Inside the cyber gap: Why major UK firms are still underinsured and unprepared

How weak cyber strategies at Jaguar Land Rover and M&S signal broader systemic exposure

By Bryony Garlick

In a recent interview, Joanna Grant, managing partner at Fenchurch Law, laid out why high-profile failures at organisations such as Jaguar Land Rover and Marks & Spencer are more than headline-making glitches - they point to deeper issues of governance, supply-chain vulnerability and insurance mismatch. Grant brings a policyholder-side view to the evolving cyber-risk and insurance landscape.

Fenchurch Law has seen a rising number of cyber and technology-related claims. Grant, who leads the firm's UK operations and sits at the helm of its construction & property risks team, said cyber now stands alongside climate change as a key frontier for insurance disputes.  

"Cyber is a particularly interesting example of where it's important that the policyholders have the cover they need and that it responds as everybody would want it to in the event of an insured event," she said. "There are a lot of lessons, particularly from cyber, as to what policyholders need to be doing to protect themselves so that when that cyberattack hits or there's a system outage, they're as prepared as they can be to respond accordingly."  

Corporate oversights laid bare  

The Jaguar Land Rover and M&S cyber incidents have sparked debate in both insurance and legal circles. According to Grant, they reveal that many major organisations are simply not ready, and in very different ways.  

"Jaguar Land Rover was interesting because they didn't have insurance in place and that seems, to many, to be surprising," said Grant. "One would have expected an organisation of that size and sophistication to have its ducks in a row." She notes the cyberattack that affected the car manufacturer may not have resulted from a conscious decision to self-insure, but rather a missed step in risk management.  

M&S, by contrast, had cover in place, but Grant believes the event exposed a different vulnerability. "The losses were far in excess of the policy limits," she said. "Boards have been tending to underestimate both how long it can take to get things up and running again, and also what the scale of the losses can be."  

These cases, she said, are a wake-up call for directors and risk managers alike. Cyber insurance is no longer a niche cover. It must be matched to operational risk and reviewed regularly to keep pace with emerging threats.  

Supply-chain exposure often overlooked  

As cyberattacks become more complex, the impact on supply chains is now front and centre. Grant points out that half of all cyber incidents now stem from third-party vulnerabilities.  

"There is a tendency perhaps, or has been historically a tendency, for companies to focus on their own cyber defences," she said. "But if either one of its suppliers is taken out … you're going to be sitting there with a product that you can't move and for which you don't have another buyer."  

The fallout from the Jaguar Land Rover incident included major disruption to its manufacturing network, driven in part by supply-side vulnerabilities. Grant warns that the fragility of third-party systems must now be treated as a core risk and planned for accordingly, both operationally and in terms of insurance.  

Policy gaps and D&O misalignment  

Despite years of awareness-raising, many companies still fail to understand what their cyber policies actually cover. System outages, indirect losses and supply-chain failures remain grey areas in many wordings.  

"We saw this 100% with COVID-19 in the business interruption claims," Grant said. "Companies understandably thought, well, I've got my business interruption insurance, and now my business has been interrupted, so why isn't my policy responding?"  

The same logic failure persists in cyber. Grant notes that while basic malware coverage is now better understood, confusion often surrounds non-malicious outages and the degree to which business continuity failures are covered.  

Another key risk area is directors' and officers' (D&O) exposure. Grant warns that if boards are not taking proactive steps, they could be exposed to claims alleging insufficient preparedness.  

"There is an expectation of how boards will be performing and are going to be required to be able to demonstrate their performance," she said. "They will be expecting them to have taken the appropriate steps to have the right cover in place."  

She cites a Willis report which outlines the four Rs boards often misjudge: revenue downtime, reputation, resilience (the actual testing of controls) and regulation (evidence of compliance). In each case, regulators and insurers alike are looking for more than statements of intent.  

A shift in accountability, not just indemnity  

Grant suggests that as threats become more sophisticated and recovery times lengthen, the industry must move beyond a "pay-when-bad-thing-happens" model. Cyber insurance, she argues, must become part of the board's active governance agenda, not a passive technical purchase.  

"This is no longer something for your IT department," she said. "For any company, this is front and centre to understanding the risk that the company faces … it's a matter for the board of every company."  

That shift presents both a challenge and an opportunity for brokers. It means going beyond traditional placement advice and supporting clients in understanding what readiness actually looks like. That includes tested response plans, clear documentation protocols, D&O alignment, realistic recovery timelines and loss expectations.  

The next major cyber claim won't just test the fine print of the policy; it may test the credibility of the board's entire risk strategy.
