Marks & Spencer’s Cyber Incident Recovery
Can a solid IT system withstand an unusual “human error,” such as one caused by a third-party supplier influenced by cybercriminals? Isn’t it surprising that this situation could potentially cost as much as £300 million? It took Marks & Spencer, one of the UK’s largest retailers, four and a half weeks to get their website back to functioning properly.
CEO Stuart Machin addressed these concerns. He emphasized that the incident wasn’t due to a lack of investment in IT and noted that every company is at risk. M&S just happened to be unlucky in this instance. He referred to it as a “momentary moment,” suggesting that things would return to normal by July at the latest.
Now, do we want to critique M&S’s preparedness? It’s perhaps not entirely fair without knowing the full scope of their response to such cyberattacks. They can’t disclose specific details, which makes evaluation tricky. Their response seems to have been more effective than many others, but there’s no standard to measure against. For now, they await potential fines from the Information Commissioner’s Office regarding customer data breaches.
Financially, there seems to be a buffer. If M&S manages to trim the potential £300 million hit down to around £150 million through negotiations with insurers and cost management measures, it could significantly lessen the impact on their overall business recovery.
The company recently reported a 22% rise in underlying pre-tax profit, totaling £876 million, which is the highest since 2017. Their balance sheet appears quite conservative, showing net cash at the year’s end while disregarding a £438 million lease liability. Provided they effectively manage and resolve their IT and cyber issues, M&S should withstand economic shocks. Their website sales represent only a fraction of their overall revenue, so ensuring a cautious comeback rather than rushing seems prudent.
It’s hard to gauge customer reactions, though. M&S might be reading too much into the supportive feedback they receive. The real concern is whether the disruption will affect long-standing customer habits. Jonathan Pritchard from broker Peel Hunt touched on this point, and it’s a valid worry. Yet, it’s also possible customers may revert to their previous positive sentiment. Most shoppers aren’t really experts in assessing such situations.
The company’s reputation, along with its profits from past incidents, helped mitigate some of the stock’s losses, leading to a 2.5% increase on Wednesday. Nonetheless, shares have dropped about 8% since the cyberattack over Easter. It feels like the response has been handled reasonably well. This was undoubtedly a significant and embarrassing incident, and it’s not fully resolved yet. However, if M&S’s final costs amount to £150 million—and if they can avoid a repeat incident—don’t count them out just yet.





