The cyber-attack on Jaguar Land Rover (JLR) in August has been widely reported on in the media.
At the time of writing, some six weeks after the initial hacking of the IT system, it is reported that JLR has only just begun to restart production on a limited basis.
The media has reported on estimated losses in the region of £50m a week, and there has been talk of government-backed furlough schemes to support affected businesses and employees.
JLR is of course only the latest company to suffer a cyber-attack. It has not been long since Marks & Spencer also fell victim to a cyber-attack in April 2025, causing widespread disruption to its operations.
As commentary on these events continues, the insurance industry has taken the opportunity to remind us that cyber cover shouldn’t be seen as a dispensable extra. The cyber-attacks mentioned above are a case in point.
It has been reported that JLR did not have insurance cover and consequently will bear all the financial impact.
Of course, cyber events can disrupt organisations of all sizes, across all industries, causing reputational damage, operational downtime, financial loss and legal action. In this article, we explain how cyber cover is designed to minimise and mitigate these risks.
Cyber cover
Cyber cover, cyber insurance, or cyber security policies are designed to protect businesses from financial losses due to cyber-attacks, data breaches and other technology-related incidents.
Most insurers will tailor the product to suit your industry and the losses it will cover, and there may be other support or services available as part of the package, such as incident response assistance and management.
Standard policies often do not cover cyber-specific risks, so it is an important consideration for any business, particularly in view of the increasing threat and sophistication of cyber-attacks.
If there is no cyber cover: Could this be a third-party fault?
If a business finds itself the victim of targeted ransomware and hacking, phishing, malware, email compromise, fraud, or data breaches (to name but a few) and it doesn’t have cyber cover, the consequences could be fatal to the business itself.
In those circumstances, the business may start looking to see where it can pin some responsibility for the lack of cover or, alternatively, cover that does not meet its needs. A placing broker might find itself in the firing line. Historically, professional negligence claims against insurance brokers were uncommon, but there has been an upturn in claims against brokers. In addition, the courts have expanded the duty of care owed by insurance brokers to their clients.
A business may look to its insurance broker to ascertain whether it failed to assess the business's demands and needs, obtain adequate cover, or provide sufficient advice on any terms and conditions of cover in place. Brokers have a duty of care to arrange suitable insurance cover and protect the interests of their clients.
If a broker has failed to arrange proper insurance, the business has lost the chance to be insured against a specific event. This could leave the broker exposed to a claim in negligence for breaching its duty of care to arrange suitable insurance cover.
Norman Hay v Marsh case study
The recent case of Norman Hay PLC v Marsh Ltd [2025] EWCA Civ 58 is an example of a case where a broker has been placed in the firing line.
The case concerns a broker’s alleged failure to obtain worldwide non-owner auto cover, resulting in claimed losses exceeding $5.5m when an employee was involved in a fatal car accident in America.
The broker, Marsh, made an application to strike out the claim at an early stage, arguing that Norman Hay could not establish it would have been legally liable - a prerequisite for indemnity under a liability policy.
However, the High Court refused to strike out the claim and the Court of Appeal upheld the High Court’s refusal. The High Court’s decision made it clear that policyholders deprived of coverage by broker negligence are entitled to recover the value of the lost chance of indemnity, not just losses that would have been indemnified as a matter of strict legal liability.
Nonetheless, the courts will take a realistic, commercial approach to assessing the likelihood of insurer indemnity.
It is clear, however, that the case has significant implications for brokers, who, as part and parcel of robust risk management, must be meticulous in identifying and arranging coverage for all relevant risks.
Conclusion
For businesses and brokers, the recently reported cyber-attacks are certainly a cautionary tale. It is clearly incumbent on both to ensure that the right cover is in place for your business.
Of course, in an evolving landscape where cyber-attacks are launched daily, businesses, insurers and brokers are dealing with an evolving beast. Nonetheless, there is clear potential for claims in negligence if cover is missing, inadequate, or has not been properly advised upon. Consider this your “malware warning.”