Jaguar Land Rover Cyberattack: Lessons for CISO and C-Level

A Wake-Up Call for C-Level and CISO: What the Jaguar Land Rover Cyberattack Teaches Us
The recent cyberattack on Jaguar Land Rover (JLR) has had consequences that extend well beyond immediate operational disruption. Production came to a halt, facilities were shut down, and the announced closure until October 1, 2025 has massive financial as well as operational implications. However, one detail is particularly alarming and should make many organizations sit up and take notice: reports indicate that JLR did not have a finalized cyber insurance policy in place at the time of the attack to mitigate the resulting damage.
This incident is not an isolated case but symptomatic of a growing challenge in modern enterprise risk management. The question is no longer if a cyberattack will occur, but when. And when it happens, the quality of your preparation determines whether you remain insurable, whether your policy will pay out, and how quickly you can restore operations.
Why Cyber Insurance Fails: The Three Critical Gaps
Cyber insurance is no longer a given. Insurers are continuously tightening their requirements, and many organizations fail to meet the demanded minimum standards or cannot demonstrate compliance. The JLR case exemplifies three central weaknesses:
1. Gaps in Core Controls
Insurers today require evidence of implemented and effective technical and organizational measures. These include:
- Network Segmentation: Inadequate separation of critical production systems and IT infrastructure enables attackers to move laterally through the network. Without documented segmentation, many insurers reject applications or drastically increase premiums.
- Multi-Factor Authentication (MFA) and Privileged Access Management (PAM): Missing or inadequately implemented MFA for administrative access is a knockout criterion. PAM solutions must not only be present but consistently enforced and logged.
- 24/7 Response Capacity: Organizations without an around-the-clock Security Operations Center (SOC) or comparable incident response capabilities are considered high-risk. Response time to an attack determines the extent of damage.
2. No Verifiable Evidence
Technical measures alone are insufficient. Insurers increasingly demand documented evidence of the effectiveness of your security measures:
- Recovery Tests: When was the last time you performed a complete disaster recovery? Without a documented restore report showing that your backups work and the timeframe within which you can restore systems, your claims lack credibility.
- Tabletop Exercises: Regular crisis simulations with documented protocols prove that your organization can act effectively in an emergency. From the insurer's perspective, missing documentation means: not tested, not effective.
- Measurable KPIs: Weak or missing Key Performance Indicators for cybersecurity signal insufficient maturity. Metrics such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and patch compliance rates are now standard.
3. Incorrect or Insufficient Coverage
Even when a policy exists, coverage may prove inadequate in the event of a claim:
- Sublimits for Ransomware and Business Interruption (BI): Many policies contain low sublimits for the most expensive damage categories. A multi-day production shutdown can cause costs in the millions that exceed the insured limit.
- Long Waiting Periods: The waiting period before BI coverage kicks in is often 8 to 12 hours. In complex attacks, recovery can take days or weeks, yet the first critical hours are not covered.
- High Deductibles: Six-figure deductibles are not uncommon and must be factored into risk management planning.
What to Do Now: The 4-Point Action Plan
The lessons from the JLR incident are clear. Organizations must systematically improve their cyber resilience and insurability. Here is a pragmatic action plan:
1. Close and Document Controls
- Network Segmentation: Implement strict separation between OT (Operational Technology), IT, and critical business systems. Document your segmentation strategy with network diagrams and firewall rules.
- Offline Backups with Restore Reports: Create immutable, offline or air-gapped backups of critical systems. Conduct quarterly recovery tests and document results with timestamps and success metrics.
- 24/7 Monitoring with SLAs: Establish a SOC with defined Service Level Agreements. If internal resources are lacking, use Managed Detection and Response (MDR) services. Document escalation paths and response times.
2. Test and Document Recovery Plans
- Recovery Exercises: Conduct complete disaster recovery tests at least twice annually. Simulate various attack scenarios (ransomware, data loss, system failure) and document every step.
- Define Restart Sequences: Not all systems are equally critical. Define clear priorities for restoration. Which systems must come online first for production to resume? Document dependencies and timeframes.
- Lessons Learned: After each exercise, findings must be systematically captured and integrated into processes. This documentation is highly valuable to insurers.
3. Secure Supply Chains
The JLR attack also demonstrates that supply chain security is critical. An attack on a critical supplier can paralyze your production just as much as a direct attack.
- Minimum Standards in Contracts: Define binding cybersecurity requirements for critical suppliers. Demand evidence of certifications (ISO 27001, NIS2 compliance), penetration tests, and incident response capabilities.
- Evidence from Critical Suppliers: Request regular audits and self-disclosures. Integrate supplier risks into your risk management and communication with your insurer.
- Alternative Suppliers: Develop redundancies for critical components and services. Single points of failure in the supply chain are unacceptable.
4. Renegotiate Policy with Solid Evidence
Once you have implemented and documented the above measures, you are in a strong negotiating position:
- Increase BI Limits: Realistically calculate the costs of a multi-day production shutdown (lost revenue, contractual penalties, reputational damage). Negotiate appropriate coverage amounts.
- Reduce Waiting Periods: With proven rapid response capabilities, you can negotiate shorter waiting periods.
- Review Exclusions: Read the fine print. Many policies exclude acts of war, state-sponsored hackers, or specific attack vectors. Clarify gray areas with your insurer.
- Optimize Premiums: Organizations with mature security controls and evidence receive better terms. Your documentation is negotiating leverage.
Conclusion: Don't Wait for the Emergency
The Jaguar Land Rover case is a stark wake-up call. Cyber resilience is no longer optional but business-critical. Organizations that implement, document, and regularly test their security measures protect themselves not only against attacks but also against the risk of being left without insurance coverage in the event of a claim.
The question every CISO and C-level executive must ask is: How quickly can we resume production tomorrow if an attack occurs today? If you cannot answer this question with facts, timeframes, and documented processes, it is high time to act.
Review your cyber insurance, your controls, and your recovery plans today. The next attack is certain to come. The only question is: Are you ready?
