Jaguar Land Rover’s £2 billion cyber shock is a wake-up call for boards obsessed with AI adoption
Cyber threats aren’t just IT headaches—they can shutter factories, sink valuations and destabilize markets. Yet, too many Indian boards treat them as compliance chores. Without stronger oversight and insurance, a single cyber breach could potentially knock a company down.
As reported, a cyberattack has pushed Jaguar Land Rover (JLR) into a crisis that strikes at the heart of corporate resilience. The attack silenced production lines, leaving 33,000 employees idle, and threw its global supply chain into turmoil.
The Tata-owned firm had been negotiating an insurance policy but had not secured it when the breach occurred. If the disruption ultimately costs £2 billion, as estimated, it will surpass JLR’s profit after tax for 2025. As JLR generates nearly 70% of Tata Motors’ consolidated revenue, the news took little time to reach the Indian stock market.
Cyberattacks are common across industries. What is striking about this case is that one of the world’s top automakers, with global reach and deep resources, got so severely destabilized. If this is the vulnerability of a global brand, Indian companies with leaner buffers may be at greater risk.
Too many Indian boards still view cyber threats as operational details, delegated to the CIO or relegated to compliance reports. Yet, cyber risk is an enterprise-level threat that could close factories, compromise financial systems, disrupt customer access and trigger regulatory penalties.
In its most extreme form, it can drive a solvent company into insolvency. For company directors, cyber oversight is a part of their fiduciary duty, and neglecting it is the equivalent of ignoring any other foreseeable risk.
India has seen many similar episodes. Major firms in our pharma, IT services and automobile sectors have endured ransomware attacks that froze operations for weeks and inflicted losses running into hundreds of crores. These incidents did not always dominate the news, but their scale and cost are well understood within industry circles.
Regulatory expectations are also evolving rapidly. The Reserve Bank of India has mandated cyber frameworks and incident reporting for its regulated entities. The Securities and Exchange Board of India has tightened disclosure rules for market infrastructure institutions. The Digital Personal Data Protection Act gives the data regulator the power to impose huge penalties for data exposure. Cyber resilience is being treated as an essential element of systemic stability.
Investors are moving in parallel. Proxy advisory firms are yet to start highlighting boards that visibly lack cyber-safety oversight. Rating agencies and global funds now assess cyber preparedness as part of governance quality, but not as rigorously as they check other risks. Companies that fail to meet resilience expectations could face valuation discounts, investor activism and potentially even shareholder litigation.
The responsibility of boards is clear. They must establish formal frameworks for cyber governance. Without these, directors expose themselves on three fronts. They fail in their fiduciary duty by ignoring foreseeable risks. They undermine enterprise resilience by leaving operations vulnerable to paralysis and liquidity stress. And they weaken market credibility, since investors and regulators now expect the assurance that cyber risks have been taken care of.
Boards must also treat insurance as a strategic necessity. No responsible director would leave factories, fleets or critical physical assets without cover. Yet, many still leave their digital backbone under-insured, despite its key role in a modern business. Insurance cannot prevent an attack, but it can stop one from turning into an existential crisis. Insurers examine governance maturity, vendor oversight, incident response and recovery planning.
Directors must demand sharper answers from the business’s management. Do we know the exclusions in our policies? Do we know what layers remain uninsured? Have we tested whether a claim would actually be honoured? Do we have estimates of the maximum probable loss if systems shut down for weeks?
A broader policy debate is unavoidable. Should cyber insurance be mandatory above a certain scale for listed entities? For banks and other such institutions, the answer is obvious, given their custodianship of public trust and deposits. But the JLR case shows that systemic risk exists across sectors. Large listed corporations employ vast workforces, anchor supply chains and shape investor sentiment. Uninsured breaches could destabilize markets.
India should therefore consider a phased mandate that requires listed companies to disclose their cyber frameworks, with minimum insurance coverage norms subject to regulatory scrutiny. Such vulnerabilities cannot be ignored in a market where millions of retail investors place their savings in listed companies with the expectation of sound governance. Leaving these investors exposed to unchecked cyber risks is no different from failing to safeguard public monies held by banks.
This will raise costs. But the cost of neglect is far greater. One uninsured breach can erase hard-won brand equity, invite regulatory penalties, fracture consumer trust and spark investor flight. Boards will be judged on whether they had the foresight to build cyber resilience. It is a test of governance, leadership and accountability.
Right now, Indian boardrooms seem captivated by a race to show artificial intelligence (AI) adoption as a marker of ambition and driver of value creation. Yet, while entities chase AI, their more urgent task is to secure their digital backbone. A company that cannot survive a breach cannot credibly claim to be future-ready on technology.
The author is a corporate advisor and independent director on boards.
