JLR cyber bailout risks dangerous precedent, watchdog warns • The Register


The UK’s cyber watchdog has warned that the government’s £1.5 billion bailout of Jaguar Land Rover (JLR) risks setting a troubling precedent for how Britain handles major cyber crises.

Speaking at an event marking the Cyber Monitoring Centre’s (CMC) first operational year, Ciaran Martin, chair of the CMC’s technical committee and a distinguished fellow at RUSI, said the government’s response to the JLR cyberattack could create longer-term problems if repeated without a clear framework.

“I think the loan guarantee is an unfortunate precedent because the government intervened in a case-specific way… without clear criteria,” Martin said. “Otherwise you’ll just end up with a series of ad hoc precedents that will leave nobody any the wiser.”

The warning comes as the country’s Ministry of Defence on Friday confirmed that the British Army will retire its Land Rover fleet after more than 70 years of service, as it looks to replace thousands of vehicles with a modern successor.

It follows a year in which the CMC has tried to put hard numbers on the financial impact of major cyber incidents on the UK economy, including the JLR attack, which it estimates cost up to £1.9 billion. Separate attacks on retailers Marks & Spencer and the Co-op were pegged at a combined £355 million.

But beyond the headline figures, the discussion highlighted a deeper problem: the widening gap between the economic damage from cyberattacks and what the insurance market can realistically absorb.

Tracy Poole, chief communications officer at Pool Re, said the cyber insurance “protection gap” could be as high as 90 percent, meaning most losses from large-scale incidents are effectively uninsured. While insurance can cover individual companies, she warned it falls short when the damage spills into supply chains and local economies.

“They can insure a company, but they can’t insure a community and the impact on the wider community,” she said.

That mismatch helps explain why governments end up stepping in when things go wrong, but Martin warned that doing it without clear rules risks sending the wrong signal. Cybersecurity, he said, is driven by how companies assess risk, and if they think the state will ride to the rescue, they may be less inclined to invest in resilience.

“It would be better to have a framework… rather than a response to events,” he said, suggesting options could include mandatory insurance, tax incentives, or some form of government-backed safety net.

Alongside the policy debate, the CMC used the event to show how its work is evolving. The organization said it is working with the Office for National Statistics to introduce post-incident business polling after widespread cyber events, and is preparing a white paper examining the UK’s exposure to cloud-related risks.

It also confirmed plans to expand beyond the UK. “We’re in the process of establishing a US cyber monitoring center,” said CMC head of operations Ruth Goodwin. The effort will start with appointing a technical committee and setting up a US legal entity closely linked to the UK operation, with live incident categorizations potentially landing in 2027.

The move reflects growing demand for clearer, standardized ways of measuring cyber damage, something that remains patchy across the industry. Martin acknowledged that while disruptive ransomware attacks are relatively straightforward to cost, the financial impact of data breaches is far harder to pin down.

That uncertainty, combined with the scale of recent incidents, suggests the UK is only just getting to grips with the true economic fallout of cyberattacks. If the JLR case is anything to go by, the question of who ultimately foots the bill is still very much up for debate. ®


