The JLR Cyberattack: Why Government Bailouts Create a Dangerous Precedent for Corporate Cybersecurity Responsibility 

 September 29, 2025

By  Jane Frankland

When Jaguar Land Rover (JLR) fell victim to their most recent cyber-attack last month, costing the company an estimated £50 million per week in disrupted operations, the UK government’s decision to underwrite a £1.5 billion loan facility may have seemed like pragmatic crisis management.

But while this isn’t technically “bailing out JLR” — taxpayers won’t pay unless JLR defaults — the effect is much the same. The government has stepped in to absorb private-sector risk, shielding a multibillion-pound company with billions in cash reserves and existing credit lines from the full consequences of its failures.

That decision has opened a Pandora’s box that threatens to fundamentally undermine corporate accountability in cybersecurity — and we need to talk about it.

The Anatomy of a Preventable Crisis

 

Let’s examine the facts: JLR wasn’t just unlucky—they were negligent. The company suffered two major cyberattacks within six months, both occurring under the cybersecurity oversight of Tata Consulting Services (TCS). While the full extent of TCS’s role remains contested, reports suggest their employees’ credentials were linked to the recent Marks & Spencer breach, and TCS also provides infrastructure support to the Co-op Group, which suffered a major attack in the same period.

This pattern raises serious questions. When the same provider is connected — directly or indirectly — to multiple high-profile incidents, we may not be looking at unstoppable, sophisticated threats, but at systemic failures in oversight and resilience that should have been addressed after the first incident.

The most telling detail? JLR was reportedly in the middle of negotiating its cyber insurance rates when the attack occurred. That timing reveals a deeper misunderstanding of risk management — one that goes far beyond coincidence.

The Moral Hazard of Government Intervention

To be precise, JLR wasn’t on the verge of collapse. The company holds £3.3 billion in cash, access to a £1.7 billion revolving credit facility, and recently secured an additional £1.5 billion line of credit underwritten by the UK government. That last piece is key: the taxpayer isn’t directly paying out unless JLR defaults. Calling it “not a bailout” may be technically correct — but the practical effect is the same. The government is still absorbing private-sector risk, shielding a multibillion-pound manufacturer from the full consequences of its failures.

It’s what economists call a “moral hazard”—a situation where parties are incentivized to take greater risks because they know someone else will bear the consequences.

Consider the mathematics: JLR’s revenue was approximately £29.0 billion for the full financial year ending March 31, 2025. It faced £50 million in weekly losses, making a £30 million ransom payment (the upper end of a possible ransom payment) seem almost reasonable from a business perspective. But when the government intervenes with taxpayer money, suddenly that £850,000 cyber insurance premium that JLR was allegedly haggling over becomes irrelevant. Why invest in robust cybersecurity when the state will cover your losses?

Yes, protecting small suppliers matters — but that support could have been provided directly and transparently, rather than via a backdoor guarantee to a corporate giant with ample liquidity.

It’s also worth remembering that JLR is not classified as critical national infrastructure. In theory, that means the company could choose to pay a ransom to resume operations. Yet few highlight the legal reality: if those funds end up in the hands of a sanctioned or terrorist-linked group—knowingly or unknowingly—the payment itself is a crime. That’s a trap many organisations, desperate to restart production, fail to acknowledge until it’s too late.

This approach fundamentally shifts the cost-benefit analysis for corporate cybersecurity investments. Instead of viewing security as essential infrastructure, companies may now see it as optional insurance—with taxpayers as the ultimate underwriters.

The Ripple Effect: What This Means for Corporate Responsibility

The implications extend far beyond JLR’s balance sheet. Every business leader is now watching this precedent, asking: “If we’re hacked, will the government bail us out too?”

This expectation creates several concerning dynamics:

  • Reduced Security Investment: Why spend millions on cybersecurity when the government might cover breach costs?
  • Increased Risk Tolerance: Companies may accept higher cyber risks, knowing external rescue is possible.
  • Weakened Due Diligence: Less scrutiny when selecting cybersecurity providers if failures don’t result in full accountability.

The message to cybersecurity vendors like TCS is equally problematic. When client failures don’t result in meaningful consequences—either financial penalties or lost business—there’s reduced incentive to improve service quality.

The Cyber Insurance Red Herring

The focus on cyber insurance as a solution misses a critical point: insurance doesn’t absolve organizations of their data protection responsibilities. Too many leaders treat cyber insurance as a get-out-of-jail-free card, without understanding the limitations embedded in policy fine print.

Cyber insurance policies typically require organizations to maintain specific security standards. When companies fail to meet these requirements, claims can be denied, leaving them exposed despite paying premiums. More importantly, insurance covers financial losses—it doesn’t restore customer trust, protect intellectual property, or prevent regulatory penalties.

The real question isn’t whether JLR had cyber insurance, but whether they had implemented the basic security controls that would have prevented the attack in the first place.

A Better Path Forward: Accountability, Not Bailouts

Instead of normalizing government intervention, we need policies that incentivize proactive cybersecurity investment:

Regulatory Enforcement: Strengthen data protection penalties and ensure they’re consistently applied regardless of company size or economic impact.

Supply Chain Accountability: Hold cybersecurity service providers legally accountable for failures that result from negligence rather than sophisticated attacks.

Transparency Requirements: Mandate public disclosure of cybersecurity incidents, including details about prevention measures that were or weren’t in place.

Economic Incentives: Create tax incentives for companies that invest in robust cybersecurity infrastructure and achieve recognized security certifications.

The Cost of Complacency

The JLR bailout may have prevented short-term economic disruption and eased individual pain, but it has created long-term systemic risk. When companies believe the government will rescue them from cybersecurity failures, we’ve essentially socialized the risks of private sector negligence.

As cybersecurity professionals, we have a responsibility to push back against this narrative. Every successful cyberattack that could have been prevented through basic security measures represents a failure of leadership, not just technology.

The question isn’t whether we can afford to bail out companies like JLR—it’s whether we can afford not to hold them accountable.

Taking Action: Your Role in Driving Change

If you’re a cybersecurity professional or business leader, you have the power to influence how your industry responds to this precedent. Here’s how:

  • Audit Your Own Practices: Review your organization’s cybersecurity posture honestly. Are you prepared to defend your security investments and practices? Do you have a plan in place? Have you trained all your employees so they know how to spot attacks, how to report them, and what to do in the event of an attack? That training is often missing.
  • Engage with Policymakers: Reach out to government representatives to express concern about bailout precedents and advocate for accountability-focused policies.
  • Choose Partners Wisely: Evaluate cybersecurity vendors based on track records, not just cost. Demand transparency about past incidents and prevention measures.
  • Stress-Test Your Resilience: Don’t just assume your continuity plan will work — run live-fire simulations and tabletop exercises that include identity compromise scenarios. The gaps will reveal themselves in practice, not theory.
  • Collaborate Beyond Your Walls: Cybersecurity isn’t just a corporate concern — it’s a way of life, because digital is how we all live today. Share threat intelligence with peers, participate in industry exercises, and don’t forget to include friends and family. Helping everyone in your circle stay aware and protected ensures no one gets left behind when attacks happen. Collective defense raises the bar for everyone.

The cybersecurity community must unite to ensure that the JLR incident becomes a cautionary tale, not a blueprint for corporate irresponsibility.

Now I Want to Hear From You

The JLR case highlights a tension we’ll see more of in the years ahead: when does government intervention protect jobs and industry, and when does it enable corporate negligence?

So here’s my question for you:

Do you think taxpayer-funded bailouts or loan guarantees for companies hit by cyberattacks are justified, or should businesses be held fully accountable for their own security resilience?

(Photo credit: William – stock.adobe.com)

Jane Frankland

 

Jane Frankland MBE is an author, board advisor, and cybersecurity thought leader, working with top brands and governments. A trailblazer in the field, she founded a global hacking firm in the 90s and served as Managing Director at Accenture. Jane's contributions over two decades have been pivotal in launching key security initiatives such as CREST, Cyber Essentials and Women4Cyber. Renowned for her commitment to gender diversity, she authored the bestselling book "IN Security" and has provided $800,000 in scholarships to hundreds of women. Through her company KnewStart, and other initiatives she leads, she is committed to making the world safer, happier, and more prosperous.
