for about a week after it initially penetrated its systems on April 17 through a social engineering operation.
The cyberattack had significant consequences for M&S, with the company estimating a £300 million ($409 million) loss in operating profit due to the attack. The group was fortunate to have doubled its cyberattack insurance cover last year, but the claim process could take up to 18 months.
A Lesson Learned from the Crisis
M&S' General Counsel, Nick Folland, told lawmakers that a major lesson from the crisis for businesses generally was the importance of being able to operate with pen and paper. "That's what you need to be able to do for a period of time whilst all of your systems are down," he said.
A Way Forward
Norman's proposal for greater transparency around cyberattacks is just one possible way forward for businesses in the UK. While some may argue that making companies report material attacks could be an overreach, others see it as a necessary step to address the growing threat of cybercrime.
The National Crime Agency and other authorities are already working with loosely aligned parties to investigate and combat cyber threats. Norman's call for greater transparency could help build on this work and create a more effective cybersecurity landscape for businesses in the UK.