Preparedness and Principles – Governance, IR Retainers, and the Ransom Question

Part 4 of Our Series on the 2025 M&S and Co-op Cyber Incidents

In Part 3, we examined how network segmentation and legacy management shaped the very different impacts of the April 2025 cyber-attacks on Marks & Spencer (M&S) and the Co-op Group. The same attacker used near-identical social engineering tactics to breach both retailers, but Co-op’s segmented design meant the breach was contained with minimal disruption, while M&S’s interconnected legacy environment required widespread shutdowns.  

However, architecture is only part of the resilience equation. In Part 4, we turn to leadership, preparation, and principles – the human and organisational factors that can decide how effectively an incident is managed and how the company is perceived during and after the crisis. 

Governance in Practice: Rehearsal vs Recognition

The Co-op’s preparedness was no accident. As revealed in the 8 July 2025 Parliamentary hearing, Co-op had rehearsed this exact scenario at both board and operational levels. Rob Elsey, the Co-op’s Chief Digital Information Officer, described how the organisation had run “red-team” simulations and full leadership crisis exercises. These weren’t tick-box compliance exercises. They were hands-on, cross-functional rehearsals that helped everyone understand roles, decision pathways, and continuity options under duress.  

When the real attack struck, that preparation paid off. Elsey and Dominic Kendal-Ward, Co-op’s Group General Counsel, noted that many functions were able to switch to manual processes. Distribution centre staff reverted to pen and paper; funeral care teams maintained service with paper-based backups. This wasn’t improvisation – it was trained muscle memory.  

Meanwhile, M&S also had governance frameworks in place. Chairman Archie Norman explained that cyber risk sat at the top of the board’s risk register. The Audit & Risk Committee had invested heavily in cyber security, tripling cyber headcount and doubling cyber spend in the two to three years prior. However, when the incident struck, it became clear that governance plans didn’t translate into seamless execution. While M&S managed to keep stores running and call an emergency meeting quickly, there were signs that the response was more reactive than rehearsed.  

In short: Co-op ran scenarios so that its response felt familiar. M&S recognised the risk but didn’t appear to have fully stress-tested its readiness. 

Retained Expertise: Partners Ready to Deploy

One of the clearest technical differentiators between the two responses was Co-op’s use of a pre-arranged incident response retainer.  

As Elsey testified, Co-op had contracted with digital forensics and cyber response experts well before the attack. By Day 2, those teams were already on site, working in tandem with Co-op’s internal response effort. This not only accelerated containment and recovery but allowed the Co-op to maintain control of the narrative. They didn’t scramble to procure help mid-crisis, since they had already done the legwork.  

M&S also engaged external advisers, including law enforcement and the NCSC, and even liaised with the FBI via its security consultants. However, the hearings gave no indication that M&S had a pre-agreed IR retainer in place. That doesn’t mean support wasn’t good, but it may not have been immediate. If contracts, access, or NDAs had to be negotiated during the attack, even minor delays could have made a major difference to attacker dwell time and recovery planning.  

This reinforces a critical principle for security leaders: you should know who you’ll call – and have them under contract – before the breach. 

The Ethics of Paying Up

Co-op and M&S were asked directly whether they paid.

Co-op’s answer was unequivocal. “No, it was not. We did not pay a ransom, and nor did we contemplate or at any point discuss paying a ransom,” said Kendal-Ward. “We did not engage at any point with the criminal attackers”. This aligns with UK law enforcement guidance, which advises against paying under any circumstances, and underscores the Co-op’s values-based stance on not fuelling the criminal economy.  

M&S took a different approach. When asked directly by MPs if a ransom had been paid, Archie Norman refused to confirm or deny. “We have passed all of the information we have to the authorities… We don’t think it’s in the public interest to go into that subject,” he told the Committee.  

This vagueness, while legally prudent, opened the door to speculation. One MP had already suggested in the Commons that a UK company had recently paid “a very large sum to its blackmailer”, leading many to infer that M&S may have at least considered it. If so, it’s understandable. With millions in revenue bleeding out every week, paying might have seemed like the fastest route to resolution.  

Still, Co-op’s clarity offered a reputational benefit. They could stand in front of customers and regulators and say: we refused, we stood our ground, and we still won.  

For security leaders, this highlights a vital need: set your ransomware response policy in advance. When emotions are high, systems are down, and pressure is mounting, the worst time to make a principled decision is in the heat of crisis. 

People and Principles Go Hand in Hand

The common thread through all of this isn’t just governance or tooling – it’s leadership culture.  

Co-op’s security strategy wasn’t just technical; it was organisational. It involved the legal team, operations, comms, and executives in a collective understanding of what risk looks like – and what resilience requires. As a result, they were unified, calm, and clear-headed under pressure.  

M&S, for all its investment, felt more fractured in the hearings. They were transparent and committed, but perhaps not as unified or practised in real-world cyber crisis response. Their tone was one of learning through fire rather than executing a plan they’d already internalised.  

That’s a powerful lesson: cyber resilience is as much about behaviour and coordination as it is about tooling and spend. 

Five Takeaways for Security Leaders

  1. Run realistic simulations – not just for technical teams, but across executive, legal, and operational functions.  
  2. Secure an IR retainer contract – have forensics and response experts pre-contracted and ready to engage instantly.
  3. Define your ransom policy now – make it a board-level, values-based decision well before you’re under pressure.  
  4. Invest in decision-making protocols – incident command structures and escalation paths must be understood by all.  
  5. Make governance active, not passive – don’t just list cyber on the risk register. Practise what will happen when it moves to the top of the agenda. 

Final Thought

When a cyber crisis strikes, governance makes the difference between reaction and resilience. Effective leadership isn’t just measured by how your organisation performs technically, but in how you create confidence, clarity, and capability during even the most chaotic moments.    

The Co-op’s experience shows what’s possible when leadership is proactive and practised. M&S’s challenges highlight where improvement is needed. For IT leaders, this is the time to evaluate – if a cyber-attack hit today, is your governance ready?    

MTI works with organisations across sectors to design resilient governance frameworks, run realistic simulations, and establish retained incident response agreements. By partnering with MTI, security leaders can turn preparation into practice and ensure that when the unexpected happens, their teams respond with confidence. 

Our series concludes next with a detailed exploration of measuring the true cost of recovery – from financial impacts to reputational risks. Stay tuned. 


Ready to strengthen your cyber resilience? Contact MTI today to start the conversation.