Jaguar Land Rover's cyber bailout sets worrying precedent, watchdog warns
- Reference: 1774010530
- News link: https://www.theregister.co.uk/2026/03/20/jlr_bailout_cmc/
- Source link:
Speaking at an [1]event marking the Cyber Monitoring Centre's (CMC) first operational year, Ciaran Martin, chair of the CMC's technical committee and a distinguished fellow at RUSI, said [2]the government's response to the JLR cyberattack could create longer-term problems if repeated without a clear framework.
"I think the loan guarantee is an unfortunate precedent because the government intervened in a case-specific way... without clear criteria," Martin said. "Otherwise you'll just end up with a series of ad hoc precedents that will leave nobody any the wiser."
The warning comes as the country's Ministry of Defence on Friday [4]confirmed that the British Army will retire its Land Rover fleet after more than 70 years of service, as it looks to replace thousands of vehicles with a modern successor.
It follows a year in which the CMC has tried to put hard numbers on the financial impact of major cyber incidents on the UK economy, including the JLR attack, which it estimates cost up to £1.9 billion. Separate attacks on retailers [7]Marks & Spencer and the [8]Co-op were pegged at a combined £355 million.
But beyond the headline figures, the discussion highlighted a deeper problem: the widening gap between the economic damage from cyberattacks and what the insurance market can realistically absorb.
Tracy Poole, chief communications officer at Pool Re, said the cyber insurance "protection gap" could be as high as 90 percent, meaning most losses from large-scale incidents are effectively uninsured. While insurance can cover individual companies, she warned it falls short when the damage spills into supply chains and local economies.
[10]Jaguar Land Rover wholesale volumes plummet 43% in cyberattack aftermath
[11]JLR: Payroll data stolen in cybercrime that shook UK economy
[12]Bank of England says JLR's cyberattack contributed to UK's unexpectedly slower GDP growth
[13]Jaguar Land Rover cyber-meltdown tipped to cost the UK almost £2B
"They can insure a company, but they can't insure a community and the impact on the wider community," she said.
That mismatch helps explain why governments end up stepping in when things go wrong, but Martin warned that doing it without clear rules risks sending the wrong signal. Cybersecurity, he said, is driven by how companies assess risk, and if they think the state will ride to the rescue, they may be less inclined to invest in resilience.
"It would be better to have a framework... rather than a response to events," he said, suggesting options could include mandatory insurance, tax incentives, or some form of government-backed safety net.
Alongside the policy debate, the CMC used the event to show how its work is evolving. The organization said it is working with the Office for National Statistics to introduce post-incident business polling after widespread cyber events, and is preparing a white paper examining the UK's exposure to cloud-related risks.
It also confirmed plans to expand beyond the UK. "We're in the process of establishing a US cyber monitoring center," said CMC head of operations Ruth Goodwin. The effort will start with appointing a technical committee and setting up a US legal entity closely linked to the UK operation, with live incident categorizations potentially landing in 2027.
The move reflects growing demand for clearer, standardized ways of measuring cyber damage, something that remains patchy across the industry. Martin acknowledged that while disruptive ransomware attacks are relatively straightforward to cost, the financial impact of data breaches is far harder to pin down.
That uncertainty, combined with the scale of recent incidents, suggests the UK is only just getting to grips with the true economic fallout of cyberattacks. If the JLR case is anything to go by, the question of who ultimately foots the bill is still very much up for debate. ®
[1] https://www.youtube.com/watch?v=lzGnGwqQGh4
[2] https://www.theregister.com/2025/09/29/jlr_government_loan/
[4] https://www.gov.uk/government/news/lights-out-for-the-landy-british-army-to-retire-iconic-land-rover-fleet
[7] https://www.theregister.com/2025/05/13/ms_confirms_customer_data_stolen/
[8] https://www.theregister.com/2025/07/16/coop_data_stolen/
[10] https://www.theregister.com/2026/01/07/jlr_wholesale_volumes/
[11] https://www.theregister.com/2025/12/15/jlr_payroll_data_stolen_in/
[12] https://www.theregister.com/2025/11/07/bank_of_england_says_jlrs/
[13] https://www.theregister.com/2025/10/22/jaguar_lander_rover_cost/
What bailout?
JLR were offered a government loan, but never actually took it up. The idea that offering a loan to a nationally significant company will somehow deter other companies from spending on cyber defences is bollocks. JLR took a hit of around £2.2bn due to the cyber attack and suffered massive reputational damage. That's what every other business saw, that's what they'll remember.
I find it rather worrying that CMC leadership think that (a) JLR were bailed out, and (b) that they seem to think that businesses won't have spotted the brown stuff splattering.
Re: What bailout?
I think you have no idea how big corporations operate.
Suffering a cyber attack puts you on the map, validates your corporation as important and the mere fact that government offered a loan means shareholders can sleep tight.
I'd see that more companies will actually cut spending on cybersecurity to find themselves in a similar position.
It's a badge of honour these days.
Re: What bailout?
Still results in risk being mispriced and prevention being misvalued when a company's recovery plan is a taxpayer bailout rather than an insurance payout.
Insurance companies are sticklers for security, whether they're covering enterprise IT or a painting hanging on the wall. Not up to standards? Then you pay more. For clueless companies, that could be a lot more. Accurately priced risk creates financial incentives to invest in prevention. Bailouts externalize the risk to the commons.
Insurance companies shouldn't be the end-all for cybersecurity standards, but their standards are often far more advanced than the managers who love pretending cyber incidents only happen to other people, and definitely more advanced than government demands. Sloppy companies will see their rates go up or their coverage denied if no insurer wants to be around to pay out when the shit hits the fan.
We wouldn't want government bailing out any business which burns down either. That leads to more fires. We want the fire marshal working with fire insurers to say "that's a fire trap, fix it" before people get burnt up in an avoidable fire trap. Who is supposed to speak up?
Re: What bailout?
You are correct, but also wrong.
A loan guarantee is also a bailout, because it is not on commercial terms. Knowing 100% for sure that the government is underwriting 80% of the risk is not something to be sniffed at.
Typical IT department incompetence
They should have replaced all of the bulkhead outriggers on the firewall before double-declutching.
Amateurs.
An effective deterrent
How about if a gov bailout is necessary to "save" a company, then the C-suite is fired, the board is fired, and all current and former C-suite have their pensions voided. Any outstanding stock options are voided, and some clawback of prior compensation for execs serving in the prior 3 years: 70% year 1, 50% year 2, 30% year 3.
That would get their attention, and it would be in their interest to protect their money, so they will do the spend for security. I'd wager security might become their primary management interest.
Re: An effective deterrent
I think in the case of a bailout, the government / ultimately the taxpayer should take ownership of the corporation and sack the entire C-suite.
Re: An effective deterrent
Absolutely - paid them cash, the Government and thereby the public should own the company. The profits can help fund the Government's latest mad schemes.
Re: An effective deterrent
I still think you need the clawback. The Warner/Paramount merger just gave the guy 800M golden parachute I think it was. If it was his "leadership" that caused 800M worth of value, then it was his "leadership" if they get porned by a cyber attack in the next year or two. And he should get the cost as well as the benefit of his "leadership".
Sherlock
^^ No shit.
That said, how successive governments bend over backwards for Indian IT corporations (despite how much damage they create to UK economy) is suspicious to say the least.
But as usual the watchers are asleep, perhaps after eating so much wine and steak.
Then insurers and/or governments need to put conditions on insured parties to spend actual time and money on cyber security, technical and staff training measures.
Let me guess
>> as it looks to replace thousands of vehicles with a modern successor.
Each to be equipped with the recently touted 300GB of RAM, AI to avoid potholes, and turn on the lights when it gets dark. And probably far more expensive to run. And harder to maintain, with oodles of electronic equipment 'necessary' to diagnose faults in the oodles of built in electronic equipment.
And vendor-only headlamps to ream the taxpayer.
Big enough impact = very low risk
As seen in banking and other corporate failures.
Ensure the blast radius of a failure is big enough and government will step in with other people's money to sort it.
All you need is the paperwork to cover backside (theatre of governance and risk management) and blame some mid-level minion for the failure.
Donations to political funds, or visible government initiatives help manage risk of actual consequences and you can safely increase exec bonus pay-outs with little risk to self.
Happy days.
Turbocharged Moral Hazard
Too many managers embrace a troubling attitude towards enterprise cybersecurity: a dollar spent is "wasted" if there are no attacks and "ineffective" if there are. Thus, they choose to underinvest in prevention.
Politicians don't seem to get this. Their attitude towards cybersecurity is giving contracts to their friends (whether it works or not) and leaving someone else to clean up the mess when it goes wrong.
This bailout turbocharges moral hazard. Why invest in prevention if the taxpayers will pick up the tab for cybersecurity failures?
What we need are stronger national standards and practices, as well as a requirement that publicly-traded companies truthfully disclose their adherence and spending in public reports. If the consequences of a cyberattack aren't enough to motivate the PHBs, then perhaps the consequences for misleading shareholders will be.