Earlier this year, Qantas Airways revealed that hackers had accessed the personal data of millions of its customers. In response, the airline decided to reduce the short-term bonuses of some senior executives. While the company called this a key step toward accountability, its CEO still received a total pay package exceeding six million Australian dollars.
This move has sparked discussions in both boardrooms and the insurance industry. Insurers are questioning whether cutting executives’ pay after a cyber incident really changes how leaders manage cyber risks or if it’s just a symbolic gesture once the damage is done.
The topic has gained fresh attention in the UK, where Jaguar Land Rover was forced to halt production following another cyberattack. The carmaker, owned by Tata Motors, shut down its main plants this week and sent workers home. A hacker using the name “Rey” posted screenshots on Telegram showing internal company information and claimed responsibility. This marks the second successful breach at Jaguar Land Rover in six months.
For insurers, the Jaguar Land Rover shutdown highlights the far-reaching effects of these attacks. When production stops, it doesn’t just affect the factory—it disrupts dealers, suppliers, delivery networks, and ultimately sales. This creates tough questions for business interruption insurance, such as proving the cause of losses and measuring how much revenue was delayed versus permanently lost.
The timing couldn’t have been worse. September usually brings high sales in Britain because new car registration plates are issued, but now dealers face delays, parts orders are stuck, and customers have been told their vehicle handovers will be postponed.
The group behind the recent attack is thought to be linked to “Scattered Spider,” a known hacker collective targeting UK retailers like Marks & Spencer, the Co-op, and Harrods. Jake Moore, a cybersecurity adviser at ESET, shared with the Financial Times that these young hackers are boldly confident in avoiding capture, making the situation even tougher for victims.
This growing confidence from hackers makes the insurance business more complicated. If one intruder can bring a major manufacturer offline, the risk of widespread losses across insurance portfolios rises sharply. Reinsurers have warned that such events are exactly what cyber catastrophe models are meant to predict.
These incidents raise a difficult question: should company leaders face financial penalties when cyberattacks succeed on their watch? Some argue that linking executive pay to cyber performance puts prevention higher on the corporate agenda. Insurers agree that if executives know their pay depends on it, they might invest more in essentials like strong identity checks, patching vulnerabilities, and testing response plans.
On the other hand, critics say such pay cuts rarely change behavior in a meaningful way. One cybersecurity expert based in Hong Kong suggested that losing a few hundred thousand dollars out of a multi-million-dollar paycheck isn’t enough to alter how leaders weigh risk. Instead, sustained investment in defense is what matters most, rather than penalties after a breach has occurred.
As cyberattacks become more common, insurers face a challenge: how to reward companies that show real commitment at the highest levels and how to price coverage fairly for those treating cybersecurity as just a box to check. Insurance policies with broad coverage for accidental failures or widespread business interruption are now being tightened up.
For Jaguar Land Rover, the focus remains on getting production back up and running. But insurers and risk managers are thinking about the bigger picture: will punishing executives after the fact motivate better prevention, or will it continue to be an empty gesture once damage is done?
What’s clear is that the conversation about cyber risk is changing. Accountability now stretches beyond IT teams and reaches directly to the boardroom—and into the paychecks of top executives.