Crisis Managed: A Cybersecurity Response Story

When news of the M&S cyberattack broke, it struck a familiar chord. Although our organization is smaller in scale and resources compared to a UK retail giant like Marks & Spencer, I recall a similar situation that tested our crisis readiness—and ultimately showcased the value of swift coordination and sound governance.



It was late March, just days before our financial year-end, when I had barely settled into my new role as Head of Internal Audit. One morning, I was urgently called into a crisis management meeting. Our Malaysia operations—comprising 90 retail stores—had just experienced a serious cyber incident. While the details were still emerging, the urgency was clear.

By the time I joined the virtual war room, the initial containment actions had already been completed by our IT security team. The meeting brought together key stakeholders: the General Manager of Malaysia, the Group General Counsel, our CTO, and the Head of IT in Malaysia. In less than an hour, we were making crucial decisions:

  • How to activate our disaster recovery plan effectively

  • How to ensure compliance with Malaysia’s Personal Data Protection Act (PDPA)

  • How to manage public communications, including appointing a local PR agency

Within several days, our operations were back to normal. There was no material financial loss. Yes, there was some loss of customer data, but we quickly deployed human resources to manually restore and validate records. From an internal audit standpoint, I treated the experience as a turning point—drafting and institutionalizing a formal Crisis Management Policy that now serves as our organization’s blueprint for incident response.

A Comparison with the M&S Case

Of course, we shouldn’t draw a direct comparison between our organization and Marks & Spencer. M&S is a legacy brand with deep roots and a much larger operational footprint. However, in terms of response speed and agility, I believe our efforts reflect certain cultural strengths—particularly in Asia, where teams are often more hands-on and flexible in mobilizing a crisis response.

We didn’t wait for a perfect solution—we worked tirelessly to back up systems, restore data, and anticipate regulatory and public relations requirements. Compliance wasn't treated as an afterthought; it was embedded in every action.

In the M&S case, public reporting was notably delayed and market disclosures were unclear; we took the opposite approach: proactive, transparent, and structured.

Why This Matters for Internal Audit

For internal auditors, a cyberattack is not merely an IT issue—it’s a cross-functional risk event. We are increasingly expected to evaluate how well our organizations handle these incidents—not just in technical controls, but in governance, accountability, and communication.

And importantly, Internal Audit wasn’t just a passive observer. We contributed in real time—validating response plans, flagging compliance risks, and supporting recovery testing. That frontline experience gave IA deeper insight and relevance when drafting the crisis management policy post-event.

Cyber Crisis Readiness Checklist

| Category | Key Questions / Audit Considerations |
|---|---|
| Governance & Oversight | Is there a Crisis Management Team (CMT) with defined roles? Is Internal Audit part of the escalation protocol? |
| Containment & Detection | Are there playbooks for ransomware, phishing, and system breaches? Are SIEM or behavioral tools in place and tuned for early detection? |
| Business Continuity & DRP | Are disaster recovery plans tested annually? Was the last test realistic and cross-functional? |
| Legal & Compliance | Are data breach notification laws understood across jurisdictions (e.g., PDPO, PDPA, GDPR)? Is legal counsel involved early? |
| External Communications | Is there a vetted PR firm ready to engage? Are communication templates pre-approved for media, investors, and regulators? |
| Post-Incident Review | Was a lessons-learned report drafted? Did IA or Risk Management independently validate findings? Are improvements tracked? |
