Friday, August 8, 2025

M&S Chair Calls for Mandatory Cyberattack Reporting

M&S Chairman Archie Norman urges the UK government to mandate cyberattack reporting after £400M hack, citing intelligence gaps for businesses and agencies.

The chairman of Marks & Spencer, the British department-store chain targeted by hackers in an April social-engineering attack, said Tuesday that the British government should require companies to report major cyberattacks.

M&S chairman Archie Norman told a House of Commons subcommittee that two major U.K. companies may have been attacked over the past four months, but the companies have yet to publicly confirm the incidents. 

Norman argued that the lack of such information can create a significant intelligence deficit for government agencies and other companies that may be targeted. 

“I don’t think it would be regulatory overkill to say that if you have a material attack — define ‘material’ — on a company of a certain size, you are required, within a time limit, to report it to the NCSC,” Norman told members of Parliament, referring to the U.K.’s National Cyber Security Centre. “That would enhance the central intelligence body in the area.” 

The issue of public disclosure has been a top consideration of government regulators and security operations teams in recent years as ransomware and other malicious attacks have scaled considerably. 

The U.S. Securities and Exchange Commission requires publicly traded companies to disclose attacks within four business days of determining that they are material, but many business leaders have opposed the rule. 

After the 2021 Colonial Pipeline ransomware attack, company executives urged U.S. officials to share more actionable intelligence that would help businesses mitigate risks before a major attack. 

After its hack, Marks & Spencer experienced weeks of disruptions to its department-store business, particularly online transactions and fulfillment. The company estimated the attack will cost more than $400 million in operating impact before insurance proceeds are factored in. 

The same attack spree also hit the major U.K. department store Harrods and the British retailer Co-op before the hackers shifted their focus to U.S. retailers.

Testifying before Parliament, Norman confirmed that the ransomware group DragonForce was responsible for the M&S hack, although he suggested the group collaborated with the notorious cybercrime gang Scattered Spider.
