UK retailer doubled cyberattack coverage before incident

(Reuters) — British businesses should be legally required to report material cyberattacks to the authorities, the chairman of retailer Marks & Spencer said on Tuesday, claiming two recent major attacks on large UK firms had gone unreported.

Giving evidence to lawmakers on parliament’s Business and Trade Committee on the April cyberattack which forced M&S to suspend online shopping for nearly seven weeks, Archie Norman said M&S was fortunate in having doubled its cyberattack insurance cover last year, though its claim could take 18 months to process.

Norman said the group had learned that “quite a large number” of serious cyberattacks never get reported to the National Cyber Security Centre (NCSC).

“In fact we have reason to believe there’ve been two major cyberattacks on large British companies in the last four months which have gone unreported,” he said.

Norman said that meant there was “a big deficit” in knowledge in the cybersecurity space.

“So I don’t think it would be regulatory overkill to say if you have a material attack … for companies of a certain size you are required within a time limit to report those to the NCSC.”

Norman declined to say if M&S had paid any ransom but said that subject was “fully shared” with the National Crime Agency and other authorities.

He said “loosely aligned parties” worked together on the M&S cyberattack.

He said M&S didn’t hear from the threat actor for about a week after it initially penetrated its systems on April 17 through a “social engineering” operation.

In May, M&S said the attack would cost it about 300 million pounds ($409 million) in lost operating profit.