The cyber attack on M&S, one of the UK’s preeminent retailers, is a reminder (as if one were needed) of the threat posed by hackers and the significant and multidimensional damage that can be wreaked by a data breach.

Cyber is certainly not a new threat and has featured prominently on corporate risk registers for years. However, particularly in the current climate, in which organisations are grappling with a range of challenges – such as tariffs, increased national insurance and price of materials, higher borrowing costs, and changing customer behaviour – a major data breach could be existential, potentially tipping the business into financial distress.

Research from insurer Hiscox found that one in five business owners surveyed said a successful cyber attack would render them insolvent.

It’s often said that it’s a matter of when, not if, an organisation experiences some kind of data breach. This is borne out by the statistics. According to UK government figures, four in 10 businesses (43%) and three in 10 charities (30%) reported having experienced cyber security breach or attack of some kind in the last 12 months. In other words, that’s 612,000 UK businesses and 61,000 UK charities.

M&S has said that it expects its services will be disrupted until July, with the company warning its investors that the incident will hit profits by around £300m this year – well beyond the £100m covered by its cyber insurance policy.

The vast majority of UK businesses will be smaller scale than M&S, and many will be less resilient too – in both financial and operational terms.

A successful cyber attack carries huge costs – including damage to consumer trust and brand reputation, disruption to trading, the expense of disabling and rebooting systems, and potential ICO fines, contractual claims, and consequential damages litigation brought by affected data subjects. For that reason, it’s hugely important that legal advisers are engaged to assist on mitigating the impact. Indeed, it’s best practice to bring your advisers in beforehand, to support with preparation and contingency planning. It’s better to put plans in place and not need them than not have them in place when the time comes.

Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks. We have acted on a number of cases where the unexpected financial consequences of a cyber attack have led to financial distress. Where the worst does occur, directors need to be aware of their duties and responsibilities – in particular, being aware of when the financial impact might tip their responsibilities towards the creditors if the breach creates a risk of insolvency.

In the event of financial difficulty, whatever the cause, directors need to keep their financial position under close review and show that they are actively considering the interests of the relevant stakeholders (shareholders in good times sliding towards creditors as the financial difficulties increase). If a cyber breach does trigger financial difficulty, engaging early in dealing with financial difficulties may result in a more positive outcome, as directors are more likely to have options in the early stages of financial difficulty rather than waiting until the point of no return to take action.

Related News, Insights & Events