On Message: JLR’s Cyber Breach is a £1.9bn Lesson in Boardroom Readiness

29 October 2025


EVERY October since 2004 has been deemed Cybersecurity Awareness Month by governments around the world.

You hardly need to raise awareness this year, though, after the landmark breach at Jaguar Land Rover. The five-week total shutdown affected not only JLR, but its entire supply chain – costing an estimated £1.9bn. Monthly UK car production fell by 27.9% as a result. The UK made the lowest total of cars since 1952, including during Covid – it was that bad.  

JLR is returning to normal, but the fallout will continue to be felt well into next year. An episode such as this is frequently described as a ‘wake-up call’. In this instance, use of the description is no exaggeration. It really is.  

Thousands of workers laid off, questions in parliament, a taxpayer-funded bailout and a company that was not insured but thought its security was adequate, and suppliers and service providers who were unprotected, caught unawares and engulfed in the maelstrom. Theirs is a globalised, inter-linked business, dependent on tight, sensitive lines. When they broke, the whole pyramid teetered.

If they weren’t before, companies, all companies, need to be fully alert to the dangers. Operationally, they can recover and the financial harm can be repaired. But comms-wise, the brand reputational risk could last far longer and ultimately be more damaging. You need a comms plan that works, you must know what to do, everyone must be familiar with what is required of them, it must be instantly usable and you need it now. 

As JLR graphically illustrates, cyber resilience is not simply a technical matter, to be left to the IT department. It’s a boardroom, strategic priority requiring buy-in right across the organisation. Board members and management must be cyber-alert, they have to be cyber-literate, accessing and familiarising themselves with the latest advice and expertise.  

Preparedness Is Power, Generic Plans Fail, and One Message Doesn’t Fit All 

You need a 72-hour incident response plan that is repeatedly and thoroughly stress-tested. Stakeholders, police, lawyers, media, regulators, bankers, markets - all require briefing. Who says what and when is critical. That means running company-wide exercises and rehearsals so everybody knows what they have to do and is fully aware of their roles and leadership responsibilities. No ifs and buts, no pauses and hesitation. Yes, it may never happen, and the hope is that it does not, but JLR and countless others everywhere, many of them also involving equally smart, well-run, tech-savvy businesses, show it might and what may result.

Treat the likelihood of a breach as a question of when, not if. Allocate the same senior management status and take the identical approach as you would to any existential threat. Complacency is the enemy here - forewarned really is forearmed.  

Think outside the purely defensive mindset that tends to focus on prevention; commit to readiness. As JLR and recent attacks involving retailers highlight, the scope for harm is far wider than loss of data. That’s one thing and it’s serious enough, but they had to deal with prolonged disruption of their whole business.  

Having a generic, off-the-shelf comms solution will not suffice. Each company is different, so is each cyber-penetration. Holding statements have a short shelf-life. There are too many questions, too many consequences, known and unknown, to be addressed.  

Every audience is unique and must be carefully handled. Likewise, stakeholder relationships. It may be possible to treat them as a group but there may be a case for treating them individually. Some might be technical, and well-versed in technical language; others may not. How you speak to them, while all the time remaining within the boundaries of compliance, is vital. Practise, practise, practise. Imagine all scenarios and work out how best to tackle them.

Remember, one slip, one unguarded comment, could be costly. Only say what you know to be true – nothing else will suffice. Speculation is your enemy. Anything you say will come back to haunt you and you will be held accountable. Don’t offer hostages to fortune. Journalists will be seeking answers, so will customers, partners, staff, shareholders. External and internal comms, legal and regulatory requirements – they must all function in tandem, as one. That means combining and working closely together.  

If all this sounds terrifying, that’s because it is – but it need not be. Taking precautions, being cyber-alert, cyber-ready, provides the blueprint and the confidence to confront and mitigate the crisis. It’s a nightmare but you can and will get through it. 

Resilience Through Readiness  

It’s about ensuring effective board leadership so members receive proper cybersecurity training; devising a comms strategy that addresses interlocking risks; clearly understanding the legal and regulatory obligations; understanding data exposure and tightening security; how to manage stakeholders in the following days, weeks, months; readying for different scenarios and having templates to hand; and implementing an effective command structure. It’s about securing resilience through readiness. It means getting it right.  

Sodali & Co and its specialist team will help. They are well-versed in dealing with cyber comms. They know what scores and what will backfire. They advise on how to prepare and get ahead, to be ready and armed.  

Summary

Jaguar Land Rover’s five-week shutdown exposed the catastrophic cost of cyber complacency. Beyond IT fixes, reputational damage lingers. Boards must lead, comms must be watertight, and readiness must be relentless—because the next breach is inevitable. 

Author

Chris Blackhurst


Former Editor and Strategic Communications Adviser
