The decision, disclosed in the company's annual report for the 12 months to April 2025, is one of the clearest examples in recent years of a remuneration committee withholding incentive pay over an operational failure that was not directly attributable to management conduct. For boards across UK business, particularly at SMEs and scale-ups with less resilience to absorb a comparable shock, the episode offers a pointed case study in cyber-risk governance, insurance planning, and the pay consequences that follow a major incident.

What the remuneration committee decided, and why

The M&S remuneration committee confirmed there would be "no bonus scheme" for the financial year, according to the company's annual report. The wording is notable: the committee did not simply reduce payouts or apply discretionary clawback. It eliminated the scheme altogether.

The committee acknowledged the tension in its reasoning. In the annual report, it stated:

"In reaching this decision, careful consideration was given to the exceptional commitment and leadership demonstrated by the management team during a period of significant challenge, recognising that they worked harder than ever to successfully lead the business through such a difficult time. However, it was concluded that, in the circumstances, and having particular regard to the experience of our shareholders, it would not be appropriate to make a bonus payment."

The phrase "having particular regard to the experience of our shareholders" is the operative clause. M&S's board concluded that paying bonuses while shareholders absorbed a 29 per cent profit decline would be untenable, regardless of how well executives managed the crisis itself.

Machin's prior-year pay of £7m had included a £1.65m bonus and £4.5m from the performance share plan (PSP), earned during a period in which M&S's share price more than doubled, as reported by City AM. In the latest year, the bonus component dropped to zero. His PSP payout also fell, to approximately £3.1m from £4.5m, reflecting the cyberattack's drag on the performance targets that govern share awards.

The net effect was a reduction of more than 40 per cent in total remuneration.

The £133m cyberattack: costs, insurance and profit impact

M&S disclosed the total cost of the April 2025 cyberattack at £133.3m, according to the annual report. The incident ground the retailer's online services to a halt for weeks and forced several stores to stop accepting card payments, as reported by City AM.

The group has recovered more than £100m of that figure through an insurance claim, limiting the net cash impact. Even so, the disruption was severe enough to leave group profit 29 per cent lower year-on-year.

Chairman Archie Norman, a former Conservative MP who has led the M&S board since 2017, said in his chairman's letter that "the cyber incident starting in April coloured the financial performance for the whole year and put many of our financial ambitions into abeyance," according to the annual report.

The insurance recovery is significant. A net exposure of roughly £30m on a £133.3m gross loss suggests M&S held a relatively comprehensive cyber-insurance programme, with limits and coverage terms that proved adequate for a prolonged operational disruption. Many smaller retailers would not carry equivalent cover. According to government survey data published in recent years, a substantial proportion of UK SMEs lack any dedicated cyber-insurance policy, leaving them fully exposed to comparable incidents.

Operational fallout

Beyond the headline financial cost, the attack forced M&S to suspend online ordering for an extended period and disrupted in-store payment systems. For a retailer that has invested heavily in digital channels as part of its turnaround strategy, the reputational and operational cost extended well beyond the insurance-recoverable losses.

Norman's warning on regulation and the high street

Norman used the annual report to deliver a pointed critique of the UK policy environment facing retailers. His comments, as reported by City AM, echo longstanding sector complaints but carry additional weight given M&S's scale and the chairman's political background.

"We have of course some headwinds: there has rarely in the history of M&S been a time where the regulatory environment has been less friendly to growth and investment and our tax burden increased substantially during the year," Norman wrote in the annual report.

He added that the impact "has however been felt more keenly by smaller competitors and the result is reflected in the continued decline of many high streets and town centres."

The timing aligns with two specific policy changes that took effect in the 2025-26 tax year: the increase in employer National Insurance contributions and revisions to the business-rates system. Both measures hit labour-intensive, property-heavy businesses such as high-street retailers disproportionately hard.

For SME retailers, the message is blunt. If a business with M&S's scale and negotiating power describes the environment as historically hostile, smaller operators face an even steeper climb. Norman's framing, that M&S can "sail into the wind and ride the waves" while smaller competitors cannot, implicitly acknowledges that consolidation pressure on the high street is intensifying.

Lessons for boards: structuring pay around exogenous risk

The M&S remuneration committee's decision raises a governance question that extends well beyond one retailer's annual report. How should boards design incentive structures that can withstand exogenous shocks, events that damage shareholder value but fall outside management's direct control?

Three observations stand out from the M&S approach.

First, the shareholder-experience test proved decisive. The committee did not argue that Machin or his team were at fault for the cyberattack. It praised their crisis management explicitly. But it concluded that paying bonuses against a backdrop of a 29 per cent profit decline would be inappropriate given the shareholder experience. This is a reputational and governance judgment, not a performance one.

Second, the PSP provided a partial buffer. Machin still received £3.1m through the performance share plan, albeit reduced from the prior year. Long-term incentive plans tied to multi-year targets are inherently less binary than annual bonus schemes. They allowed the board to reduce, rather than eliminate, this component of pay without rewriting the plan's rules.

Third, insurance recovery did not change the pay outcome. Despite recovering more than £100m of the £133.3m cost through insurance, the board still zeroed out bonuses. This suggests that remuneration committees may increasingly treat the gross impact of an incident, not the net insured loss, as the relevant benchmark when assessing whether incentive payments are appropriate.

For boards at smaller organisations, the practical takeaway is that cyber-risk governance now sits firmly within the remuneration committee's remit, not just the audit or risk committee's. Any organisation with a material digital exposure should stress-test its incentive structures against a scenario in which a major cyber incident wipes out a quarter or more of annual profit. The question is not whether management is to blame. It is whether paying bonuses in that context is defensible to shareholders, employees, and the public.

M&S's handling of the episode is neither punitive nor exonerative. It is pragmatic. That pragmatism, however uncomfortable for executives who managed a crisis they did not cause, may prove to be the model other boards follow.