6 hours ago
9
Shouldn’t a robust IT system be able to withstand the odd “human error”, such as somebody at a third-party supplier being hoodwinked by devious cybercriminals? Isn’t £300m at the expensive end for these events? And should it really take four-and-a-half weeks, and counting, for one of the UK’s biggest and well-resourced retailers to restore its website to working order?
The response of Marks & Spencer’s chief executive, Stuart Machin, to such questions ran along these lines: the incident had nothing to do with underinvestment in IT; everyone is vulnerable; M&S was unlucky; the “moment in time” will pass and everything will be back to normal by July at the latest.
after newsletter promotion
Too complacent? Marking his own homework? Well, before joining the chorus that says M&S should have been better prepared, one should probably say that assessing corporate responses to these cyber-attacks is impossible from the outside. M&S can’t share the full details of what happened, just as nobody ever does. One suspects its reaction was better than most, but there isn’t a league table to consult. We will have to wait to see what, if any, fine is dished out by the Information Commissioner’s Office for breaches of customers’ data.
But Machin is probably on safe ground with his “bump in the road” financial thesis. If the top-line hit of £300m can be whittled down to £150m-ish after the arm-wrestle with the insurers plus management of costs “and other trading actions”, one is looking at a number that, while large, is a long way from upsetting M&S’s broader revival.
This is a group that has just reported a 22% jump in underlying pre-tax profits to £876m, its best result in 17 years, and the balance sheet these days is a model of conservatism, showing year-end net cash of £438m ignoring lease liabilities. As long as the IT/cyber issues are contained and fixable, M&S can handle the financial blow. The website, which is where the crisis was concentrated (and still is), accounts for only a tenth of sales. Ensuring it comes back reliably, as opposed to prioritising absolute speed, sounds sensible.
It is hard to know how customers will react, of course. Machin probably shouldn’t place too much weight on the fact that many are telling him they’re terribly supportive; the ones to worry about are the non-communicative sort. “We are nervous that customers will have their long-term habits changed,” says Jonathan Pritchard at the broker Peel Hunt. It’s a legitimate concern but, equally, it’s entirely possible that customers take a sanguine view and carry on as before. Most of us, let’s be honest, aren’t making amateur IT appraisals when we shop.
The show of corporate confidence – plus the forecast-beating pre-attack profit numbers – were enough to repair some of the damage to the share price. It rose 2.5% on Wednesday, meaning it’s down a net 8% since the Easter cyber villainy. That reaction feels roughly right. This was a severe incident, it’s embarrassing and it’s not yet over. But if £150m is the ultimate one-off net cost to M&S – and, crucially, if there is no repetition – the roof has not fallen in.
