
You might not shop there, but you should pay attention.
Marks & Spencer, or M&S, is a British retail giant—think Macy’s meets Whole Foods. They’re one of the most recognizable names in UK retail. Hundreds of locations. Thousands of employees. Billions in revenue.
And still—completely unprepared.
Last week, an insider revealed that in the wake of a cyberattack, M&S staff were forced to operate with pen and paper. Not for a few hours. Not for a day.
Over a week.
No systems. No automation. Just paranoia, chaos—and employees literally sleeping in the office.
Why? Because they had no incident response plan. Nothing. No documented steps. No checklist. No leadership strategy to follow.
This Isn’t Just a UK Problem. It’s a Global Wake-Up Call.
For those of you outside the UK, don’t scroll past this story thinking, “That could never happen here.”
That’s exactly the mindset that’s making you a bigger target.
Here’s the deal:
If you’re in Canada, Europe, or any region where compliance is still treated like a checkbox and cyber insurance is considered optional, guess what?
You’re now a bigger bullseye than the United States.
Why? Because hackers follow the same logic any criminal does—they go where the alarms are off and the doors are unlocked. And right now, too many businesses outside the U.S. are still playing catch-up when it comes to cybersecurity readiness.
Hackers know this. They see it in your slow MFA rollouts. They see it in your untested backups. They see it when your policies are written once, printed, and shoved in a binder.
Marks & Spencer is just the canary in the coal mine.
Cyber Insurance Denials Start with a Missing IR Plan
We don’t know if M&S had cyber insurance. We don’t know if their claim was denied.
But we do know this:
Cyber insurance claims get denied when you file one without a documented, written incident response plan.
So let’s not pretend we don’t know where this is going.
Insurers are no longer in the business of handing out blank checks. They are in the business of finding just enough reason to walk away from your claim—and a missing IR plan is Exhibit A.
51 Days of Chaos—or 20 Days of Control
Recovery times tell the real story:
- No plan? You’re looking at 71 days of scrambled communication, makeshift systems, and business at a standstill.
- With a tested plan? You’re back on your feet in 20 days.
That’s a 51-day gap. And every one of those days costs you money, clients, and reputation.
Marks & Spencer didn’t just lose operational capacity—they lost control. They lost trust. And they gave the world a masterclass in how not to respond to a breach.
No Plan = No Protection = No Business
Downtime is only part of the damage. The bigger problems come after:
- Regulatory fines when you can’t show what steps you took.
- Lost future revenue when customers defect during the outage.
- Legal exposure when your “best effort” can’t be proven.
- Insurance denial when you can’t hand over a plan.
This isn’t paranoia. It’s precedent. These are the exact reasons claims get denied and lawsuits get filed. When investigators show up, they aren’t asking if you meant to do the right thing. They want documentation.
If you don’t have it, you’re the one getting sued. You’re the one who looks negligent. You’re the one paying for it.
If M&S Can’t Handle This, Can You?
M&S is a billion-pound retailer. They’ll recover—eventually.
But your business?
Can you absorb 51 days of downtime? Can you operate without systems, documentation, and trust from your customers? Can you survive the audits, fines, and PR fallout?
Or will you end up scribbling orders on napkins, praying the next call isn’t from your insurer—or your attorney?
Here’s What You Can Do Right Now
If you don’t have a documented, tested incident response plan, let’s fix that. Immediately.
We help businesses:
- Build IR plans that pass legal and regulatory scrutiny
- Document decisions in a way that insurance carriers can’t ignore
- Run tabletop exercises to test your readiness and expose the holes before attackers do
This isn’t theoretical. It’s operational survival.
Book a meeting with us. We’ll walk you through what your plan should include, what your insurer expects, and how to build a response strategy that doesn’t crumble under pressure.
Because “no plan” isn’t just bad strategy.
It’s a countdown to catastrophe.