Retailer said cost of hacks would total £300m in earnings
Our UK readers – and shoppers – will no doubt have been keeping up with the news that high-street stalwart Marks & Spencer has been targeted by a widespread cyber attack.
It comes in the same week that fellow retailer Co-op, as well as London’s luxury department store Harrods, were forced to shut down IT systems and restrict internet access to thwart similar attacks.
Speaking alongside M&S’s annual results this week, chief executive Stuart Machin said the overall impact would come to something like £300 mn due to ongoing disruption. How companies – and IR teams – can continue to react to cyber incidents like this will surely stay in the spotlight over the second half of the year.
It’s hard to plan for such situations. For one, there’s no standard playbook, as my colleague Garnet Roach discovered when, as part of her wider exploration of how IR teams can respond to cyber criminals, she spoke with an experienced IR professional whose firm was targeted in a major hack.
‘Our IT systems detected [the hack] in the middle of the night,’ the IRO explains. ‘I wasn’t immediately woken up – I just saw my messages in the morning – but I know the CEO and others were woken up in the middle of the night.’
Getting a handle on the scope of the attack is a first port of call, but the second and more crucial question is how much to say publicly.
As that same IRO put it: ‘If we underplay it, we lose credibility if it is worse than initially thought. If we present a worse outcome and it turns out to be not so bad, not only do we lose credibility again, but investors would also immediately dump the shares – at any price.’
Machin’s approach at M&S has proved that, despite the widespread disruption to the retailer’s online store and its operations, and the theft of customer data, the share price impact has been relatively dampened by a strong response: after falling to lows in the immediate aftermath, shares in the firm are trading back at expected levels, currently just 3 percent down on the year to date (and 38 percent higher than in May 2024).
Crucially, the M&S boss reassured investors this week that the cyber attack would have little impact on M&S’s long-term transformation plans, which investors have been waiting for. He also noted that M&S would overhaul some of its technology systems sooner than expected – over the next six months rather than the next two years, as originally planned.
So will other companies follow suit? Interestingly, the topic is being mentioned in a dwindling number of earnings calls, according to data from AlphaSense, which shows mentions of ‘cyber attack’ in transcripts steadily dropping between January and March 2025.
Overall, however, ‘cyber attack’ is mentioned significantly more often in major company filings, presentations and press releases in 2025 so far, a trend that looks set to continue. That suggests companies are aware of the threat, though they are not conveying that awareness explicitly to investors.
For companies wanting to stay as prepared as possible, I recommend reading the rest of Roach’s piece, which addresses the topic directly. But I’ll leave you with our anonymous IRO’s parting thoughts:
‘Our natural instinct in IR is to over-communicate: the investors are our friends, they trust us and the last thing we want to do is pull the wool over their eyes,’ they say. ‘But you also don’t want to blow it out of proportion and do irreparable harm.’
How prepared are you and your company for a cyber attack – and how do you prepare your management and board for such an event? Let us know, either via email at [email protected] or via LinkedIn.