Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
As cyber threats intensify, policymakers face a growing dilemma: how to protect critical industries without rewarding negligence. The UK government’s decision last week to offer the stricken carmaker Jaguar Land Rover a £1.5bn credit guarantee will not serve as a blueprint. It is a small offering with limited risk for taxpayers. Still, when politicians decide to extend emergency support to the private sector, they should ensure it is value for money. Any lifeline ought to help avert broader economic fallout, address the cause of the crisis, and guard against creating moral hazard. In JLR’s case, these criteria appear as yet to be largely unmet.
After gaining government backing — and securing a separate £2bn funding facility from commercial banks — the Tata Motors-owned company announced last week that it would resume UK production. The carmaker shut down its operations last month following a cyber attack in late August. The automaker’s reckless lack of cyber insurance cover meant it had to burn through cash piles for several weeks and withhold payments to a sprawling domestic supply chain comprising around 200,000 workers.
For suppliers, any initial relief from the news of credit support for the company has been shortlived. There remains a lack of clarity on when some parts makers will actually be paid by JLR. On Thursday, the Confederation of British Metalforming called for further urgent support for downstream suppliers, fearing irreversible damage to the UK auto supply chain.
The failure to limit the fallout from the cyber attack is all the more egregious given that it was a mess of JLR’s own making. For years companies have been warned about the increasing sophistication of hackers, and the importance of having adequate risk controls and insurance. A spate of high-profile cyber incidents in the UK earlier this year, including breaches at Marks and Spencer and the Co-op, should have served as a warning. However, despite having had discussions with an insurance broker on whether to buy a policy, the automaker had not done so when the attack on it was launched.
There are broader questions as to why JLR, backed by the wealthy Tata conglomerate, even required government support. A company of its stature should have adequate buffers in place to deal with temporary shocks to its operations, especially in the absence of proper insurance. Indeed, the high-profile loan guarantee risks setting a dangerous precedent, signalling to other large firms that they too can forgo insurance or security investments and rely on state intervention. It could also embolden attackers.
Business secretary Peter Kyle probably saw little alternative but to offer the company a lifeline amid the political pressure. The execution has been shoddy, however. The government must now work to ensure in future that the public is not in thrall to large companies with poor cyber security.
It can start by publicly clarifying its terms with JLR. If not already stipulated, the government should be clear that it expects the company quickly to honour contracts with suppliers. It also makes sense to press the carmaker, and other systemically important companies, to take out insurance and improve their cyber risk management. To address broader complaints about the high cost and complexity of cyber insurance policies, the government could push for simplification and help the insurance market mature by backing reinsurance schemes — a preferable backstop to loan guarantees.
Cyber attacks are an ever-present danger. Governments should not be underwriting lax cyber security standards, particularly not from large companies that should have the resources to bear the cost of the clean-up. If they do, they must at least ensure those businesses are held accountable for their errors, to serve as a cautionary tale to others.