Recent cyberattacks targeting prominent UK retailers have exposed the far-reaching consequences of digital disruption. Helen Nuttall, UK head of cyber incident management at Marsh, explains how risk managers can enhance organisational preparedness, facilitate cross-functional coordination, and refine crisis response strategies.


The recent spate of cyberattacks on major UK retailers has starkly highlighted the impact of digital vulnerabilities.

These incidents have shown how cyber breaches extend beyond mere IT concerns, significantly affecting daily operations - evidenced by disruptions in food supply chains, payment systems, and the undermining of customer trust.


Nuttall asserts that these high-profile attacks should act as a wake-up call for all businesses, not just those in the retail sector. “The attacks have certainly raised the profile of cyber risk. The tangible human impact is evident when consumers are unable to buy their fresh bananas from their local shops.”

Preparation starts before the breach

The distinction between a crisis and a catastrophe during a cyber incident often comes down to the level of preparedness. This preparation must extend beyond the IT department. The initial response phase is critical, as it can dictate the trajectory of the recovery process.

“Preparation for these events is essential,” she explains. “It is not solely the responsibility of the Chief Information Security Officer (CISO) and their technical team; a well-rehearsed incident response team must be established across the organisation, with clearly defined roles and responsibilities.”

In several recent cases, organisations have come under criticism for their sluggish responses - highlighting the necessity for regular rehearsals of incident response plans, which should be updated in line with evolving threat landscapes.

Risk managers as co-ordinators

One of the most overlooked assets in that critical early phase is the risk manager. Rather than sitting on the periphery of cyber discussions, risk professionals possess the capability and the responsibility to unify disparate teams, drive preparedness, and ensure cohesive action during crises.

Cyber incidents can trigger a range of legal, reputational, regulatory, and financial consequences, which is why risk professionals are uniquely placed to assume leadership roles in response planning. “This is where risk managers can really shine. They can bridge the gap between various specialisms within the business and learn to speak the language of each of those stakeholders.”

Marsh’s approach is to support risk professionals in navigating these complex dynamics. “We possess sufficient technical knowledge to talk to the CISO, but we also have a legal background, so we understand the General Counsel’s concerns and priorities, while also understanding crisis response. We can help to bridge the gap between internal specialists.”

By bringing these siloes together and acting as a central communication hub, risk leaders can ensure the right decision-makers are in the room and prepared to act cohesively under pressure.

Building a better response

What constitutes effective cyber incident preparedness? In addition to the purchase of a robust cyber insurance policy, Nuttall recommends that organisations concentrate on four pillars: a current and tested incident response plan; a dedicated ransomware playbook; a pre-agreed team of external vendors; and secure, out-of-band communication protocols.

Too often, organisations assume they can manage everything in-house - a dangerous misconception that is especially common amongst large organisations. “You have to bring in specialists to support you. You need a SWAT team of expert advisors, and they need to be stood up and assisting you within that critical first 24 hours.”

This expert team should include legal advisors, public relations and crisis communication specialists, as well as digital forensics experts, all of whom must be engaged early to contain the breach and manage the fallout.

Communication methods are also critical. Sophisticated threat actors are now known to monitor internal messaging systems, using that intelligence to stay one step ahead of defenders. Nuttall cites the recent Scattered Spider attacks, where threat actors lurked in corporate Teams calls to eavesdrop on response strategies. Organisations must plan for secure, offline communication alternatives.

What to do when the worst happens

When a breach does occur, time is of the essence. “Dig out your incident response plan, mobilise the internal incident response team, and then check cyber insurance coverage,” she advises. “If you have access to a cyber insurance hotline, call it. Swift notifications and early vendor support are critical.”

Beyond response, risk professionals should be pushing for regular testing and scenario-based exercises. Studies show that organisations with well-tested incident response plans spend on average $1.5m less during a cyber incident than those without.

“Testing incident response plans and doing tabletop exercises should be integral to organisational activities,” concludes Nuttall. “Build muscle memory amongst the people that need to make those decisions.”


SR Q2 2025 Edition