Marks and Spencer Group plc – Annual report – 28 March 2026
Industry: retail
PRINCIPAL RISKS AND UNCERTAINTIES (extract 1)
Cyber-security incident and response
At the start of the year, we experienced a cyber-security incident that resulted in unauthorised access to parts of the technology environment. This occurred against a backdrop of increased cyber crime activity across the retail sector.
Cyber-security remains integral to the Group’s operations and transformation and the Group responded promptly by activating established incident and crisis management arrangements, supported by external experts. Immediate actions focused on:
- Containing the threat.
- Safeguarding customers and colleagues.
- Protecting critical systems and data.
- Enhancing monitoring and detection capabilities to improve visibility of malicious activity.
- Strengthening recovery arrangements for the restoration of services.
A longer-term security enhancement programme was established, bringing together existing security improvement activity and incident‑driven actions to strengthen our cyber-security posture.
The programme has executive sponsorship and ongoing oversight through a number of governance forums: Security Committee, Executive Risk & Compliance Committee and Audit & Risk Committee, as well as the Board.
Cyber-security remains a Principal Risk for the Group, reflecting the changing external threat landscape and the complexity of a modern retail technology environment. Our ongoing risk mitigations are set out on page 45.
PRINCIPAL RISKS AND UNCERTAINTIES (extract 2)


AUDIT & RISK COMMITTEE REPORT (extract 1)

AUDIT & RISK COMMITTEE REPORT (extract 2)
Cyber incident
In April 2025, the Group experienced a cyber incident that led to temporary disruption to some of its services, processes and systems, as a result of our proactive management of the incident to protect customers, suppliers, colleagues and the business.
The Committee received updates on engagement with external cyber-security experts which included engagement with the relevant authorities, including reporting the incident to the National Cyber Security Centre and the UK’s Information Commissioner’s Office (ICO), as well as the work undertaken to restore our networks and systems, support business operations through manual and alternative processes, and management’s actions taken to support interim processes with robust interim controls.
The Committee also reviewed management’s assessment of the financial reporting implications of the incident. This included the treatment of certain costs directly related to the incident as adjusting items and the oversight of additional temporary controls put in place to maintain the completeness and integrity of the Group’s financial records, allowing the Committee to be satisfied that the financial statements give a true and fair view of the Group.
In addition, to support the Committee’s understanding and conclusions on the impact of the incident and monitoring of the business recovery, the Committee considered updates and documentation provided by management on the incident, and subsequent recovery. This included input from the Group’s in‑house Digital & Technology team and external advisers. This was considered alongside management’s assessment of going concern and long‑term viability, and whether related disclosures in the Half Year Results and Annual Report are clear, fair, balanced and understandable.
AUDIT & RISK COMMITTEE REPORT (extract 3)
Internal control environment (extract)
Effectiveness
The Committee considered whether the Group’s framework of internal controls operated effectively throughout the financial year 2025/26. Instances where the effectiveness of internal controls was deemed to be insufficient were discussed during the year, either by the Committee or the Board, and the resulting improvement plans were monitored. The Committee also considered the controls findings raised in the Independent Auditor’s Report on pages 99 to 111.
In April 2025, the Board and the Committee were made aware of a cyber incident impacting the business and the steps taken by management to protect the business’ systems, customers and data. Members of the Committee were in regular formal and informal communication with management and Deloitte throughout the year. In particular, they were kept informed on the impact of the cyber incident on the control environment and effectiveness of any interim controls, as well as the roadmap to restoration of pre-incident norms. The Committee received regular updates on priority control activities focused on:
- Identifying a subset of priority controls for recovery from our population of key controls.
- Redeployment of resource from the Financial Controls and IA&R teams to support documentation of interim processes with appropriate controls in place.
- Restoration of business-as-usual control activities and the transfer of any remaining interim control processes back to pre-cyber incident norms by the end of the financial year.
Significant work was undertaken throughout the year to maintain and enhance the overall system of internal controls, both as part of the restoration of control activities to pre-cyber incident norms, and the business’ Provision 29 readiness activities (see more on page 62), so as to give the Committee assurance on the effectiveness of the internal control environment as at the balance sheet date.
Page 62 (extract)

NOTES TO THE FINANCIAL STATEMENTS (extract)
5 Adjusting items (extract)
The total adjusting items reported for the 52-week period ended 28 March 2026 is a net charge of £292.1m (last year: net charge of £363.7m). The adjustments made to reported profit before tax to arrive at adjusted profit are:

Costs associated with the cyber incident (£131.3m)
As announced in April 2025, the Group was the subject of a sophisticated cyber incident. During the period, the Group incurred £131.3m of material system recovery, risk management and specialist advisory costs as a direct result of the incident. £109.3m of these costs related to immediate incident systems response and recovery. Remaining charges incurred relate to third-party costs predominantly for specialist legal and professional services support.
These costs are considered to be adjusting items as they relate to incident response and recovery activities that would not have been incurred without the cyber incident.