Reporting major cyber attacks should be a legal requirement for all businesses, the boss of Marks & Spencer has said, claiming that two hacks involving “large British companies” had gone unreported in recent months. The retailer faced pressure to recover its operations and customer data quickly following a very public attack in April; by contrast, the boss claimed, other British companies had shied away from reporting attacks, keeping customers out of the loop on the status of their data.

The impact of the wide-scale cyberattack forced M&S to close stores and absorb lost revenue for almost 7 weeks. As directors scrambled to stabilise the situation, customers waited in limbo for their orders with the website completely down. Even though shoppers’ loyalty to the high-street chain has been unwavering, recovery has been difficult, as the “trauma” of the incident took its toll.

The incident highlighted the undeniable importance of cybersecurity, but also the growing sophistication of attacks, which is difficult to keep up with; M&S added that they did not “leave the back door open”. The company had spent millions of pounds the previous year fortifying its security systems and keeping out fraudsters, employing an 80-strong security team.

Giving evidence to parliament’s subcommittee for business and trade, Norman pointed out that M&S had been quick to report the attack to the authorities, including the UK’s cyber watchdog, the National Cyber Security Centre (NCSC). Doing so benefited other businesses by alerting them to, and helping protect them from, the wave of attacks in circulation. Norman also criticised the lack of communication around “quite a large number of serious cyber-attacks” that never get reported. He advocated making reporting to the NCSC mandatory, noting that some companies have instead tried to negotiate with hackers, in some cases offering ransoms.

Dr. Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), has thrown doubt on a new law mandating reporting of attacks. 

“Whilst the idea to add another law that would require mandatory reporting of major cyber-attacks in the UK is sound and appealing, it may eventually bring more harm than good unless properly shaped and pragmatically implemented.

“First, most ‘major’ cyber-attacks inevitably implicate theft of personal data – thereby triggering the already existing reporting and notification requirements under the UK GDPR. It is true that some companies find ‘creative’ ways to avoid mandatory disclosure of data breaches under dubious legal pretexts; however, merely adding another law is unlikely to fix the problem.”