In the news: Marks & Spencer, Jaguar Land Rover and Kido
- JLR – the attack in August 2025 abruptly halted production lines in the UK, costing the company an estimated £50 million per week and affecting its global supply chain. The disruption to manufacturing, while appearing to spare customer data, is indicative of a shift in attack strategy, from stealing customer data to causing large-scale business interruption as the primary means of extortion. It is understood that JLR has secured a £1.5 billion loan to repair the damage of the six-week shutdown.
- M&S – targeted over the Easter weekend via a third-party contractor. In response to the threat actors deploying ransomware, M&S took its networks offline while it responded to the breach. This resulted in unprecedented levels of business disruption and losses of over £300 million, over three times the available cyber insurance cover.
- Kido – the international nursery chain faced a disturbing attack where hackers threatened to expose children’s personal data. This is the first time it has been reported that threat actors have taken such highly sensitive personal data. The threat actors claimed they had deleted all the stolen data following backlash and concerns about the hacking group’s own reputation.
Operational and legal risks
The headline-hitting operational disruption caused by these attacks is only part of the story. The legal and financial risks are equally significant:
- Business interruption: it’s not just a question of managing the potential loss of intellectual property, and customer or sensitive personal data. Malware and encryption that prevents normal business operations can have a much more devastating impact on businesses, causing significant daily financial losses while the business attempts to resume operations and service.
- Brand damage: loss of customer trust can have long-term consequences, particularly for consumer-facing brands like M&S and Kido, but also for suppliers, where customers may not return following a switch to a competitor during any business interruption.
- Supply chain fragility: as seen with JLR, cyber incidents can expose significant manufacturing and supply chain vulnerability, especially in the era of digital manufacturing. Additionally, disruption can cause ripple effects and financial distress throughout a supply chain, with SMEs at risk of insolvency as a result of the disruption.
- Contractual liability: breaches can trigger claims from customers, suppliers and partners – especially where service levels or data protection obligations are not met. Where other businesses suffer a cyberattack originating from your systems, there could also be risks of additional claims for resulting losses.
- Shareholder liability: increasingly there is a risk to directors of claims by shareholders, where failures in cyber resilience amount to a breach of directors' duties. M&S saw £1.3 billion disappear from its market value following the cyberattack. Where a business incurs significant losses, the shareholders will look to the board for accountability.
- Data protection breaches: under the UK GDPR and Data Protection Act 2018, organisations must report serious breaches to the Information Commissioner’s Office (ICO) within 72 hours. Failure to do so can result in fines of up to the higher of £17.5 million or 4% of global turnover.
The Cyber Governance Code of Practice and directors' duties
In response to the ever-growing threat landscape, the UK government launched the Cyber Governance Code of Practice (the Code). The Code is designed to help directors govern cyber risks as they would any other material business risk. The Code is complemented by training and toolkits aimed at improving board-level understanding and oversight, following increasing concerns by the UK Government and security services over the level of resilience of UK businesses.
The Code aligns with directors’ duties under the Companies Act 2006, particularly the duty to exercise reasonable care, skill and diligence, and the duty to act in the company’s best interest to promote its success.
With the prevalence of cyber incidents, and increasing awareness together with available guidance, there is little excuse for directors not to be alive to the risks and to ensure that their business is sufficiently prepared to deal with a cyberattack. Where directors fail to do so, such that their failings amount to a breach of their directors' duties, they risk liability as a result of action by shareholders or, in the event of insolvency, liquidators and/or creditors.
The Code is a useful starting point, and focuses on five key governance principles and suggested actions for boards:
- Risk management – actions relating to risk assessments, keeping up to date with the changing landscape and the business’s IT security and digital assets.
- Strategy – focusing on actions to ensure the business has a prevention plan and strategy for cyber resilience.
- People – recognising that a business's people are a significant vulnerability and, more often than not, the weakness exploited by threat actors. Robust training for staff, including at board level, and process testing, not just the standard slide click-through, is needed to minimise this risk.
- Incident planning, response & recovery – ensuring your business has properly prepared to deal with a cyberattack should the worst happen, including addressing communication and regulatory obligations, as well as the immediate time critical issues as a result of the attack.
- Assurance & oversight – establishing a cyber governance structure, with engagement at board level.
With these principles in mind, here are some practical steps a board can take:
- Ownership – dedicate key individuals at board level to cyber resilience and establish systems and controls for maintaining the right level of protection and preparedness. The Government’s recent Cyber Security Breaches Survey found that only 27% of businesses had board-level responsibility for cyber security.
- Cyber risk agenda – ensure the board remains informed of cyber risks, as with any other material risk to the business.
- Incident response plan – develop a robust plan tailored to your business. Review and stress test the plan at regular intervals. The plan should cover the board’s position on key decisions such as external communications and payment of ransoms, to reduce the pressure on the board when making those decisions in real time.
- Trusted advisers – ensure you know the legal and forensic IT advisers who will be part of your incident response team should your business suffer a cyberattack. In the immediate crisis period following an attack you want to be working with individuals you trust, who know how you and your business work. That will assist directors in making decisions with confidence.
- Insurance – ensure appropriate insurance cover is in place, to protect losses caused to the business and cover the costs of response and recovery.
How can we help
Cyber risk is now a significant trend that demands urgent attention from UK businesses at board level.
Our team of experts from across the firm are here to help, bringing real-world experience and specialist knowledge to the table to make sure you find a way to solve your cybersecurity concerns.
Use our interactive cybersecurity tool to spot gaps in your defence and take the next steps to remedy them, and review our tips on how to prepare and respond to a cyberattack here.
Please contact our cybersecurity and data protection experts for support to protect your business from a ransomware attack or if you have any questions.