Unlock the Editor’s Digest for free

Jaguar Land Rover’s lack of cyber insurance means it will shoulder the full bill from a damaging cyber attack that could end up costing the carmaker billions of pounds in lost revenues and profits, according to three people with knowledge of the situation.

The carmaker has suffered mounting losses after the attack forced it to shut down its systems and UK factories on September 1. JLR suppliers and dealers fear production in the UK may not resume for several months.

The attack has wreaked havoc across JLR’s vast supply chain involving roughly 200,000 workers, sparking emergency meetings between UK government officials and suppliers struggling to meet their payments.

Ministers had so far expressed reluctance to offer financial support but business secretary Peter Kyle is considering an unusual scheme where the government could purchase car components from struggling suppliers, which would later be sold to JLR once it resumes production.

“We are looking at all the things we can do,” a person close to the government said. Automotive industry figures questioned how the scheme would work given the difficulties in determining what to buy and from whom — as well as working out where the components would be stored.

If JLR cannot produce vehicles until November, David Bailey, professor at the University of Birmingham, had estimated that the group would suffer a revenue hit of more than £3.5bn, or about £1.3bn in gross profits.

JLR will not be able to recover those losses — and other costs related to the attack — because it was still in discussions with insurance broker Lockton on whether to purchase a policy when the attack happened, one of the people said.

A person close to Lockton disputed the claim that discussions were ongoing, saying that the Tata Motors-owned company had declined cyber-specific cover.

JLR and Lockton declined to comment. JLR’s exposure was first reported by The Insurer.

Businesses have increased their spending on cyber insurance in the wake of rising hacking incidents across a range of sectors over the past decade. However, the policies are also expensive and company responses have varied in terms of how they have weighed their costs and benefits.

UK retailer Marks and Spencer had doubled its cyber insurance cover last year and is expected to recover some of the costs from a devastating cyber attack in April. The Co-op, another retailer that was also targeted, did not have dedicated cyber insurance.

The global cyber insurance market is expected to be worth $16.3bn this year, according to reinsurer Munich Re, which expects that figure to reach $32bn by 2030. Across Europe, premiums paid for cyber insurance totalled $3bn as of 2024.

About 60 to 70 per cent of FTSE 100 companies purchase cyber insurance, according to Kelly Butler, head of UK cyber for broker Marsh.

“This is exactly what a cyber insurance policy is designed to cover,” Butler said, referring to recent attacks in retail and manufacturing. Typical policies would cover business interruption, including lost income due to halting production, she said, as well as incident response, public relations, ransomware negotiators, and credit monitoring services.

However, she added, businesses have shown “a lot of scepticism” about cyber insurance after some groups had tried to file insurance claims under their general insurance policies and found that cyber attacks had been excluded, requiring an additional insurance plan.

On Sunday, Stellantis also announced that there was a breach of customer information, citing “unauthorised access to a third-party service provider’s platform” that supported its North American customer service operations. 

This article has been amended to clarify when JLR halted production at its UK factories.