Opinion: Cyber attackers are shopping around for weak links in retailers’ supply chains

Retailers are continuing to be hit hard by cyber attacks, with The North Face and Cartier the latest to report that customer personal data has been stolen. This comes fresh off the back of reported incidents affecting Adidas, Victoria's Secret, Harrods and, most notably, M&S and the Co-op, write Rebecca Roberts and Jo McLean.
A key reason the retail sector is vulnerable to cyber attacks is its inherent supply chain risk. Retailers tend to have a long supply chain, encompassing wholesalers and suppliers, distributors, manufacturers, logistics providers and, ultimately, end consumers. When a vulnerability in one link of that chain is exploited, the impact spreads to other entities along the chain, and how far it spreads depends on the level of system integration and access that has been allowed between the parties: a supplier with a standing VPN connection or shared credentials into a retailer's systems is a far greater risk than one that only exchanges files.
Outsourced providers present a similar risk. When a business outsources part of its operations (such as IT services) to a third-party provider, it gives up an element of control and oversight in terms of cyber security. These third-party providers can be fairly dominant in the market, with the largest servicing thousands of business customers, and are therefore extremely attractive targets for cyber attackers: a single compromise gives access to many victims at once. For example, in 2022 a cyber attack on the NHS's IT service provider, Advanced Computer Software Ltd, caused widespread disruption to some NHS services. In March 2025 the UK Information Commissioner's Office fined Advanced just over £3 million for its security failings, noting in particular that the customer account the attackers used to gain entry was not protected by multi-factor authentication.
Under the UK GDPR, all parties in a supply chain that hold personal data, whether as controllers or processors, have a duty to keep that data appropriately secure. However, it is retailers, as controllers of their customer data, who are ultimately responsible for compliance with the security obligations, and for ensuring that they only use processors who can give sufficient guarantees that they will keep data secure. It is also the retailer's responsibility to notify the ICO of a personal data breach that is likely to result in a risk to individuals, normally within 72 hours of becoming aware of it; a processor's duty is to tell the controller without undue delay.
While the risk of regulatory fines remains present, the biggest risk to retailers is operational, as seen in the recent attacks, which have caused significant disruption and loss of revenue and profit. Added to that are the brand and reputational impact of losing customer trust, and the future risk of compensation claims once the dust has settled.
Managing cyber risk is no easy feat – ultimately, any organisation can be a target and attacks are becoming increasingly sophisticated. But there are steps retailers can take to help prepare themselves for the worst case scenario.
The first step is properly escalating cyber risk up the board agenda. There must be senior-level understanding of cyber risk and of the technical and organisational measures available to mitigate it. The most recent Cyber Security Breaches Survey, published by the Department for Science, Innovation and Technology in April 2025, indicates that the retail sector is lagging behind in terms of board-level engagement, with 44 per cent of retail businesses reporting that cyber risk was a low priority, compared with 27 per cent of businesses overall. This may be because the sector was, until recently, statistically less likely to suffer a cyber attack.
Retailers should now be reconsidering their approach to cyber security in light of recent incidents. Robust internal security measures are a prerequisite, but retailers should also take a close look at their supply chain and third-party relationships to identify potential vulnerabilities, including who has access to their systems and data and how that access is controlled. They should also consider running a tabletop exercise: a simulated attack, walked through with the people who would actually respond, to test whether security measures and incident response plans stand up to scrutiny before a real incident does.
At the moment this is recommended best practice, but going forward new laws could oblige organisations to take a closer look at the cyber resilience of their supply chains. Those in the financial services sector will already be familiar with the EU's Digital Operational Resilience Act, and organisations in energy, transport, healthcare and online services are already subject to the NIS Regulations 2018, the UK implementation of the EU's NIS Directive on the security of network and information systems. It was announced last year that a new Cyber Security and Resilience Bill is due to be introduced, which will expand cyber resilience obligations to other sectors. If this follows the approach taken in the EU under NIS2, it will extend to those involved in the production and distribution of food products and other critical products, including medical devices, computer equipment and vehicles.
In light of the current threat landscape and forthcoming legislation, now is the time for retailers to cement their defences by scrutinising who they trust with their most valuable data.
Rebecca Roberts and Jo McLean are directors at Burness Paull LLP