Why Marks & Spencer’s £60M Breach Should Put Cyber Risk on Every CFO’s Agenda

In April 2025, Marks & Spencer, one of the UK’s most trusted retail giants, suffered a catastrophic cyber breach.

This wasn’t a fringe tech company with limited safeguards. This was a 140-year-old institution, with a global footprint and decades of brand equity.

Yet it still fell victim to a breach that led to over £60 million in lost profits, significant operational disruption, and a widespread compromise of sensitive customer data.

This is more than a story about IT failure. It’s a sobering warning to CFOs: the greatest financial risks are no longer confined to spreadsheets, forecasts, or supply chain volatility. They’re hidden in the gaps of your vendor ecosystem - especially in contract data you can’t see or control.

Why CFOs Can No Longer Delegate Cybersecurity

Cyber risk has long been seen as the responsibility of IT and CISOs. But the Marks & Spencer breach proved that isolating it from the CFO’s remit is a costly mistake.

Hackers didn’t just exploit firewalls - they exploited a systemic lack of oversight in third-party risk management.

Third-party vendors are often the weakest link in the security chain. When their vulnerabilities go undetected, the financial fallout lands squarely on the CFO’s desk.

This fallout comes in the form of:

  • Lost revenue
  • Regulatory penalties
  • Increased insurance premiums
  • Irreparable damage to investor and customer trust

Cybersecurity is as much a financial discipline as it is a technical one. And CFOs who treat it that way will be better positioned to safeguard their balance sheets.

The Financial Exposure CFOs Must Anticipate and Prevent

Marks & Spencer’s estimated £60 million in lost profits paints only part of the picture. The company’s market cap dropped by nearly a billion pounds in the days following the breach, a collapse driven not just by operational disruption but by investor fear.

Each week that e-commerce operations remained offline reportedly cost M&S £15 million. Beyond the direct hit to revenue, the breach triggered legal exposure, reputational loss, and increased scrutiny from regulators - all of which come with long-term financial consequences.

This wasn’t an isolated event. According to IBM, the average cost of a data breach globally now exceeds £3.5 million, and in highly regulated industries that figure often doubles.

For CFOs, the message is clear: cyber risk has become a board-level financial concern, demanding constant visibility and control.


The Contract and Vendor Cyber Risks Hiding in Plain Sight

Contracts are now cybersecurity assets. They contain sensitive data such as service-level agreements, customer records, and security obligations. When contracts are left unmanaged in silos, they become high-value targets for cyber attackers.

These isolated and often unprotected documents can serve as entry points for data breaches, compliance failures, and ransomware incidents. Every unmonitored contract isn’t just a risk; it’s a cyberattack waiting to happen.

Worse still, traditional cybersecurity tools rarely reach these data stores. They focus on networks, endpoints, and infrastructure rather than on the granular obligations, renewal dates, and access rights buried deep within contracts and third-party agreements.

This is the hidden black hole in most organisations’ risk frameworks. And it’s one that CFOs must address urgently if they want to avoid the kind of financial and operational chaos that hit Marks & Spencer.

How Gatekeeper Equips CFOs to Close the Cyber Security Risk Gap

1. Proactively Manage Cyber Threats with Market IQ Cyber and SecurityScorecard

Gatekeeper’s Market IQ Cyber, powered by its partnership with SecurityScorecard, provides CFOs with automated, real-time visibility into the cybersecurity posture of every vendor - without requiring manual checks or technical interpretation.

Vendors are continuously assessed and assigned a security rating, based on dozens of externally observable threat signals, including malware infections, exposed credentials, open ports, patch cadence, and more.

These ratings are automatically updated and surfaced within Gatekeeper’s platform, giving finance leaders a constantly evolving picture of cyber exposure across their vendor landscape.


What makes this powerful for CFOs is the ability to:

  • Identify high-risk vendors before contracts are signed
  • Prioritise mitigation based on risk severity and vendor criticality
  • Monitor compliance with security standards throughout the vendor lifecycle

This is proactive risk intelligence seamlessly built into your contract workflows. No delays. Just actionable insight delivered in business terms, empowering you to prevent issues before they become incidents.

2. Automate Due Diligence and Eliminate Compliance Gaps

Gatekeeper replaces fragmented onboarding processes and spreadsheet-based risk checks with automated Due Diligence Questionnaires (DDQs) that ensure consistent, rigorous vendor assessments at scale.

These DDQs are fully customisable and automatically issued to vendors based on contract type, geography, spend threshold, or risk category. Vendors complete the assessments through a centralised portal and their responses are tracked, scored, and flagged if they fall below compliance thresholds.

For CFOs, this means:

  • No more manual chasing or missed steps during onboarding
  • A full audit trail of compliance documentation and responses
  • Continuous alignment with internal controls and external regulatory expectations

It’s a zero-touch process for finance teams, but delivers a high-impact layer of assurance that ensures your organisation never skips a security check or lets risk creep in unnoticed.

3. Accelerate Insight with AI-Powered Summaries and Secure Repository

Every vendor contract, DDQ, certificate, and policy is stored in a secure, centralised repository - backed by role-based permissions and full encryption. But storage is just the beginning.

Gatekeeper’s AI-powered extract and summary capabilities let you query your contract and vendor estate in plain English. Need to find all contracts without cyber liability insurance? Or all vendors who store customer data outside the UK? Contract summaries can provide instant, precise results.


For CFOs, this delivers:

  • Immediate visibility into potential gaps in your risk posture
  • The ability to surface risky terms and obligations without legal support
  • More informed, faster decision-making when a threat emerges

No more combing through PDFs. No more waiting for reviews. Just answers, on demand.

4. Gain Strategic Control with CFO-Focused Risk Dashboards

Gatekeeper tracks risk and visualises it in a way that CFOs can act on. Its dashboards provide a real-time overview of your entire contract and vendor risk landscape, aligned to financial and strategic priorities.


With a single view, you can:

  • Monitor open risks by category, vendor, or geography
  • Track the status of due diligence and compliance workflows
  • Report on cyber risk exposure to the board or auditors with clarity and confidence

These dashboards are tools for governance and decision-making, empowering CFOs to lead on risk, allocate resources wisely, and prove to stakeholders that the organisation is in control.

The Time for CFO Leadership on Cyber Risk Is Now

The Marks & Spencer cyber breach was a financial event with board-level consequences. And it won’t be the last. As cyber threats become more sophisticated and regulatory scrutiny intensifies, CFOs can no longer afford to treat cybersecurity as someone else’s job.

The financial impact of poor vendor oversight, from operational downtime to reputational damage, is simply too high. But with the right systems in place, you don’t need to trade your strategic priorities for firefighting.

Own the risk. Protect the value. Future-proof your finance strategy. Book your demo today.

Shannon Smith

Shannon Smith bridges the gap between expert knowledge and practical VCLM application. Through her extensive writing, and years within the industry, she has become a trusted resource for Procurement and Legal professionals seeking to navigate the ever-changing landscape of vendor management, contract management and third-party risk management.
