Cyber attacks are a constant in the IT press, but every now and again they cut through to the front pages of national newspapers and evening bulletins. The recent attack on Jaguar Land Rover (JLR) gained international attention due to the combination of its recognisable name and the wide-ranging effects.
The fallout from this incident is likely to continue for months, and probably years. With car production halted for over a month and over 5,000 businesses affected, the Cyber Monitoring Centre has estimated a financial impact of £1.9bn, and likely “the most economically damaging cyber event to hit the UK”. The shutdown meant that the number of cars manufactured in September 2025 was the lowest in the UK since 1952.
Reportedly, JLR had “failed to finalise” its cyber insurance cover ahead of the attack and will bear a great deal of this cost. The UK government has underwritten a loan of £1.5bn to JLR to support the company and, crucially, its supply chain.
Undoubtedly, approaches to cyber security will be top of the agenda in boardrooms across the country, as leaders devise plans on how to avoid a similar fate. Chief financial officers (CFOs) and finance directors have likely been asked about levels of insurance coverage, while chief information security officers (CISOs) will be under pressure to strengthen security practices.
Big news stories can shift attitudes. There’s no doubt that insurance vendors and brokers are using this moment to promote their products, but can cyber security teams also use it to help their businesses be better prepared?
A tipping point in perception?
Previously, a business case for digital transformation would be focused on the costs and benefits. Now, security risks are likely to be scrutinised more closely.
Security teams will have a vital role in determining just what this greater awareness of cyber security risks will mean. While it needs to be understood that cyber security threats are very real and can have massive consequences if they are successful, it’s important for businesses to strike a balance, exercising caution rather than being paralysed by fear. The message communicated to the wider business will be key in making sure risks are understood and the right precautions are taken, but not in a way that will stop innovation.
It is also an opportunity to communicate the need for layers of security. It’s not as simple as strong passwords and multi-factor authentication (MFA), but an end-to-end resilience approach is needed to keep a business safe. Cyber insurance can be thought of as one of those layers.
Getting cyber insurance right
Thanks to a greater awareness of cyber insurance, and the risks of not holding it, many businesses will be rushing to check their coverage. Even before the JLR shutdown, cyber insurance was one of the fastest-growing sectors in the global insurance market. Despite this growth, the FCA has warned that the UK is “potentially massively underinsured” against the cyber risks it faces.
For SMEs, cyber insurance policies are often bundled within broader business protection packages, but the terms for payout can be complex. Insurers will, as they do with any claim, scrutinise the business to ensure the policyholder had sufficient safeguards in place at the time of the incident. If those controls were lacking i.e. if the business failed to maintain up-to-date software, lacked MFA, or had poor backup practices, then the claim may be reduced or rejected altogether.
It is, again, the responsibility of cyber security teams to educate the business on how cyber insurance works and what changes may be necessary to make sure a policy is valid. While businesses may understand this principle for other forms of insurance, for example, a fire insurance policy may not pay out if a business holds an impromptu indoor barbecue for its staff, the requirements for cyber insurance may not be so obvious.
Insurance requirements as a guide to better security
Cyber insurance can, in fact, be used to get businesses on the right track when it comes to cyber security requirements. For example, two-factor authentication can often be unpopular with employees who see it as unnecessary, or who have bad experiences as consumers. But if 2FA is a requirement for cyber insurance, then that makes objections easier to overcome. What may be seen as optional before, despite the urging of the security team, will become embedded.
Of course, insurance requirements are not a complete guide to cyber security needs, but for businesses that are lacking in security, they can be a useful guide to help progress and to win internal arguments. Again, this is about using the moment correctly, with minds focused on cyber security, it’s an opportunity to build a better security culture and help everyone in the business understand their shared responsibility.
Fear vs. focused minds
Cyber security teams have a window of opportunity to get their businesses on the path to better security. It’s a rare occasion when those who care about security find that the rest of the business is thinking about the same problem.
While businesses are reflecting on how they can make sure they do not become another headline, security teams should be on hand to offer guidance and counsel, and can set the tone for how to approach the issue. While fear is a great motivator, this is really about striking the right balance, educating on potential threats and how they can be prevented. Insurance is but one piece of the puzzle.
For businesses where security is lacking, these conversations have the potential to be an inflection point, leading to better security. With minds focused on the need to avoid disaster, experts can be the voice of reason and help keep their businesses safe.
Robert Johnston is general manager of Adlumin at N-able.
