JLR cyberattack holds lessons for CFOs on preparedness and response

The September cyberattack on Jaguar Land Rover (JLR) is just the latest reminder of how severe and widespread damages from a cyber incident can get. (As if last year’s CrowdStrike outage wasn’t enough.) JLR CFO Richard Molyneux told reporters the incident was “like nothing else I’ve experienced.”

Disruptive and costly data breaches like JLR’s show that cybersecurity is an issue that goes beyond the IT department, according to Felicia Gallagher, a fractional CFO and the founder and CEO of ThreeStone Solutions. She told CFO Brew that “it’s really a financial resilience issue, because you have to protect the revenue, you have to protect the cash flow, and keep operations under pressure.”

Gallagher drew this conclusion from direct experience. She was working in finance at a national food and beverage distributor that sustained a ransomware attack in May 2018 that sidelined operations for a day and a half.

What happened across the pond: JLR’s breach was bad enough that the company halted operations until early October. The British carmaker said the incident cost it $258 million and was a primary culprit behind the $736 million loss in its most recent quarter.

But the impacts weren’t limited to JLR’s financial statements. The Cyber Monitoring Centre estimated the incident “caused a UK financial impact of £1.9 billion and affected over 5,000 UK” companies. JLR shutting down its assembly lines impacted the companies, “many of them small and financially fragile,” that supply the automaker with parts, the WSJ reported.

The JLR incident, together with sluggish growth in exports to the US, caused weaker than anticipated UK headline GDP growth in Q3, the Bank of England recently noted.

The JLR cyberattack and other incidents, like last year’s ransomware attacks on third-party vendors Change Healthcare and CDK Global, demonstrate the ripple effects an outage at one company can have on others, including customers, vendors, and suppliers, according to Mario Paez, national cyber risk leader at Marsh McLennan Agency.

“When I hear of these events, it’s not necessarily a surprise, and those are conversations that we have with clients every day, around increasing awareness around that interconnectedness,” Paez told us.

Lessons for those at home: Gallagher said that, when thinking about cybersecurity risks, many leaders focus on response and recovery. Her ransomware experience taught her something else: “The goal is really readiness.” In other words, an organization should know how it will keep things running during an incident.

At the time, her company had about 160,000 customers and was performing about 30,000 deliveries each week. The consequences of an outage, even for just a few hours, could be “severe” for the business itself and its customers, impacting operations, revenue, and cash flow, according to Gallagher.

The ransomware attack came from some malware embedded in the company’s systems. Once the attack commenced, “everything stopped at once,” Gallagher said. “Literally every function—billing, dispatch, even deliveries—everything shut down for a day and a half.” The impact was $10.5 million in delayed cash and roughly $250,000 in net unrecoverable costs, she said.

After the incident, the company moved from physical servers to a cloud-based server, went from weekly to daily backups, and tightened up its user access controls. It also started performing outage simulations twice a year, when it would temporarily shut down its systems and switch to manual processes, Gallagher said.

“That [ransomware incident] really shifted our mindset” to one where “we’ve got to make sure that if something like this happens again, because it’s probably inevitable, how are we going to make sure that we’re ready?”

Organizations that are worried about outages to a vendor or supplier can mitigate that risk through third-party business interruption insurance, Paez said. He added that not all organizations, especially smaller ones, are aware that’s an option.

“Our discussion with clients has been around availability of coverage and customizing that coverage to know which critical vendors they need to be conscious and aware of that could cause an outage, and do [they] have readily available and large enough coverage limits to respond?” he said.

CFO at the center: The CFO has a key role to play in cyber preparedness and response, according to Gallagher. She described herself as the “engine” of a vehicle and the IT team as the fuel during her organization’s incident.

“I was leading the efforts from a risk management perspective, getting everyone together, keeping everyone calm and coming up with a game plan, project-managing everything, and giving everyone action items,” she said, “and then working with IT to see where they were every step of the way so that I could provide updates to our parent company at the time.”