UK retailer M&S recently suffered a cyber-attack, with online orders, remote workers, and contactless payments all impacted. What are the best practices for companies to follow in the wake of a cyber incident?

Cybercrimes are more prolific than ever. More than 4,000 cyber-attacks take place every day, equivalent to one every 14 seconds.
Half of UK businesses experienced a cyber-attack in 2024, and recent attacks have impacted Barclays, local councils, and schools.
UK retail behemoth Marks & Spencer reported on 23 April 2025 that it had suffered a “cyber incident” and advised customers that they could continue to shop on its website and app, but stopped taking contactless payments.
Two days later, M&S paused orders from its websites and apps and announced it was not accepting gift cards, e-gift cards and credit receipts as a payment method in store or online.
The company reportedly locked some of its remote staff out of its IT systems as it sought to contain the fallout from the attack. Meanwhile, M&S told agency workers at its main warehouse in the UK to stay home on 28 April 2025, with the company still feeling the impact of the cyber-attack almost a week later.
The company’s share price has fallen 9% since it announced the cyber-attack.
As of 28 April 2025, the cause of the incident has not yet been reported.
Governments are stepping up the fight against cyber-attacks. EU Member States had until 17 October 2024 to transpose the EU’s Network and Information Security Directive (NIS2) into local legislation. Recently, the UK government set out legislative proposals for the Cyber Security and Resilience Bill (CSRB) which will be introduced to Parliament during 2025.
Lexology PRO takes a look at M&S’ response to the crisis and best practices other companies should consider following a cyber-attack.
What are the best practices for other companies following a cyber-attack?
Each jurisdiction will have distinct requirements for incident reporting and cybersecurity measures, making it crucial for companies to stay abreast and compliant with the specific legal frameworks in which they operate.
Failure to adhere to local laws can result in significant penalties, reputational damage, and operational disruptions. Therefore, developing a robust incident response plan that incorporates legal advice and aligns with the specific regulatory requirements of each jurisdiction is essential for mitigating risks and ensuring swift, compliant action during a cyber incident.
Businesses should consider the following when planning how to respond to a cyber-attack.
Reporting obligations
To effectively manage reporting obligations, companies should implement robust internal mechanisms and preparations. This should include clear procedures for reporting potential cyber incidents internally and externally.
Companies operating globally must adhere to diverse reporting obligations depending on the jurisdiction. These obligations can vary significantly, requiring tailored approaches to ensure compliance.
In-house legal and compliance teams should understand the reporting obligations of their business and the timeframes to deliver information.
The EU’s NIS2, for example, imposes strict reporting requirements on entities. Entities must submit an incident notification without undue delay and within 72 hours of becoming aware of a significant incident. Companies should submit a final report no later than one month after the incident notification.
In the UK, the upcoming CSRB is also set to strengthen incident reporting requirements. The bill is aligned with the NIS2 and will require businesses to report significant incidents within 24 hours of becoming aware, followed by a detailed incident report within 72 hours. The bill also includes additional transparency requirements for digital services and data centres.
For any cyber-attack that results in a data breach, UK companies must inform the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. If the breach poses a high risk to individuals’ rights and freedoms, affected individuals must also be informed without “undue delay”.
In the wake of its recent cyber-attack, M&S reported the incident to the UK National Cyber Security Centre (NCSC), whilst the National Crime Agency announced it was working with the NCSC to support M&S. The ICO announced it was “assessing the information provided” after M&S informed it of the incident.
Incident response plans
Companies should have an incident response plan to minimise the impact of cyber-attacks, helping to resume normal operations as quickly as possible.
These plans should detail the members of the incident response team, their roles, responsibilities, and contact information. This could include members of the IT team, as well as senior directors or in-house legal and compliance professionals. Each member of the group should understand their place on the team and what they need to do in the event of a cyber-attack.
These plans should also address the severity of the incident, to allow the team to determine how urgent the response should be.
The specifics of what should be included in an incident response plan will depend on the size of the business, but the UK NCSC suggests that it includes key contacts, escalation criteria, flowcharts, and guidance on legal or regulatory requirements. According to the NCSC, an enhanced plan should include checklists, documentation and tracking of the incident and post-incident reviews, as well as playbooks or guidance on specific types of incidents.
In addition to incident response plans, business continuity plans provide a detailed strategy and set of systems designed to ensure a company can prevent or rapidly recover from a significant disruption to its operations, such as a cyber incident.
Any crisis management plan should be flexible enough to suit the needs of any particular crisis since it is impossible to predict the exact incident and its impact on the business. In-house legal and compliance teams should regularly review these plans to ensure they are still fit for purpose.
Post-incident reviews
A thorough post-incident review is crucial for companies to learn from cyber-attacks and enhance their resilience. This process involves an objective analysis of the incident, including what happened, how it was detected, and the response actions taken.
Even after most IT systems and applications have resumed normal functionality, there may still be residual effects or impairments within the business. Identifying and addressing these lingering issues is essential for full recovery. Companies can use methods such as the five whys or fishbone diagrams to identify the root cause of the incident.
The recovery phase also provides businesses with an opportunity to reassess, reorganise, and enhance their IT security measures, update outdated systems, and implement new technologies to improve the company’s cyber and data security.
Communication strategies
Businesses should communicate quickly after the incident has been identified, for instance in the form of a holding statement to acknowledge that a cyber-attack has occurred and to reassure customers that the IT team is working on a resolution.
For instance, M&S issued a press release soon after it identified the cyber incident and distributed the message on social media to reach as many customers as possible. The message was consistent across these platforms.
Companies should try to avoid using technical jargon in these communications. Instead, businesses should focus on using clear language that all customers and stakeholders will understand.
Many businesses choose to appoint internal or external communications specialists to assist them in planning for breach incidents by implementing a clear, transparent communication strategy.