Too Big To Fail Cyber Edition
The 2000s brought us mark-to-market creative accounting, 2008 brought us subprime mortgages, and 2025 brings us…hackers. What do they have in common? Each situation was supposed to be a too big to fail moment. This brings us to the UK government extending a 1.5 billion GBP guaranteed loan to Jaguar Land Rover (JLR) to keep operations running after a debilitating ransomware attack that halted production for over four weeks.
The Breach Bailout
JLR told much of its 33,000 staff across the three manufacturing facilities in the UK to stay home until production resumes in some capacity on October 1. Ten companies and another 100,000 employees in JLR’s supply chain expressed concerns about their future during a meeting with the government’s Business and Trade Committee last week, with some stating they had just days of available cash left. The loan, provided by a commercial bank, is intended to give suppliers greater confidence and provide relief to workers. The government will support it through the export development guarantee program, designed to assist UK exporters. Repayment will take place over a five-year period.
This cyber-attack proves once again that cascading economic hardship isn’t about one company with disrupted operations. It’s about the systemic economic consequences that follow when a major national employer suffers a devastating outage.
Conglomerate Convenience Leads To Cyber Compromise?
Several UK outages, including the one that crippled JLR, are linked to Tata Consulting Services (TCS), raising questions about whether conglomerate ownership is shielding poor supplier performance. With TCS serving multiple affected firms and sharing a parent company with JLR, scrutiny from the UK’s Business and Trade Committee intensified recently. JLR is owned by Tata Motors, which is owned by Tata Group. Tata Consulting Services (TCS) is also owned by Tata Group (though it’s also a publicly traded company in its own right). In a five-year £800 million deal announced in 2023, both companies extended what was described as a “long-standing” relationship.
On one hand, TCS has incentives to provide the best services possible to an important portfolio company under the Tata Group umbrella. On the other hand, any tech leader or CISO that’s dealt with conglomerates and private equity knows the dance of “staying in the portfolio” when it comes to selecting suppliers.
A Cyber Insurance Gap Adds To The Pain
JLR was reported to be in the middle of negotiating a cyber insurance policy at the time of the attack. Cyber insurance coverage can help absorb some of the costs in a breach such as business interruption and incident response services. Forrester’s Security Survey, 2025, shows that 87% of enterprise security technology decision-makers have some form of cyber insurance coverage today, whether it is through a standalone cyber insurance policy or endorsements attached to other business insurance policies. Without insurance coverage, the BBC estimates JLR’s business interruption costs could be £50 million ($68 million) per week.
What to do about it
Corporate collapses and government bailouts often result in legislation. Corporate accounting scandals of the 2000s in the US led to the Sarbanes-Oxley Act, for example. The UK government already banned ransomware payments by public sector companies and critical infrastructure providers in response to the string of attacks in 2025. The JLR breach underscores a hard truth: in the EU, cyber incidents at large manufacturers instantly escalate to public risk. Under NIS2 and DORA, resilience isn’t optional. All companies, even automakers, must align cross-border playbooks, enforce 24-hour incident reporting, audit third-party segmentation, and prove restore-time SLAs across both operational and financial systems. So, what should you do in the wake of this incident?
- Stop relying on outdated approaches to risk management. Static control checklists, siloed risk assessments, and one-off vendor snapshots (e.g., security ratings) significantly oversimplify risk exposure and leave organizations vulnerable to critical disruptions. In the JLR-TCS case, all three risk types collided: the breach originated in the ecosystem (TCS), cascaded into enterprise disruption (JLR operations), and triggered external (systemic) consequences (government intervention). This wasn’t just a cyber incident; it was a convergence event. Conventional risk governance (i.e., the three lines of defense) obfuscates accountability among complex supplier relationships. Instead, level up your third-party risk programs by using continuous risk management to gain a complete risk picture and prevent critical loss scenarios.
- Involve your suppliers in your next crisis simulation…and use this scenario. Regardless of whether your IT environment is in-house or outsourced, use the JLR incident and run both a technical tabletop and an executive crisis simulation with your cybersecurity incident response provider and outside counsel on ransomware events. Include key suppliers in the tabletop to understand the downstream impact. Also include crisis communications experts to craft and deliver messages to your supply chain, government entities, and media outlets.
- Assess the role of cyber insurance as a part of your risk management program. Self-insuring is an option, but requires proper internal resources. You can also combine self-insurance for smaller risks with cyber insurance for major incidents. Consider your third-party partners: large companies often require smaller ones to have coverage, but small businesses should ask bigger partners to do the same. If they lack coverage, assess the risks, add controls where possible, and consider updating contracts to address these gaps.
- Develop and implement a microsegmentation strategy. Microsegmentation allows organizations to prevent breaches by reducing attack surface, and it also limits the blast radius of the attacks it doesn’t prevent. Avoid letting perfect be the enemy of good enough. Some segmentation is better than no segmentation. Take an iterative approach to policy development and deployment that enables incremental moves to more granular policies when dealing with mission-critical systems in manufacturing.
- Remind employees…and contractors…of social engineering warning signs. JLR is just one of the many successful social engineering attempts and human-element breaches we’ve seen. And, given the trend toward targeted, multi-pronged campaigns using voice, text, email, and even deepfake audio and video, it’s important that your entire workforce knows how executives, HR, IT, Corporate Services, and all other functions will and will not interact with them. Communicate regularly as to how everyone should expect to be contacted and reward them for pausing and asking questions in the face of telltale signs of social engineering: authority, novelty, and urgency.
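To make the “some segmentation is better than no segmentation” point concrete, here is a small worked example written for this post (it is not code from JLR, TCS, or Forrester). It models a constructed plant network with an IT side and an OT side, then measures the blast radius of a single compromised host under three policies: no segmentation, a first-pass IT/OT split, and a granular allow-list of only the flows each system needs. The host names, zones, ports, and rules are all assumptions made up for illustration; the point it shows is that transitive reachability collapses a zoned network back to “everything” unless cross-zone rules are restricted to the application port rather than remote-admin protocols.

```python
"""
Added example (not from the Forrester post): model how each step toward
finer segmentation shrinks the blast radius of a single compromised host.
The inventory, zones and rules below are constructed for illustration and
do not describe JLR's or anyone else's real network.
"""
import fnmatch
from collections import deque

# Constructed inventory: host -> zone, split into IT and OT sides of a plant.
HOSTS = {
    "vendor-vpn-01": "it-remote",   # supplier remote-access landing host
    "helpdesk-ws-07": "it-corp",    # corporate workstation
    "erp-db-01": "it-erp",          # ERP database
    "mes-app-01": "ot-mes",         # manufacturing execution system
    "plc-line3-01": "ot-plc",       # line PLCs
    "plc-line4-01": "ot-plc",
    "hist-01": "ot-hist",           # process historian
}

# Ports an intruder can use to take over the next host: remote-admin
# protocols, plus Modbus because PLCs accept unauthenticated writes on it.
PIVOT_PORTS = {22, 445, 3389, 5985, 502}

# A policy is a list of (src_zone_glob, dst_zone_glob, ports) allow rules;
# ports is a set, or "*" for any port. Anything not matched is denied.
POLICY_FLAT = [("*", "*", "*")]  # no segmentation at all

POLICY_COARSE = [  # step 1: IT/OT split, but each side is still flat inside
    ("it-*", "it-*", "*"),
    ("ot-*", "ot-*", "*"),
    ("it-erp", "ot-mes", {8443}),   # ERP pushes work orders over the app port only
    ("ot-hist", "it-erp", {1433}),  # historian reports back to the ERP database
]

POLICY_GRANULAR = [  # step 2: only the flows each system actually needs
    ("it-remote", "it-corp", {3389}),  # vendor support RDPs to helpdesk workstations
    ("it-corp", "it-erp", {1433}),     # workstations query the ERP database
    ("it-erp", "ot-mes", {8443}),      # ERP pushes work orders to MES
    ("ot-mes", "ot-plc", {502}),       # MES writes recipes to line PLCs
    ("ot-hist", "ot-plc", {502}),      # historian polls the PLCs
    ("ot-hist", "it-erp", {1433}),     # historian reports to ERP
]

POLICIES = {"flat": POLICY_FLAT, "coarse": POLICY_COARSE, "granular": POLICY_GRANULAR}


def allowed_ports(policy, src_zone, dst_zone):
    """Union of ports the policy allows from src_zone to dst_zone ('*' = all)."""
    ports = set()
    for src_pat, dst_pat, rule_ports in policy:
        if fnmatch.fnmatchcase(src_zone, src_pat) and fnmatch.fnmatchcase(dst_zone, dst_pat):
            if rule_ports == "*":
                return "*"
            ports |= rule_ports
    return ports


def can_pivot(policy, src_host, dst_host):
    """True if the policy leaves a takeover protocol open from src to dst."""
    ports = allowed_ports(policy, HOSTS[src_host], HOSTS[dst_host])
    return ports == "*" or bool(ports & PIVOT_PORTS)


def blast_radius(policy, compromised):
    """Hosts an intruder starting on `compromised` can reach by pivoting (BFS)."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for host in HOSTS:
            if host not in seen and can_pivot(policy, current, host):
                seen.add(host)
                queue.append(host)
    seen.discard(compromised)
    return seen


def compare(compromised):
    """Blast-radius size under each policy for one starting host."""
    return {name: len(blast_radius(p, compromised)) for name, p in POLICIES.items()}


if __name__ == "__main__":
    # A phished workstation and a compromised MES host, under all three policies.
    for start in ("helpdesk-ws-07", "mes-app-01"):
        print(start, compare(start))
```

Running it shows a phished workstation reaching all six other hosts with no segmentation, two hosts after the IT/OT split, and none under the granular policy; a compromised MES host still reaches every OT system under the coarse policy, which is the argument for iterating toward per-system rules on the plant floor. The model is deliberately simple (an allowed takeover port equals a pivot, with no identity or process context), but it is enough to check a proposed policy for the chains of allow rules that quietly reconnect zones you thought you had separated.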
To discuss our recommendations further, reach out to schedule a Guidance Session. Better yet, come see us in person at the Forrester Security & Risk Summit, Nov. 5 – 7, in Austin for sessions on current and emerging threats, incident materiality assessment, insider incident response, securing agentic AI, and more.