Why Boards Must Act Now on Cybersecurity – Lessons from M&S and Co-op

In April 2025, two of Britain’s most iconic retailers – Marks & Spencer (M&S) and the Co-op – were hit by severe cyber-attacks that disrupted operations for weeks and cost M&S an estimated £300 million in lost profit. These incidents triggered a UK Parliament inquiry on economic security, where business leaders and experts shared candid lessons. The message to boardrooms across all sectors was loud and clear: no one is immune, and cyber risk is a board-level issue. Below, we distil the key takeaways from the inquiry, covering governance, legacy IT, crisis preparation, resilience planning, and the oft-forgotten basics, to help board members strengthen their organisations against the next cyber crisis.

No One Is Immune to Cyber Threats

If a Fortune 500-scale company like M&S – with significant cybersecurity investment – can be brought to its knees, any organisation can. As the Committee Chair Liam Byrne warned, the breach of these “cherished retail institutions” should “ring alarm bells. Because if attackers can reach these giants, they can reach anyone.” Co-op’s General Counsel reinforced this reality, stating, “no organisation, regardless of how prepared, is entirely invulnerable” to sophisticated attacks.

Cyber threats affect every organisation – public or private, large or small. Boards must shed any sense of complacency. The stark reality is that cyber risk is pervasive and, as Byrne highlighted, potentially “uninsurable,” with challenges so substantial that insurers are worried about coverage limitations.

The first lesson to draw from this wake-up call is humility – boards must assume breaches are a matter of “when,” not “if,” and build their defences with that inevitability in mind.

Treat Cyber Risk as a Board-Level Continuity Issue

A major theme from the inquiry was the recognition that cybersecurity is not merely an IT problem – it is a critical business continuity issue requiring board-level stewardship. Authorities like the UK’s National Cyber Security Centre (NCSC) have stressed that cyber risk should receive the same attention as financial or legal risks in governance. Simply put, cyber resilience must be tightly integrated into an organisation’s overall risk management framework, not relegated to the IT department. Crucially, “cyber security is not just ‘good IT’, it underpins operational resilience”. An attack can halt your ability to operate overnight.

Board members don’t need to be technical experts, but they must ask the right questions and ensure robust defences and response plans are in place. Archie Norman, M&S Chairman, shared that his company’s cyber risk had been a top priority for its Audit & Risk Committee well before the breach occurred. As Norman observed, when a serious incident strikes, “it is a chief executive level of issue” requiring leadership engagement at the very top. In short, boards must own the cyber risk, champion a culture of security, and be ready to lead in a crisis – not just delegate it away.

Actionable Guidance:

  • Demand regular risk reports and incident drill feedback.
  • Allocate dedicated budgets for updating and enhancing defences.

Modernise Legacy Systems – Secure by Design

M&S learned the hard way how legacy IT can create hidden risks. Their hybrid of old and modern systems made it difficult to compartmentalise the network, which in turn hindered efforts to contain the attack once it was underway.

The takeaway for boards is to prioritise legacy system modernisation with security by design. Notably, the cost of those deferred IT upgrades would likely have been far less than the £300 million impact of the breach.

Boards should ask management: What legacy systems or technical debt might be putting us at risk? Ensure your IT strategy includes a plan to retire or harden them before attackers find the chinks in your armour.

Actionable Guidance:

  • Assess technical debt and prioritise retiring or upgrading legacy systems.
  • Enforce security-by-design principles in all IT infrastructure decisions.
  • Ensure networks are properly segmented to limit intruder access.

Practice Breaches – Crisis Drills Pay Dividends

Another clear lesson was the value of preparing for the worst through realistic exercises. You don’t want your executive team’s first cyber crisis meeting to take place during a real attack. Co-op’s leadership had war-gamed a cyberattack scenario in advance, using a “bronze, silver, gold” incident command framework. When the breach occurred, “the board itself was very well prepared for who would take what role. That definitely paid dividends through the crisis.” In other words, their rehearsed crisis management structure meant less panic and clearer decision-making under pressure. Every board should ensure there is a defined cyber incident response chain of command, and that top leaders have drilled their roles in a tabletop exercise.

Co-op’s proactive red team exercises, which simulate attacks using ethical hackers, were also instrumental in preparing for threats. These initiatives not only identified vulnerabilities but also provided continuous opportunities to improve practices.

Of course, no drill can ever fully replicate the chaos of a live attack. M&S had conducted scenario-planning workshops and red team tests, yet found that “nothing survives the first whiff of gunshot” when the real thing hit. The key point for boards: practice still pays off. Simulations will reveal gaps in your plans, and the muscle memory built through exercises will significantly improve your organisation’s response when an actual crisis strikes.

Actionable Guidance:

  • Schedule regular cyberattack simulations, including leadership participation.
  • Implement red-team or purple-team exercises to stress-test defences.
  • Foster a culture of continuous security improvement.

Resilience Planning – Continuity and Insurance

Resilience planning is vital – even when the best cybersecurity measures are in place, they can still fail. Both M&S and Co-op had to rely on manual workarounds to maintain core operations. M&S General Counsel Nick Folland advised, “Make sure you can run your business on pen and paper,” underscoring the importance of analogue backups.

Insurance, while valuable, is not an infallible safety net. As Folland explained, they had previously been “insuring for the trivia and not for the catastrophic,” so they wisely restructured their policy to cover worst-case scenarios – accepting a higher deductible for minor incidents. This proved prescient. However, even with the right coverage, payouts aren’t immediate or guaranteed. M&S estimates it will take 18 months to settle their claim, and they “don’t know how much” will ultimately be recovered.

An often-underappreciated element of resilience is having the right external expertise on standby. When Co-op detected its breach, it immediately “brought in [our] pre-agreed forensics teams, which we had on contract prior to these events.” In other words, they had an incident response firm on retainer and ready to deploy. During an attack, every minute counts – and you won’t have time to shop around. Having those experts in the room from “day one” (as Co-op did) can significantly accelerate containment and recovery.

Actionable Guidance:

  • Enforce the regular testing of business continuity plans, including manual backups.
  • Evaluate the scope of cyber insurance policies to cover catastrophic scenarios.
  • Keep top-tier incident response experts on retainer for mobilising during crises.

Know Your Assets – A Foundational Risk Step

Archie Norman urged boards to prioritise thoroughly mapping their IT systems. Many breaches begin with gaps in understanding or securing interconnected networks, as M&S’s experience revealed.

“Mapping your systems sounds basic, but it’s vital,” he shared, reinforcing the need to document all software, hardware, data, and accounts. Robust asset visibility underpins effective cybersecurity measures. As Norman put it, “having an absolutely rigorous map of exactly how they all interface, what is hosted in each server and who has access to it… is one of the things I would advise everybody to do.”

Actionable Guidance:

  • Push for a comprehensive IT asset review across your organisation.
  • Request periodic assessments of data access privileges to minimise risk.
  • Invest in security awareness training for all staff to strengthen the human layer of your defences.

The unprecedented attacks on M&S and Co-op, and the subsequent parliamentary inquiry, should serve as a wake-up call for boardrooms far beyond the retail sector. Cyberattacks are no longer a matter of if, but when, for businesses of all sizes. The fallout can be severe – operational paralysis, financial loss, legal liabilities, and reputational damage – but with foresight and preparation, it doesn’t have to be fatal. As we’ve learned, leadership plays a critical role in these moments. A board that treats cyber risk as a core business issue, invests in addressing vulnerabilities, rehearses its response, and plans for continuity under pressure will be far better positioned when the “digital storm” hits.

Perhaps the most important lesson is to take collective action before a crisis strikes. Don’t wait to learn about your company’s breach from the morning headlines or breaking news alerts. Heed the lessons shared by those who’ve already been through the fire.

At MTI Technology, we partner with boards to deliver robust cybersecurity strategies tailored to today’s threats. Our expertise in risk governance and infrastructure modernisation can empower organisations to prioritise and achieve true cyber resilience. Discover how MTI can support your board’s cybersecurity efforts.

Take proactive steps now – because cybersecurity leadership starts in the boardroom.