Quorum Cyber’s Incident Response Consultant Emily Benbow shares her thoughts on the recent spate of cyber-attacks on the British retail sector.

When senior executives from Marks & Spencer (M&S) and Co-op appeared before the Business and Trade Sub-Committee on Economic Security, Arms and Export Controls last week, their testimony provided a rare glimpse into executive-level decision-making before, during and after major cyber incidents. The panels comprised two iconic British retailers navigating near-simultaneous cyber-attacks, and demonstrated the dilemmas boards face in choosing the best response to sector-specific attacks of this kind.

M&S faced a scenario all businesses rightly dread: its sensitive customer data had been encrypted by attackers who had entered its systems undetected two days earlier. After discovering the attack, M&S elected to take its systems down, despite more than half of them being unaffected. Meanwhile, Co-op’s defence systems almost immediately detected an attack, and its responders successfully contained the threat, in part by taking down around 40 key systems.

The decision to shut down critical systems and effectively halt operations unquestionably risks lost revenue, but the incentive structure during a ransomware attack likely pushes decision-makers to favour the uncertain expense of an overreaction over the guaranteed cost of an underreaction.

The hidden costs of a cyber-attack

One part of the problem is that victim organisations rarely disclose the cost of a cyber-attack itself, in terms of lost data and any ransoms paid, versus the cost of any response to stop the attack and rebuild systems. M&S has not disclosed whether it paid a ransom to recover its data, but estimates it faces around £300 million in lost revenue after the chain halted online orders entirely at the end of April and only recommenced for a limited selection of items at the beginning of June. Half of its online operations, including click and collect, remain down.

Further complicating the picture is the unevenness of cyber insurance coverage across organisations, which could lead to complacency in boards, and underinvestment in digital infrastructure and crisis preparedness. While M&S opted to cover critical cyber incidents last year, Co-op lacked insurance coverage for ransomware attacks. Co-op had, however, war-gamed an identical scenario within the leadership team previously and had structured its operations to cope with such an attack. Co-op was able to rely on business continuity plans, largely paper-based, and they rebuilt their systems over the course of two weeks.

The willingness of both organisations to rapidly shut down, even when risking huge losses of revenue, is likely also influenced by the regulatory pressures on boards. As it currently stands, businesses are more liable for failing to prevent the theft of consumer data than for disrupting services. This is particularly significant in critical industries like food supply. The panic-buying of the first Covid lockdown demonstrated the potential impact of consumer uncertainty, even when food supplies were relatively unaffected.

As Professor Ciaran Martin, Professor of Practice in the Management of Public Organisations at the University of Oxford, stated in another panel, the incentives may be “all wrong” for businesses operating in critical services, where a drop in continuity of service may have profound implications for national security. Months-long service downtime for organisations across critical sectors like pharmaceuticals, food supply or finance could be catastrophic, and foreign adversaries will almost certainly have taken note. As Martin stated, the criminals have given nation states a playbook.

The responses taken by M&S and Co-op also highlight the benefits and risks of developing and adhering to consistent sector-wide responses. Rob Elsey, Group Chief Digital Information Officer, revealed that Co-op had calls with other retailers while it was responding to its own attack, to share lessons learned and to “prevent any systemic implication”. Sharing intelligence could mean other organisations avoid falling victim to similar attacks, such as those carried out via social engineering of third-party IT vendors, but threat actors could learn to anticipate identical response patterns. In the case of rapid shutdowns of critical systems, threat actors may pivot toward more aggressive and rapid encryption methods and target some systems at an earlier stage, compressing already tight response windows for defenders.

Further, the decision to involve law enforcement fully and openly share information with the Government may have been contrary to the legal advice received by the boards of M&S and Co-op, owing to the inherent risks of increased regulatory scrutiny and possible legal repercussions. However, the recent arrests of four individuals tied to the retail cyber-attacks highlight the benefit to wider society of involving law enforcement in incident response in reducing the likelihood of further attacks. Boards may face conflicting moral and fiduciary duties in sharing information with law enforcement.

The contrasting experiences and decisions of M&S and Co-op executives thus reveal crucial insights: handling cyber incidents goes beyond technical defences to encompass strategic executive judgement, risk tolerance, and regulatory foresight.
