
Should Cyberattack Reporting Be Mandatory? What the M&S Breach Reveals for UK Businesses

A high-profile cyberattack at Marks & Spencer has reignited calls for stricter reporting laws. But the lessons aren’t just for retailers – they’re for every UK business.

M&S Chair Says It’s “Crazy” That Cyberattacks Don’t Have to Be Reported

In a recent interview with The Times, Marks & Spencer Chairman Archie Norman revealed that the retailer had suffered a significant cyberattack – one that remained undisclosed for weeks and reportedly cost the business close to £300 million.

“There’s no obligation to report [cyber incidents] in the UK, which I think is crazy,” Norman said. “It’s the equivalent of having a fire and not reporting it.”

Norman’s point is that nothing in UK law required the attack to be reported, which he sees as a major gap in UK cyber security regulation. He is now urging the government to introduce mandatory reporting for ransomware and other serious cyber incidents.

Why This Matters for Mid-Sized Businesses, Not Just Enterprises

While major breaches like this often grab headlines, the risks and responsibilities affect every business, especially those without dedicated cyber security teams.

Many UK companies still operate under the assumption that silence is the safest option. But that mindset can have serious consequences – not only for compliance, but for resilience and recovery.

At Dr Logic, we help growing businesses across London and the UK take a proactive approach to cyber security, including what to do when something goes wrong.

The Hidden Cost of Unreported Cyberattacks

A growing number of security experts and bodies, including the National Cyber Security Centre (NCSC), warn that cyber incidents are heavily underreported in the UK.

Why? The reasons range from reputational fears to legal uncertainty, or simply not realising that an incident has occurred. But whatever short-term reputational cover silence buys, it weakens national defences and leaves other organisations exposed to the same attackers and the same techniques.

“You can’t fight what you can’t see. And if businesses are fighting cyberattacks in silence, we all lose,” says a senior analyst at the NCSC.

Without open reporting and shared intelligence, we miss opportunities to learn from each other, and stop the same attacks happening again.

What Your Business Can Do Now – Before Reporting Becomes Law

Even without mandatory disclosure laws in place (yet), UK businesses can take important steps to prepare for – and bounce back from – cyber incidents.

1. Know What Needs Reporting

Not every IT hiccup needs to be reported externally. But major incidents, such as ransomware, data breaches, or sustained downtime, may require internal escalation or external reporting. Under UK GDPR, for example, a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of your becoming aware of it, and affected individuals must be told without undue delay where that risk is high. The NCSC and Action Fraud also take voluntary reports of cyber incidents.

Understand your thresholds, and make sure your team does too.

2. Build a Clear Incident Response Plan

A strong cyber response plan shouldn’t live in someone’s head. It should be written down, tested, and regularly updated. It should include:

  • Who leads the response and who needs to be notified
  • How you assess damage and restore systems
  • How you communicate with staff, clients, and regulators
  • When to escalate to your IT provider, cyber specialists, or legal advisors

At Dr Logic, we help clients create and maintain practical, actionable incident response plans.

3. Check Your Backups and Logging

To recover quickly, you need both good logs (to trace the attack) and clean backups (to restore systems). Two caveats matter here: ransomware operators routinely delete or encrypt backups they can reach, so at least one copy should be offline or otherwise immutable; and attackers clear logs on the machines they control, so logs should be forwarded off the host and retained long enough to cover an intrusion that went unnoticed for weeks. Regular testing is key. Don’t wait until a breach to find out your recovery plan doesn’t work.
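“Regular testing” is easy to say and rarely done. The script below is an added illustration (not Dr Logic’s tooling or a product of the page) of what an automated restore test looks like: it takes a backup of a constructed sample folder together with a SHA-256 manifest, restores the archive to a scratch directory, and only reports success if every file comes back byte-for-byte identical. It then truncates a copy of the archive to show that a damaged backup is caught now rather than on the day you need it. It assumes a Linux host with GNU tar and coreutils (sha256sum, mktemp); the folder names are invented.

```shell
#!/bin/sh
# Added example: automated backup restore test. Assumes GNU tar and coreutils.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data standing in for a small file share (not real data).
make_sample_data() {
  mkdir -p "$WORK/share/finance"
  printf 'invoice 1001\n' > "$WORK/share/finance/inv1001.txt"
  printf 'staff handbook\n' > "$WORK/share/handbook.txt"
}

# Take a backup: a tarball plus a manifest of the SHA-256 of every file,
# recorded at backup time so a later restore can be checked against it.
take_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$dest/manifest.sha256"
  tar -C "$src" -cf "$dest/backup.tar" .
}

# Restore test: extract into a fresh scratch directory and verify every file
# against the manifest. Returns 0 only if the archive extracts cleanly AND
# every checksum matches; a missing or altered file fails the test.
verify_backup() {
  dest="$1"
  scratch="$(mktemp -d "$WORK/restore.XXXXXX")"
  tar -C "$scratch" -xf "$dest/backup.tar" 2>/dev/null || return 1
  ( cd "$scratch" && sha256sum -c "$dest/manifest.sha256" ) >/dev/null 2>&1
}

# Simulate a damaged backup (silent storage corruption, or an attacker
# tampering with the backup store): keep the manifest, truncate the archive.
make_damaged_copy() {
  good="$1"; bad="$2"
  mkdir -p "$bad"
  cp "$good/manifest.sha256" "$bad/manifest.sha256"
  head -c 512 "$good/backup.tar" > "$bad/backup.tar"
}

demo() {
  make_sample_data
  take_backup "$WORK/share" "$WORK/good"
  verify_backup "$WORK/good" && echo "good backup: restore test passed"
  make_damaged_copy "$WORK/good" "$WORK/bad"
  verify_backup "$WORK/bad" || echo "damaged backup: restore test failed (as it should)"
}

demo
```

In practice the restore target would be an isolated machine rather than a temp directory, and the result would be written somewhere your monitoring sees it, so that a failed restore test raises an alert in the same way a failed backup job does.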

4. Train Your Team to Spot the Signs

Phishing remains one of the most common entry points for attackers. Ongoing staff training is one of the simplest, most cost-effective defences you can implement.

5. Understand Your Legal Obligations

Depending on your industry or data practices, you may already have legal or contractual reporting requirements. Review your obligations under GDPR and any client agreements. Make sure your policies are up to date and clearly understood across the business.

Cyber Security Is a Business Issue – Not Just a Tech One

Whether or not mandatory reporting becomes law this year, cyber readiness is no longer optional. It’s a board-level priority – and increasingly, a reputational one.

Businesses that act now will be in a far stronger position to protect their systems, comply with future regulations, and respond quickly when the unexpected happens.

At Dr Logic, we take a proactive, cyber-first approach to IT. That means helping clients build resilience into every layer of their business, from devices and networks to people and processes.

Final Thought: Don’t Wait for Policy to Catch Up

Archie Norman’s comments may accelerate policy change, but your business doesn’t need to wait. By investing in strong IT systems, up-to-date processes, and experienced partners, you can protect your operations and reputation, whatever the law requires.

If you’re unsure how prepared your business is – or what your obligations might be – we’re here to help.

Get in touch to schedule a Cyber Readiness Review with our team.
