M&S chairman calls for mandatory disclosure of material cyberattacks
The chairman of Marks & Spencer, the British department-store chain targeted by hackers in an April social-engineering attack, said Tuesday that the British government should require companies to report major cyberattacks.
M&S chairman Archie Norman told a House of Commons subcommittee that two major U.K. companies may have been attacked over the past four months but have yet to publicly confirm the incidents.
The lack of such information can create a significant intelligence deficit for government agencies and other companies that may be targeted, Norman argued.
“I don’t think it would be regulatory overkill to say that if you have a material attack — define ‘material’ — on a company of a certain size, you are required, within a time limit, to report it to the NCSC,” Norman told members of Parliament, referring to the U.K.’s National Cyber Security Centre. “That would enhance the central intelligence body in the area.”
The issue of public disclosure has been a top consideration of government regulators and security operations teams in recent years as ransomware and other malicious attacks have scaled considerably.
The U.S. Securities and Exchange Commission requires publicly traded companies to disclose attacks within four business days of determining that they are material, but the rule has faced considerable pushback from many business leaders.
After the 2021 Colonial Pipeline ransomware attack, executives from the company urged U.S. officials to share more actionable intelligence that would help businesses mitigate risks before a major attack.
Marks & Spencer experienced weeks of disruptions to its department-store business, particularly online transactions and fulfillment, after its hack. The company estimated the attack will cost more than $400 million in operating impact before insurance proceeds are factored in.
The same attack spree also hit the major U.K. department store Harrods and the British retailer Co-op before the hackers shifted their focus to U.S. retailers.
Testifying before Parliament, Norman confirmed that the ransomware group DragonForce was responsible for the M&S hack, although he suggested the group was collaborating with the notorious cybercrime gang Scattered Spider.