Why JLR's £2 Billion Loss Could Change Corporate Insurance Forever

How Tata Motors-owned JLR's cyber insurance fumble turned a manageable crisis into an existential catastrophe


By Krishnadevan V

Krishnadevan is Consulting Editor at BasisPoint Insight. He has worked in the equity markets, and been a journalist at ET, AFX News, Reuters TV and Cogencis.

September 25, 2025 at 9:30 AM IST

Two British giants targeted by the same cyber hackers have vastly different outcomes. While Marks & Spencer prepares to recover over £100 million through comprehensive cyber insurance coverage after facing Scattered Spider attackers, Tata Motors’ subsidiary Jaguar Land Rover stares at a £2 billion abyss with no safety net. The difference? M&S completed its cyber protection policy negotiations. JLR did not.

This tale of corporate risk management gone catastrophically wrong exposes the gap between boardroom ignorance about cybersecurity and the brutal reality of operational risk exposure when digital defences fail.

The September 1 cyber-attack forced JLR to shut down its systems and UK factories, creating mounting losses and supply chain havoc for roughly 200,000 workers. This has sparked emergency meetings between UK government officials and struggling suppliers who fear production may not resume for several months.

The numbers tell a story of cybersecurity catastrophe that would make any CFO's blood run cold. Since September 2, JLR has haemorrhaged £50 million weekly while 33,000 employees sit idle at home. Production lines that typically churn out 1,000 luxury automotive vehicles daily stand silent, creating a supply chain disruption affecting 200,000 jobs across the UK's automotive manufacturing ecosystem.

Government ministers now contemplate unprecedented intervention, such as purchasing car components from struggling suppliers. When business continuity planning failures force government bailouts, you know the enterprise risk assessment went spectacularly wrong.

The attack coincided with the UK's “New Plate Day,” intensifying financial losses as dealers couldn't register or deliver vehicles during one of the year's biggest sales periods.

The Scattered Spider collective's campaign against British businesses reveals how sophisticated social engineering tactics by predominantly teenage hackers can cripple multinational corporations. This group, operating through voice phishing and help desk manipulation, has successfully targeted M&S, Harrods, and now JLR, demonstrating alarming consistency in breaching enterprise defences.

Their exploitation of SAP vulnerabilities and use of the Tor network for data exfiltration show technical maturity belying their youthful demographics. Tor is a free network for anonymous communication, built on free and open-source software and run over volunteer-operated relays worldwide, that makes it more difficult to trace a user's activity.

When teenagers can paralyse luxury automotive giants through simple help desk impersonation, the traditional cybersecurity assumptions about threat actor sophistication crumble completely.

Costly Cost Saving
When hackers struck, the Tata Motors subsidiary was negotiating a cyber liability insurance policy through broker Lockton. Whether JLR “declined” coverage or negotiations remained “ongoing” depends on who's telling the tale. The bottom line is that there is no cyber insurance claim for billions in losses.

But here's where the plot thickens into pure corporate catastrophe. The Financial Times reports a person close to insurance broker Lockton disputed Tata Motors' claim that insurance discussions were ongoing, saying that the Tata Motors-owned company had declined cyber-specific cover. 

If true, this transforms JLR's predicament from procurement procrastination into a deliberate decision-making disaster.

Active refusal of cyber insurance coverage against teenage threat actors with proven corporate disruption capabilities represents shortsightedness so spectacular it defies financial logic. This wasn't about timing or technicalities. It was about board-level decision-making that prioritised immediate cost savings over catastrophic risk protection from attackers already terrorising British businesses.

Meanwhile, M&S, which the same Scattered Spider attackers also hit, reportedly doubled its cyber coverage last year and expects to recover substantial losses.

JLR's cyber risk management failure creates cascading chaos far beyond its factory gates. JLR contributes 70% of Tata Motors’ revenue, bringing a UK catastrophe to its Indian parent’s doorstep.

The supply chain cyber vulnerabilities prove even more devastating. One smaller supplier laid off 40 workers, or half its workforce, while others warn of imminent collapse without government support. S&P Global's UK manufacturing survey shows the attack's economic impact on the country’s automotive industry production, highlighting how vendor risk management failures multiply through interconnected ecosystems.

In today's interconnected economy, going without comprehensive cyber coverage isn't being cost-conscious; it is corporate suicide. When teenage hackers using basic social engineering can paralyse automotive manufacturing giants, boardrooms can no longer afford to treat cyber insurance as optional.

If JLR indeed declined cyber coverage, as media reports suggest, this would transform the episode from a procurement oversight into a deliberate decision-making disaster. Conscious rejection of cyber protection against a proven threat represents fiduciary negligence that should trigger shareholder litigation. JLR's catastrophe should serve as a signal for Indian companies that cyber insurance coverage gaps aren't accounting line items.

They are a clear and present danger.