# UK Companies Should Have to Disclose Major Cyberattacks, M&S Says

The recent major cyberattack on Marks & Spencer (M&S) has highlighted the need for British businesses to be legally required to report material cyberattacks to the authorities, according to the company's chairman, Archie Norman.

On Tuesday, Norman gave evidence to lawmakers on parliament's Business and Trade Committee, sharing his concerns about the lack of transparency in reporting major cyberattacks. He claimed that two recent major attacks on large UK firms had gone unreported, leaving a "big deficit" in knowledge in the cybersecurity space.

"I don't think it would be regulatory overkill to say if you have a material attack ... for companies of a certain size you are required within a time limit to report those to the NCSC," Norman said, referring to the National Cyber Security Centre. He declined to comment on whether M&S had paid any ransom but said that the subject was "fully shared" with other authorities.

The M&S cyberattack occurred in April and forced the company to suspend its online ordering system, halting online shopping for nearly seven weeks. The resulting financial losses are estimated at around £300 million ($409 million).

Norman attributed the delay in reporting the attack to the lack of communication with the threat actor. "When this happens you don't know who the attacker is, and in fact they never send you a letter signed Scattered Spider," he said, referring to the hacking collective believed to be responsible for the attack.

The incident highlighted the importance of having contingency plans in place, according to M&S' General Counsel, Nick Folland. "That's what you need to be able to do for a period of time whilst all of your systems are down," he said. The company has since resumed taking online orders for clothing lines but is still working to restore click and collect services.

M&S CEO Stuart Machin recently stated that the group would be over the worst of the fallout from the attack by August, but the incident serves as a reminder of the need for greater transparency in reporting major cyberattacks. Norman's call for regulation on this issue has sparked debate about the potential benefits and drawbacks of such measures.

---

**A Growing Concern**

The recent M&S cyberattack is just one example of a growing concern in the UK business community. With the increasing sophistication of cyberattacks, it's essential that British businesses have a system in place for reporting and responding to such incidents.

**The Benefits of Regulation**

Norman's suggestion that companies should be required to report material cyberattacks to the authorities raises important questions about the potential benefits of regulation. By requiring companies to report major attacks, the government could gain valuable insights into the nature and scope of these incidents, ultimately helping to improve cybersecurity measures across the board.

However, there are also concerns about the potential drawbacks of such regulation. Some argue that it could lead to a culture of complacency, where companies feel pressured to report every minor incident in order to avoid regulatory penalties.

**A Call to Action**

As the UK business community continues to grapple with the challenges of cybersecurity, it's essential that we take a proactive approach to addressing this issue. Norman's call for regulation on cyberattack reporting is just one example of the need for greater transparency and cooperation between businesses and authorities.

By working together, we can build a more resilient and secure digital economy, where UK businesses can thrive in an increasingly complex and interconnected world.