Jaguar Land Rover cyber-attack shows need for state action

Back in June, I argued the cyber-attack against Marks & Spencer underlined an uncomfortable truth: insurance alone can’t save the day when cyber criminals bring major retailers to their knees.

The fall-out from the attack on M&S should have been a warning that cyber is not just a balance sheet concern – it’s a national resilience issue.

The alarm bells rung by M&S have only grown louder with the news that Jaguar Land Rover has suffered its own damaging cyber-attack and – unlike one of the nation’s favourite retailers – the car manufacturer is having to cope without the safety net of cyber cover.

Building resilience that focuses on before, during and after prevention and protection is the only way we can avoid prolonged outages that shatter reputations and cripple finances.

JLR is reported to be losing around £50m a week, a cost now being propped up by the government stepping in with the taxpayer’s purse to shield its supply chain.

Compare that with M&S, which Martyn Janes, lead cyber underwriter at rrelentless, says had around £100m of insurance to offset part of its £300m loss.

Even with M&S, the shortfall was sobering and proof that insurance can’t be the total solution in a world where nearly every company relies on online platforms for nearly every business function.

JLR’s position is far more precarious than what befell M&S. With no cyber policy to call upon, the company’s vulnerability has become the state’s problem.

The Labour government faces a critical choice. It can simply write cheques to keep JLR’s suppliers afloat and hope the next crisis doesn’t hit as hard or it can finally start to listen to the alarm bells and recognise cyber risk is not just a commercial issue.

It is a matter of national resilience that demands coordinated action between government, industry and insurers.

Insurance isn’t enough

Cyber insurance remains a vital tool in helping businesses avoid as well as recover from attacks, absorb financial shocks, and access expert support during a crisis.

But the events of recent months have shown insurance alone is not enough to protect critical sectors from systemic disruption.

As Adrian Cox, CEO of Beazley, notes: “While there is no simple solution to this problem, and cyber-attacks are inevitable, it’s time to build a mindset of preparation, not panic.

“Building resilience that focuses on before, during and after prevention and protection is the only way we can avoid prolonged outages that shatter reputations and cripple finances.

“Insurance is an important part of the solution, but it cannot be the only piece.”

Cox is right. Andrew Martin, CEO of DynaRisk, observes the market needs to move from reacting to attacks to predicting them.

“That means putting real focus on third-party and supply chain risk and real-time monitoring, so insurers and their clients can spot risks before they turn into costly claims,” he says.

Insurance is a safety net but when a company of JLR’s size is struck down by these criminals, the implications ripple far beyond its own operations.

JLR is a cornerstone of the UK’s manufacturing base, employing thousands directly and supporting many more through its supply chain.

If cyber criminals can disable operations at the heart of British industry and the only recourse is dipping into the taxpayer’s pockets, that is a vulnerability in the UK’s economic armour.

The government clearly recognises this, given the swift support extended to JLR’s supply chain.

But firefighting after the fact is an expensive strategy and an approach that can’t go on forever. 

Time to act

If Labour is serious about economic security and industrial strategy, it cannot afford to treat cyber as a niche issue for IT teams and insurers to handle.

Government, insurers, and the industry must work together to create a national cyber resilience strategy that integrates insurance into broader preparedness efforts.

This could mirror the public–private terrorism risk pooling model and approach that has been taken to flood risk.

An approach to spread systemic risk and incentivise better prevention practices is required.

Hiscox’s latest Cyber Readiness Report shows 59% of SMEs were attacked in the last 12 months, with 33% facing fines and 30% suffering hits to business performance. Without intervention, these vulnerabilities become systemic.

Grants, tax incentives or shared services for cybersecurity – similar to those offered for energy efficiency – could help SMEs harden their defences.

Just as safety standards are mandated in physical infrastructure, baseline cyber resilience requirements should be introduced for sectors that underpin the economy.

We desperately need cyber security to be pushed out of the “nice to have” category and into the realm of an essential thing you need or are mandated to have to continue to operate.

When should Labour act? Now. Cyber criminals are not waiting. They are evolving their tactics, shifting focus from personal data to sensitive business information such as contracts, financials and intellectual property.

While hitting major retailers and car manufacturers has been painful, what if a critical utility, transport network or healthcare provider was struck? If we are still debating the role of insurance versus government intervention when that happens, it will be too late.