How headlines can drive change in cyber security

Cyber attacks are a regular feature of the IT press, but from time to time they make it onto the front pages of national newspapers and evening bulletins. The recent attack on Jaguar Land Rover (JLR) has attracted international attention due to the combination of its recognizable name and wide range of effects.

The fallout from this incident will likely last for months, and possibly years. The Cyber Monitoring Center estimates that car production was stopped for more than a month, that more than 5,000 enterprises were affected, and that the financial impact was £1.9 billion, making it probably “the most economically destructive cyber event to hit the UK”. The shutdown resulted in the number of cars produced in September 2025 being the lowest in the UK since 1952.

JLR reportedly 'failed to complete' its cyber insurance ahead of the attack and will bear most of these costs. The UK government has provided JLR with a £1.5 billion loan to support the company and, crucially, its supply chain.

Cybersecurity approaches will undoubtedly be the focus of boardrooms across the country as leaders develop plans to avoid a similar fate. Chief financial officers (CFOs) are likely to be asked about insurance coverage levels, while chief information security officers (CISOs) will be under pressure to beef up security practices.

Big news can change attitudes. There's no doubt that insurance companies and brokers are using this moment to promote their products, but can cybersecurity teams also use it to help their businesses be better prepared?

A tipping point in perception?

Previously, the business case for digital transformation focused on costs and benefits. Security risks are now likely to be scrutinized.

Security teams will play a vital role in defining what increased awareness of cybersecurity risks will mean. Cybersecurity threats are very real and can have serious consequences if successful, but it is important for businesses to strike a balance by being cautious rather than paralyzed by fear. The message communicated to the wider business will be key to understanding the risks and taking the right precautions, but not in a way that stops innovation.

This is also an opportunity to communicate the need to create security layers. It's not as simple as strong passwords and multi-factor authentication (MFA); keeping your business secure requires a comprehensive approach to resilience. Cyber insurance can be seen as one such layer.

The Right Cyber Insurance

With greater awareness of cyber insurance and the risks associated with not having it, many businesses will be rushing to check their insurance coverage. Even before the JLR attack, cyber insurance was one of the fastest growing sectors of the global insurance market. Despite this rise, the FCA warned that the UK is “potentially underinsured” against the cyber risks it faces.

For SMEs, cyber insurance policies are often included as part of broader business protection packages, but payout terms can be complex. Insurers, as with any claim, will scrutinize the business carefully to ensure that the insured had sufficient controls in place at the time of the incident. If these controls were missing, for example if the business did not maintain up-to-date software, did not have MFA, or had ineffective backup methods, then the claim may be reduced or denied entirely.

Again, it is the responsibility of cybersecurity teams to educate the business about how cyber insurance works and what changes may be required to ensure the policy is valid. While businesses may understand this principle for other forms of insurance—for example, a fire insurance policy may not pay out if a business hosts an impromptu barbecue on the premises for its employees—the requirements for cyber insurance may not be as clear-cut.

Insurance requirements as a guide to improving safety

Cyber insurance can essentially be used to put a business on the right track when it comes to cybersecurity requirements. For example, two-factor authentication (2FA) can often be unpopular among employees who consider it unnecessary or have had a poor experience of it as consumers. But if 2FA is a cyber insurance requirement, then objections will be easier to overcome. What previously seemed optional, despite the insistent demands of the security team, will become built-in.

Of course, insurance requirements are not a complete guide to cybersecurity needs, but for businesses that lack security, they can be a useful guide to help progress and win internal disputes. Again, it's about seizing the moment: with the focus on cybersecurity, this is an opportunity to build a better security culture and help everyone in the business understand their shared responsibility.

Fear vs. Focused Mind

Cybersecurity teams have the opportunity to put their business on the path to improved security. It's a rare occasion when those who care about security find that the rest of the business is thinking about the same problem.

As companies consider how they can ensure they don't become another headline, security teams should be prepared to offer guidance and advice, and can set the tone for how to approach the problem. While fear is a great motivator, it's really about finding the right balance, learning about potential threats and how they can be prevented. Insurance is just one piece of the puzzle.

For businesses where security is lacking, these conversations can be the tipping point that leads to improved security. As minds focus on the need to avoid disaster, experts can be the voice of reason and help keep your business safe.

Robert Johnston – CEO Adlumine in N-ability.
