A succession of high-profile ransomware incidents has affected leading UK retailers over the past fortnight, disrupting operations at Marks & Spencer, the Co-operative Group and Harrods. Although no direct link between the incidents has been proven, the pattern is familiar: initial foothold, rapid lateral movement, and, when detected, a scramble to keep trading while restoring faith with customers, regulators and investors. These events highlight the sector’s exposure to sophisticated, financially motivated threat actors and the speed at which an operational issue can escalate into a legal and regulatory crisis.
Absolute immunity from cyber risk is unattainable; a decisive, well-rehearsed response is not. This article briefly sets out an eight-point framework for boards and senior management to deploy when preparing for - or responding to - a cyber or data security incident.
A successful cyber attack can leave an entire IT system unavailable in the immediate aftermath, so your business should pre-select a core incident response team and establish in advance the secure channels, independent of the affected systems, through which its members will communicate.
When key IT systems are out of action, the swiftest way to confirm the breach and pinpoint the exploited vulnerabilities is usually to engage incident-response specialists. It is just as important to know, ahead of time, which specialists can support the management of reputational fallout and how your insurers are likely to respond.
It is important to instruct external counsel at the outset so that investigations, ransom deliberations and board discussions benefit from legal professional privilege and, where relevant, litigation privilege, and so that any disclosure obligations that arise are confirmed early.
An effective communications plan is very important, particularly when the breach extends beyond your own systems and directly touches customers or other data subjects.
Attackers often compound the damage by sending follow-up login attempts or extortion emails, so authoritative, coordinated messaging is essential to stem secondary harm. UK GDPR obliges you to notify affected individuals, and contractual undertakings mean that customers and supply chain partners will also expect prompt, transparent updates. Accordingly, you should designate in advance who has authority to draft and approve statements, determine the channels for dissemination, and ensure that internal briefings mirror the external narrative so that every audience receives timely, consistent information.
A data incident - whether it involves unauthorised disclosure, alteration or simply a period of inaccessibility - can trigger mandatory reporting duties. In most circumstances the Information Commissioner’s Office must receive notice under the UK GDPR, and parallel obligations may arise for other oversight bodies such as the FCA, Ofcom or sector-specific regulators.
Notifications should be drafted and dispatched promptly, giving each regulator sufficient detail to assess the incident and determine any follow-up action.
Because extortionate cyber attacks invariably entail criminal conduct, the matter should be reported to law enforcement without delay - via Action Fraud, the UK’s national clearing house for fraud and cyber crime. Victim organisations must also recognise that settling a ransom demand can itself constitute an offence, potentially transforming the target into a perpetrator.
Many businesses maintain cyber or blended insurance programmes that respond both to the incident itself and to the resulting financial exposure. Such policies typically reimburse first-party losses - business interruption shortfall, restoration expenses and, where lawful, ransom payments - as well as third-party liabilities, including data subject claims, subrogated property damage actions and regulatory defence costs. Coverage is not automatic: wordings usually impose stringent, sometimes same-day, notification and co-operation requirements. Timely, documented notice allows the insurer to investigate, deploy its panel experts and confirm indemnity; delay or non-compliance can jeopardise recovery.
Depending on the circumstances, you may be contractually bound to alert key stakeholders - such as lenders, insurers and critical suppliers - when a breach occurs. Insurance policies, loan agreements and supply chain contracts often contain stringent “prompt notification” and cooperation clauses, so those documents should be checked in advance and the relevant parties informed without delay.
For tailored advice on refining your cyber resilience strategy or managing an ongoing incident, please contact David Varney (Partner) in Ashfords’ cyber security team.