Jaguar Land Rover Cyberattack

Commons Urgent Question

The following Answer to an Urgent Question was given in the House of Commons on Tuesday 9 September.

“I fully recognise the anxiety and deep concern that employees at Jaguar Land Rover and across the supply chain will be feeling. The Government and the National Cyber Security Centre will do everything in our power to help resolve this as soon as possible. We are engaging with JLR on a daily basis to understand the challenges that the company and its suppliers are facing, and we are monitoring the situation closely. I have spoken to the company myself, and I will have a further meeting with the chief executive officer later this week. I understand that the company has also invited local MPs to a question and answer session this Friday.

The National Cyber Security Centre has been working with Jaguar Land Rover since last Wednesday to provide support in relation to the incident. I am sorry that there is a limit to what I can say on the specifics because I do not want to prejudice the ongoing investigations.

The cybersecurity of the UK, however, is a key priority for the Government—crucial to protecting the public, our way of life and the successful growing economy. We have been taking significant action to help protect businesses against cyberattacks. We are reducing cyber risk across the economy by making technology more secure by design. That includes the Product Security and Telecommunications Infrastructure Act 2022, introduced by the previous Government, which requires manufacturers to build security into the manufacture and operation of internet-connected devices; the software security code of practice, which sets out how vendors and developers should make their software more secure; and the AI cybersecurity code of practice, which sets out how AI developers should design and operate AI systems securely.

We are also providing businesses with the tools, advice and support to protect themselves from cyberthreats. That includes the cyber governance code of practice, which shows boards and directors how to effectively manage the digital risks to their organisations; the highly effective cyber essentials scheme to prevent common attacks, reducing the likelihood of a cyber insurance claim by 92%; and a wide range of free tools and support from the National Cyber Security Centre, including training for boards and staff, the “Check Your Cyber Security” tools to test IT systems for vulnerabilities, and the early warning system to get notified about cyberthreats to networks. I urge all businesses to take up these tools and improve their cyber defences.

It is not for me to announce future business of the House, but when parliamentary time allows the Government will introduce the cybersecurity and resilience Bill to raise cybersecurity standards in critical and essential services, such as energy, water and the NHS.”

My Lords, as the nature of the threat that we face is evolving and the lines between hostile actors are blurred, do the Government have any plans to centralise verification and procurement approval, so that the best available commercial solutions designed to be able to tackle, investigate, monitor and counter cyberthreats and, indeed, critical tools such as secure messaging, can be delivered to the various agencies that need them without the need for the usual lengthy processes?

My Lords, before I respond to the noble Lord’s question, I take this opportunity to thank my noble friend Lady Jones of Whitchurch for her sterling worth as a Minister in this House. I am sure that all noble Lords will thank her for her performance at this Dispatch Box and her support to all Members across the House. I am sure that we will hear many more of her contributions from the Back Benches.

The new Commercial Digital Centre of Excellence for the UK central Government will substantially improve service delivery, enhance user satisfaction and drive efficiency, leveraging new procurement regulations. The provision of cybersecurity services is a part of this vision. In addition, through the Crown Commercial Service’s Cyber Security Services 3 agreement, we provide an official streamlined route to market for National Cyber Security Centre-assured services. I also need to say that the Government are working tirelessly to improve the cyber resilience of government systems, basing our efforts around the Government’s cybersecurity strategy. We have made important steps in understanding and mitigating cyber risks. We are now implementing a more interventionist approach to public sector cyber resilience to address key risks and better support departments.

My Lords, some 40% of companies in the UK reported last year that they had faced some sort of cyberattack. High-profile attacks such as those on JLR, Marks & Spencer and the British Museum are just the tip of the iceberg. In the Commons, the Minister referred to legislation. Can the noble Lord confirm when the cyber Bill will appear? What methodology might the cyber Bill use to solve this? The Minister implied that this legislation would seek to cause businesses to try harder. The protagonists of this crime are not state-sponsored, but they are tolerated and supported by the regimes in which they exist and they are part of the asymmetric war that this country faces. Of course business has to defend itself, and the Minister has outlined what the Government are doing now, but it is quite clear that that is not enough. What will the Government do that is different from what they are doing now to defend ourselves from this ever- growing problem?

My Lords, the noble Lord made a couple of interesting points, which are crucial, and I will try to address them. Cybersecurity of the UK is a key priority for this Government. It is crucial to protect public services, the public, our way of life and a successful, growing economy. We have been taking significant action to help protect business from cyber- attacks.

We are also providing businesses with the tools, advice and support to protect themselves from cyberthreats, including the Cyber Governance Code of Practice, which shows boards and directors how to effectively manage the digital risk to their organisation. The highly effective cyber essentials scheme prevents common attacks and reduces the likelihood of a cyber insurance claim by 92%. Before I was invited to be a part of the Government, when I ran my businesses I ensured that they all had a cyber essentials certificate. That is the basic requirement that you need to have. At the same time, businesses need to protect themselves by having sufficient cybersecurity insurance. There are a wide range of tools and support from the National Cyber Security Centre including training for boards and staff and an early warning system to get notified about cyberthreats to networks.

When parliamentary time allows, this Government will introduce the cybersecurity and resilience Bill to raise cybersecurity standards in critical and essential services such as energy, water and the NHS.

My Lords, does the Minister have any information about how many companies are paying ransom demands? To what extent do the Government deal with insurance companies, advising them whether to pay ransoms or not pay them?

I thank the noble Baroness for that. I am sure that most noble Lords will appreciate that it would not be appropriate for me to comment on any ongoing incidents. However, the Computer Misuse Act continues to enable the prosecution of those who have undertaken unauthorised access to computer systems for a range of malicious reasons including crime and espionage. The Government are in the process of reviewing the Act and the Home Office will provide an update on further proposals once they are finalised. In recent years, the Government’s policy has focused on supporting the insurance industry, to strengthen and grow the commercial cyber insurance market. Pool Reassurance, or Pool Re, was created to ensure the effective functioning of the UK’s terrorism insurance market. The Government do not have any plans to extend Pool Re’s remit to include further cyber-related risks.

My Lords, the scale, sophistication and sources of cyberattacks are increasing exponentially. To that end, I ask again: when will the Government introduce the cybersecurity and resilience Bill? Will it be this autumn? When that Bill arrives, will it contain provisions for the wholesale reform of the Computer Misuse Act to enable our cyber professionals to do what they do best, which is protect this country and protect us as citizens?

My Lords, perhaps the noble Lord did not hear my last answer. Tackling cyberthreats and improving our national cyber defences is a priority for this Government. As I mentioned, when parliamentary time allows, the Government will introduce the cybersecurity and resilience Bill to raise cybersecurity standards in critical infrastructure and essential services such as water, energy and the NHS and, I am told, food security.

My Lords, on Monday the All-Party Parliamentary Group on Artificial Intelligence heard a striking presentation from the Polish Minister for defence and cybersecurity, who talked about the joined-up thinking his nation has developed on defence and commercial attacks of this kind. I ask the Minister what the Government are doing to join up thinking in defence and industry, in terms of cyber- attacks. In light of the Government’s promotion of artificial intelligence, do they consider that this increases the risk of cyberattacks of this kind? What steps are the Government taking to advocate responsible and cautious adoption of AI to mitigate this risk?

I thank the right reverend Prelate for that question. In 2024, the National Cyber Security Centre managed hundreds of incidents, 89 of which were nationally significant attacks. In 2025, the cybersecurity breaches survey shows that just less than half of businesses, about 43%, and around one-third of charities, about 30%, reported having experienced a cybersecurity breach or attack in the past 12 months. Cyberattacks do not happen just to big companies; they attack every company, all sizes and all types, and we have to be vigilant on that. The Government see the UK cybersecurity sector as a driving force in widening opportunities for our citizens. We have to ensure that this is protected. The Government have a plan and are working across departments putting a Bill together and we hope that parliamentary time will allow us to bring it forward.

My Lords, I express my appreciation of the work of the noble Baroness, Lady Jones, which the Minister mentioned, and I wish her well in her non-ministerial capacity. Given reports that the attack has been claimed by hacker groups linked to Scattered Spider, which I believe is also responsible for recent attacks on UK retailers, including Marks & Spencer, what enhanced intelligence-sharing mechanisms are the Government establishing between business sectors to prevent co-ordinated attacks by the same threat actors?

My Lords, I am sure that the noble Lord will appreciate that there is only so much I can say about what the Government are doing, but I assure him that the Government are speaking to businesses of all types through various business organisations. The National Cyber Security Centre is working with businesses. It has previously worked with M&S and the Co-op and is now working with JLR to provide support in relation to whatever incidents have happened, including the current incident. As I said, we cannot comment further on specifics at this stage, including with regard to potential perpetrators. The National Crime Agency has warned of a rise in teenage boys being drawn into online criminal communities and is co-ordinating responses to online harm networks across the United Kingdom.