M&S urges UK firms to report cyberattacks
British companies should be required to report material cyber incidents, says M&S chairman.
Marks & Spencer has called for a legal obligation requiring UK companies to report major cyberattacks to national authorities. Chairman Archie Norman told parliament that two serious cyberattacks on prominent firms in recent months had gone unreported.
He argued that underreporting leaves a significant gap in cybersecurity knowledge, and that requiring companies to report material incidents to the National Cyber Security Centre would not be excessive regulation.
The retailer was hit in April by what is believed to be a ransomware attack involving DragonForce, with links to the Scattered Spider hacking group.
The breach forced a seven-week suspension of online clothing orders, costing the business around £300 million in lost operating profit.
M&S had fortunately doubled its cyber insurance last year, though it may take 18 months to process the claim.
General counsel Nick Folland added that companies must be prepared to operate manually, using pen and paper, when systems go down.