Cybercrime

Sunday 24 May 2026

Boardroom Sensemaker: M&S’s hacking woes show cyber prepping is key

The supermarket’s pre-tax profit was down roughly a quarter on the previous year thanks to tech scammers. Boards need to prepare for the evolving risk from AI

M&S has revealed a pre-tax profit of £671m for 2025, down roughly a quarter from a year earlier, after a cyber attack last spring cost the supermarket £131m.

So what? This is not just M&S. Cybersecurity has shot to the top of boardroom agendas after a string of debilitating hacks last year knocked an estimated 0.5% off UK GDP. The release of Anthropic’s powerful Claude Mythos AI tool, which identifies cyber vulnerabilities, has also prompted regulators and businesses to begin discussing the threat should it fall into the wrong hands.

Batten down the hatches. “It’s what people are calling ‘the AI bug blizzard’,” explains Ciaran Martin, former chief executive of the National Cyber Security Centre (NCSC). “All these vulnerabilities keep getting found [by AI]. Microsoft just had a record quarter for issuing patches. Even if you have a team that is really good, doing the industry standard of getting all their patches done in 20 days, they’re going to fall over at the moment. They’re just not going to be able to do it.”

Anthropic has now agreed to brief the Financial Stability Board, the global financial watchdog, on the flaws exposed by its new tool, and has allowed 40 companies to preview the technology. It warned: “The fallout – for economies, public safety and national security – could be severe.”

But even below the systemic level, there is work to do. “More than 80% of small and medium businesses effectively have no serious cyber protection. You don’t need Mythos to exploit that. These businesses are vulnerable to quite standard phishing or other attacks,” says Richard Jeens, partner at Slaughter and May.

Getting prepped. “If you were creating a boardroom afresh tomorrow, you would have cyber as a constant standing item, scanning and understanding how it’s evolving at every step,” says Pippa Begg, chief executive of Board Intelligence. She estimates that fewer than 5% of businesses are addressing the threat so regularly.

No picnic. Even when firms do their homework, the fallout can still be disastrous. In submissions to a parliamentary committee on economic security, leaders at M&S said that in the three years leading up to the attack, the company had trebled the number of people working on cybersecurity to more than 80, doubled expenditure on cyber matters and implemented scenario planning and board-level awareness programmes.

It wasn’t enough. Attackers were able to breach M&S through its IT helpdesk run by Tata Consultancy Services (TCS) and went undetected through its systems for weeks. Then outages started and its chief executive, Stuart Machin, received a ransom note via a hijacked internal email account.

Was a ransom paid? Unknown. But chair Archie Norman said at the time that the company adopted a “hands-off approach” to negotiating with the hackers and has since called on the government to mandate companies to report ransomware attacks, so authorities can build a clearer picture of the threat and help victims better.

“There is only so much you can do against a determined adversary,” says Jeens. “It’s not necessarily: we can definitely build a wall and keep them out. It’s: if they get in, how can we limit the damage and get our business back up and running?”


What about liability? Directors won’t be liable if they stay on top of standards, hold their exec team to account and act in good faith when an attack hits. However, regulation can vary massively by jurisdiction and sector. There is a possibility that the Senior Managers Regime – a set of rules in finance that requires individuals to be personally responsible for specific areas of their firm – may be extended.

“In a world going towards more deregulation than regulation, it just heightens that judgment call of responsibility that each individual board needs to take, given their circumstances,” says Begg.

What’s more… The NCSC said it dealt with 204 “nationally significant” cyber attacks in the year to September 2025. That’s more than double the previous record of 89.

Photograph by Mike Kemp/In Pictures via Getty Images

The Observer