The cyberattacks on Marks & Spencer (M&S) and the Co-operative Group (Co-op) serve as stark reminders that third-party cyber risk is not an IT issue; it is a board-level governance failure. As reliance on external service providers increases, so too does the exposure to threats beyond an organisation’s direct control. The consequences of these incidents, both financial and reputational, demand a systemic shift in how businesses and security professionals approach vendor risk, compliance, and the value of information governance. We need to remember that compliance is not the ceiling; it is the starting point.
Contracts alone don’t secure your data
While contracts are an essential tool in managing third-party risk, their efficacy is often undermined by a lack of integration with real-world security practices. All too often, contracts are drafted without the input of information security professionals or are overly reliant on vague, unenforceable clauses such as “appropriate” or “reasonable” security measures.
If your supplier contracts do not:
- Involve information and cybersecurity experts in drafting or reviewing.
- Clearly define minimum, auditable security standards.
- Include enforceable provisions for regular assessments and breach reporting.
…then you are operating on legal fiction, not risk control.
M&S and Co-op: The High Cost of Inaction
The 2025 breach at M&S exposed personal data of 9.4 million customers and disabled online operations for over three weeks. Financially, this translated into losses of approximately £40 million per week and a £1.3 billion drop in market capitalisation due to a 16% fall in share price (The Times, 2025; Financial Times, 2025).
Co-op’s ransomware incident caused severe logistics disruption, payment failures, and daily revenue losses of £43 million at its peak (Computing, 2025). In both cases, the breaches were facilitated through third-party systems, highlighting systemic failures in supply chain security governance.

Reframing cybersecurity as a strategic investment
Many organisations still perceive data protection and compliance as cost centres. This is a critical failure of positioning by the very professionals responsible for these domains.
Security and data protection professionals must become commercially fluent. If the executive team sees information security as a regulatory hurdle rather than a strategic asset, then the profession has failed to communicate its value proposition.
Ask this: Could your organisation survive losing £40 million per day in revenue? If not, then the business case for investment is clear.
As the adage goes:
“If you think compliance is expensive, try non-compliance.”
According to Gartner (2024), third-party breaches cost organisations 40% more on average than internal ones. Bitsight (2024) reported that implementing a structured third-party security monitoring programme yields a 297% return on investment and reduces breach probability by 45%.

Enhanced Recommendations for Boards and Security Leaders
To address these systemic weaknesses, organisations must operationalise third-party security and professionalise their security leadership. This requires a blend of governance, technical controls, and cultural change.
Embed Security in Legal and Procurement Functions
- Involve information security experts in contract development and supplier due diligence.
- Mandate explicit, measurable controls in all third-party agreements (e.g., ISO 27001 certification, audit rights, breach notification SLAs).
- Ensure risk clauses are actionable and tied to service levels and indemnities.
Formalise Third-Party Assessment Programmes
- Conduct structured due diligence pre-engagement, including threat modelling and maturity assessments.
- Require annual or biannual audits, with clear metrics and remediation deadlines.
- Implement continuous monitoring tools (e.g., security scorecards or real-time risk intelligence feeds).
Strengthen Organisational Training and Competency
- Baseline training in information security principles is no longer optional.
- All information governance, data protection, and risk professionals should, at a minimum, hold the BCS Foundation Certificate in Information Security Management Principles (CISMP).
- This country-neutral qualification, delivered by providers such as the Data Privacy Advisory Service, establishes essential knowledge in risk management, governance, compliance frameworks, and threat modelling.
- Boards and senior management should also undertake security awareness training tailored to strategic decision-making and regulatory accountability (e.g., GDPR, NIS2, DORA).
Develop Business Case Competency Across Security Teams
- Train security leaders to articulate ROI using financial language and quantitative risk modelling.
- Present clear loss scenarios and breach impact models to support investment requests.
- Align security projects with broader business objectives—customer trust, operational resilience, and ESG governance.
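A loss-scenario model of the kind the bullets above call for, added here as an illustration and not taken from the article: it puts the article's own figures (about £40 million per week of lost revenue over a three-week outage, and a 45% cut in breach probability from a monitoring programme) into an annualised-loss calculation, with the baseline breach probability, fixed response costs and programme cost as labelled assumptions.

```python
"""Expected-loss and ROI model for a third-party breach scenario.

Added illustration, not the article's own material. Revenue-loss and
outage figures follow the article; the baseline probability, fixed costs
and programme cost are assumptions for demonstration only.
"""
from dataclasses import dataclass
import random


@dataclass
class Scenario:
    annual_breach_probability: float  # assumed chance of a third-party breach per year
    weekly_revenue_loss: float        # pounds lost per week while operations are down
    outage_weeks: float               # expected length of disruption in weeks
    fixed_costs: float                # assumed response, legal and notification costs


def single_loss_expectancy(s: Scenario) -> float:
    """Loss from one occurrence (SLE): outage revenue loss plus fixed costs."""
    return s.weekly_revenue_loss * s.outage_weeks + s.fixed_costs


def annualised_loss_expectancy(s: Scenario) -> float:
    """ALE = annual probability of occurrence x loss per occurrence."""
    return s.annual_breach_probability * single_loss_expectancy(s)


def programme_benefit(base: Scenario, probability_reduction: float, programme_cost: float) -> dict:
    """ALE before and after a control that cuts breach probability, and the ROI."""
    mitigated = Scenario(base.annual_breach_probability * (1 - probability_reduction),
                         base.weekly_revenue_loss, base.outage_weeks, base.fixed_costs)
    ale_before = annualised_loss_expectancy(base)
    ale_after = annualised_loss_expectancy(mitigated)
    avoided = ale_before - ale_after
    return {"ale_before": ale_before, "ale_after": ale_after, "avoided_loss": avoided,
            "net_benefit": avoided - programme_cost,
            "roi": (avoided - programme_cost) / programme_cost}


def simulate_loss_distribution(s: Scenario, years: int = 10000, seed: int = 1) -> dict:
    """Monte Carlo over outage length, so the board sees the tail, not just the mean."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        if rng.random() < s.annual_breach_probability:
            weeks = rng.expovariate(1 / s.outage_weeks)  # outage length varies around the mean
            losses.append(s.weekly_revenue_loss * weeks + s.fixed_costs)
        else:
            losses.append(0.0)
    losses.sort()
    return {"mean": sum(losses) / years, "p95": losses[int(0.95 * years)], "worst": losses[-1]}
```

The mean from the simulation should track the closed-form ALE, while the p95 and worst-case figures give the loss scenarios a board can weigh against the programme cost.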
Create a Cyber-Resilient Culture
- Position third-party risk as an enterprise risk, not just a technology concern.
- Integrate cybersecurity into enterprise risk management (ERM) frameworks and internal audit programmes.
- Ensure board-level visibility of third-party risk exposure and mitigation progress.

Conclusion
The M&S and Co-op breaches expose a truth that can no longer be ignored: failure to manage third-party risk is not a technical lapse—it is a strategic failure. Yet these events also highlight a path forward. By embedding third-party security into core governance processes, investing in commercial and professional development for data professionals, and reframing security as a business enabler, organisations can turn a traditional cost centre into a source of measurable, long-term value.
Now is the time for data protection and information security leaders to stop just enforcing rules and start writing business cases.
By Nigel Gooding
LLM Information Rights Law & Practice. FBCS, PG Dip Information Rights Law and Practice, PG Cert Data Protection Law and Information Governance, PG Cert Management
References
- Bitsight (2024) Bitsight Delivers 297% ROI and Reduces Breach Risk by 45% with Security Performance Management. Available at: https://www.bitsight.com/press-releases/bitsight-delivered-297-roi-reduced-probability-cyber-security-breach-45-across-first-and-third-parties
- Computing (2025) Five cyber tools Co-op used to defeat ransomware attack. Available at: https://www.computing.co.uk/news/2025/security/five-cyber-tools-co-op-used-to-defeat-ransomware-attack
- Financial Times (2025) M&S chief executive faces £1.1mn pay hit after cyber attack. Available at: https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
- Gartner (2024) Cybersecurity Risks in the Digital Supply Chain. (Internal report, cited with permission).
- The Times (2025) M&S bosses under fire after ‘damaging and embarrassing’ cyberattack. Available at: https://www.thetimes.co.uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds
- Data Privacy Advisory Service (2024) BCS Foundation Certificate in Information Security Management Principles. Available at: https://www.dataprivacyadvisory.com