September 25 / 2025 / Reading Time: 4 minutes

Why JLR's £3.5bn Cyber Loss Should Change How You Budget Security

By Mark Stamford, OSec CEO


Reported today (read about it here), Jaguar Land Rover (JLR) may have to cover the full cost of its recent cyber attacks because it had no cyber insurance cover in place. Before we get too far: no, this is not about trying to convince you to buy more cyber insurance. Nor is it about convincing you to buy more cyber security products and services (if anything, you may be wondering why you should buy any at this point).

This is about a different way to think about cyber security spend. Perhaps it's time to consider what an organization can't do after a situation like this.

What’s the opportunity cost?

How cybersecurity spend happens now

Most cyber security spending tends to be the result of one or more of the following analyses:

  • How much do we need to spend to do the minimum to meet compliance requirements?
  • How much should we spend to cover some initiatives we have around cyber?
  • How much do we need to spend to respond to an incident? (Usually the worst option, as it means the highest cost.)

And finally,

  • How much do we spend, given that we don’t want to spend anything?

The first option is what drives much of today's cybersecurity decision making. "We need to meet this regulation, or this standard - ok - what do we need to do?" This option usually leads to minimal spending, which tends to miss the forest for the trees. Compliance requirements don't actually know your business. They have some ideas about what you do, but your organization is unique, and there are likely to be large areas of risk that are not addressed by your compliance spend.

The second option is more proactive. Organizations come up with security initiatives they believe will help the business be more secure, allocate budget to them, and then proceed with execution (it seems that about half the time these get reduced due to budget changes, but at least the thinking is in the right place).

The third is always the most costly. Incident response is an extremely lucrative area - your house is on fire? You want some water? Ok, but it's going to cost you. Costs quickly escalate and usually lead to large increases in budget. I have seen CISOs sign multi-million dollar contracts for a tool because they had no choice during an incident. There then follows a period of continuing spend (usually including a new CISO) during which security is first and foremost. Naturally, over time this subsides and spending returns to options 1 and 2.

Option four may actually be the most prevalent. This is not a bad thing: the return on cyber security spend (the mythical "ROI") is mostly theoretical and rarely accurate. How can you tell how much something saves you, if its job is to prevent bad things from happening and you don't know how many bad things could have happened? Besides which, EVERYONE KEEPS HAVING SECURITY BREACHES.

Also the main goal of a commercial organization is to make money, so spending any of it on something that may have no value, or a value that can’t be measured, is a questionable decision. And questionable decisions are often career limiting.

A better way?

All of these options have been used for so long that at this point it seems like there is no alternative. But what if, instead of positioning cybersecurity as an endless cost for little return, or measuring it against some vague notion of what could happen, we focused on what a lack of spend will cost the business? In other words: what is the opportunity cost of not spending on cyber?

Put it squarely in terms of what the business now cannot do. JLR is reportedly facing a revenue hit of £3.5bn ($4.7bn), which it won't be able to recover because it didn't have cyber insurance when this happened. In 2024 total revenue was £29bn ($39bn), which means this incident has cost them 12% of annual revenue.

What could they have done with that revenue? According to this analysis, JLR retail volumes were up in 2024 and into 2025 in a fairly competitive market. Now marketing has less to spend, R&D has less to spend, hiring less, sales less, and so on. How much will that impact revenue in 2025, 2026 and beyond? This is the real cost of getting cybersecurity wrong.

What does this mean in the real world? Let's start with a simple example. You run a coffee shop which you budget $1,000/month to run. Without $50 spent on security, someone steals your $3,000 coffee machine. Now you can't operate for 3 months.

Moving to cyber: you budget $100k/month to run your business. Without $10k in security spend, an attack costs you $300k. Now you can't execute your plans for 3 months.

As a simple decision tool to start with:

  Our planned spending:                 $ _____
  If breached:
    - Minimum likely cost (3x):         $ _____
    - Maximum likely cost (10x):        $ _____
  This equals:
    [   ] Our entire annual budget
    [   ] Multiple years of growth spending
    [   ] All discretionary spending for ___ years

  Therefore, spending $_____ on security protects our ability to do business as planned.

Obviously these are simplified examples and reality is more complex. But start by assuming a data breach will cost 5-10x the affected department's budget, ransomware 3-5x monthly operating costs, email compromise 2-4x quarterly discretionary spending, and a website hack 2-3x your annual marketing budget.

How much should this spend be? Start with 5-10% of what you're investing in growth, to ensure you can actually execute on it. This ties your security spend directly to protecting your business investments, rather than to an arbitrary percentage of IT budget, a knee-jerk reaction, or some other decision that isn't business focused.
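The decision tool and the rules of thumb above fit in a few lines of code, which makes them easier to rerun as budgets change than a form filled in once. The calculator below is an added example written for this article, not a tool from OSec; the multipliers and the 5-10% of growth figure are the ones stated above, while the Budget field names and the sample figures are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Rules of thumb from the article: (line item the multiple applies to, low multiple, high multiple).
LOSS_MULTIPLIERS = {
    "data_breach":      ("department_budget",       5, 10),
    "ransomware":       ("monthly_operating_cost",  3, 5),
    "email_compromise": ("quarterly_discretionary", 2, 4),
    "website_hack":     ("annual_marketing",        2, 3),
}

# The article's starting point for security spend: 5-10% of growth investment.
SECURITY_SHARE_OF_GROWTH = (0.05, 0.10)


@dataclass(frozen=True)
class Budget:
    """Annual figures unless the name says otherwise. Field names are assumptions for this example."""
    annual_budget: float            # everything the business plans to spend this year
    growth_spending: float          # R&D, marketing, hiring: the investments a loss would defer
    discretionary_spending: float   # spend that can be cut without stopping operations
    department_budget: float        # budget of the department a data breach would hit
    monthly_operating_cost: float   # what it costs to keep the lights on for a month
    annual_marketing: float

    @property
    def quarterly_discretionary(self) -> float:
        return self.discretionary_spending / 4


def breach_cost_range(budget: Budget, incident: str) -> tuple[float, float]:
    """Minimum and maximum likely cost of `incident`, using the article's multipliers."""
    line_item, low, high = LOSS_MULTIPLIERS[incident]
    base = getattr(budget, line_item)
    return base * low, base * high


def opportunity_cost(budget: Budget, loss: float) -> dict[str, float]:
    """Express a loss as what the business can no longer do (the worksheet's three checkboxes)."""
    return {
        "share_of_annual_budget": loss / budget.annual_budget,
        "years_of_growth_spending": loss / budget.growth_spending,
        "years_of_discretionary_spending": loss / budget.discretionary_spending,
    }


def recommended_security_spend(budget: Budget) -> tuple[float, float]:
    """5-10% of growth investment, per the article."""
    low, high = SECURITY_SHARE_OF_GROWTH
    return budget.growth_spending * low, budget.growth_spending * high


def worksheet(budget: Budget, incident: str) -> dict:
    """Fill in the decision tool for one incident type; the checkboxes use the worst case."""
    low, high = breach_cost_range(budget, incident)
    impact = opportunity_cost(budget, high)
    spend_low, spend_high = recommended_security_spend(budget)
    return {
        "incident": incident,
        "min_likely_cost": low,
        "max_likely_cost": high,
        "wipes_out_annual_budget": impact["share_of_annual_budget"] >= 1.0,
        "years_of_growth_spending_lost": round(impact["years_of_growth_spending"], 2),
        "years_of_discretionary_spending_lost": round(impact["years_of_discretionary_spending"], 2),
        "security_spend_range": (spend_low, spend_high),
        # Cheapest plausible loss against the most generous recommended spend:
        # how many times over the protection pays for itself in a single incident.
        "loss_to_spend_ratio": round(low / spend_high, 1),
    }


if __name__ == "__main__":
    # Constructed figures for a mid-sized business; not taken from the article or from JLR.
    example = Budget(
        annual_budget=1_200_000,
        growth_spending=300_000,
        discretionary_spending=400_000,
        department_budget=200_000,
        monthly_operating_cost=100_000,
        annual_marketing=150_000,
    )
    for name in LOSS_MULTIPLIERS:
        row = worksheet(example, name)
        print(f"{row['incident']:<17} ${row['min_likely_cost']:>10,.0f} - ${row['max_likely_cost']:>10,.0f}"
              f"  growth years lost: {row['years_of_growth_spending_lost']:>5}"
              f"  annual budget wiped: {row['wipes_out_annual_budget']}")
```

With the sample figures, a data breach at the high end (10x a $200k department budget) exceeds the whole $1.2M annual budget and costs nearly seven years of growth spending, while the recommended security spend is $15k-$30k. That ratio, not an abstract ROI, is the argument to put in front of the board.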

The question then is what to spend that budget on. That is a story for another time, but putting all your eggs in the detection basket is clearly not the right idea.
