
    C-suite at major airline get bonus cut because of cyberattack

    C-suite at major airline get bonus cut because of cyberattack | Insurance Business America

    Will executive pay cuts force clients to rethink cyber preparedness?





    When Qantas Airways acknowledged earlier this year that hackers had accessed the personal information of millions of customers, the Australian carrier responded by trimming senior executives’ short-term bonuses. The airline called the move “an important accountability step” – even as its chief executive still received more than six million Australian dollars in total compensation.

    The decision, though modest in financial impact, has drawn attention across boardrooms and underwriting circles alike. For the insurance industry, the crucial question is whether such financial penalties can truly change how leaders approach cyber resilience – or whether they risk being seen as gestures after the fact.

    That debate has been reignited in Britain, where Jaguar Land Rover has again been forced to suspend production in the wake of a cyber incident. The carmaker, owned by Tata Motors, shut down systems this week, halting assembly at its main plants and sending employees home. A hacker calling himself “Rey” posted screenshots on Telegram that appeared to show internal company data, claiming responsibility for what would be the second successful breach in six months.

    For insurers, the operational shock at Jaguar Land Rover illustrates the scale of potential exposure. Production stoppages ripple beyond factory gates, affecting dealers, suppliers, logistics networks and ultimately sales. The implications for business interruption coverage are acute: proving causation, quantifying deferred revenues, and distinguishing them from permanent losses will shape any future claim.

    The timing could hardly be worse. September typically marks a busy sales month in Britain, when new registration plates are released. Instead, dealers have faced delays, parts orders have stalled, and customers have been told handovers will be postponed.

    The group linked to the latest breach is believed to overlap with so-called “Scattered Spider,” an English-speaking collective accused of disruptive attacks on retailers including Marks & Spencer, the Co-op and Harrods. Jake Moore, a global cybersecurity adviser at ESET, told the Financial Times that young hackers were “brazenly confident” about avoiding detection – a quality that “added extra salt in the wound” for victims.

    Such confidence complicates the job of insurers. When a single intruder can force a global manufacturer offline, the potential for aggregation across portfolios rises sharply. Reinsurers have already warned that these are precisely the types of tail events cyber catastrophe models are meant to capture.

    The juxtaposition is hard to ignore. At one end of the world, an airline trims executive bonuses after a hack; at the other, an automaker battles to restart operations after another. Both episodes raise the same uncomfortable issue: should leaders personally bear financial consequences when their companies are compromised?

    Advocates of clawbacks argue that tying remuneration to cyber outcomes elevates prevention on the board agenda. Insurers, too, see some merit. Executives who know their compensation is at stake may be more willing to invest in the “unsexy but essential” measures: robust identity controls, patch management, and tested continuity plans.

    Yet critics warn that pay cuts rarely change behaviour meaningfully. As one HK-based cyber security expert put it privately, “A quarter-million dollars from a multimillion-dollar package is not enough to shift the risk calculus.” What matters, insurers argue, is sustained investment in resilience – not symbolic penalties applied once attackers are already inside.

    As cyber incidents proliferate, the insurance market faces a dilemma: how to reward insureds that can demonstrate board-level commitment while pricing appropriately for those that treat cybersecurity as a compliance checkbox. Programs with generous non-malicious failure or broad dependent business interruption cover are already facing stricter terms.

    For Jaguar Land Rover, the immediate priority is restoring operations. But for insurers and risk managers, the longer-term question is sharper: will punishing executives for cyber failures push them to take prevention seriously, or will it remain a gesture after the losses are already booked?

    What is clear is that the conversation is shifting. In the insurance market, accountability is no longer confined to IT departments. It now reaches directly into the boardroom – and into the pay packets of those at the top.
