    Will executives’ pay cuts force clients to rethink cyber preparedness?

    Will executives’ pay cuts force clients to rethink cyber preparedness? | Insurance Business Canada

    With JLR staff still having to stay home until Tuesday, one major airline has cut executive bonuses by 15% after a breach

    Qantas Airways has announced it will trim senior executives’ bonuses after a hack compromised millions of customer records – sending a clear signal: accountability for cyber failures would now extend to the boardroom. The move – a 15% reduction in short-term awards – shaved a quarter of a million dollars from chief executive Vanessa Hudson’s payout, even as her total remuneration climbed above A$6 million.

    In Australia, the measure has been read both as a deterrent and as a necessary concession to shareholders alarmed by reputational harm. But the question facing global risk managers is whether financial penalties for individuals at the top genuinely sharpen corporate focus on prevention, or whether they serve merely as optics once the damage is done.

    That debate is especially pertinent in Britain this week, where Jaguar Land Rover (JLR), owned by Tata Motors, has been forced to halt production across major sites in Solihull, Halewood and Wolverhampton after a cyber incident. The disruption has cascaded through dealerships, delayed vehicle handovers, and left suppliers in limbo. The carmaker stressed there is no evidence of customer data theft, but operational paralysis has been severe – staff are still at home and will probably remain there until Tuesday as IT teams scramble to assess damage. The latest to claim responsibility for the hack is someone who calls himself Rey from a group called Hellcat. “This is so easy,” he posted on Telegram, claiming to have hacked the company twice in six months.

    For insurers, the episode underscores two interlocking concerns. First, prolonged interruption at a global manufacturer can magnify into systemic loss, straining business interruption and contingent coverages. Secondly, as the claims experience with Marks & Spencer showed earlier this year, hacker collectives such as Scattered Spider and Hellcat thrive on exploiting human fallibility in help desks and identity checks. That reality is not easily solved with additional spending on technology – or with clawbacks from executive pay packets.

    Yet the governance dimension cannot be ignored. Boards are increasingly judged on their oversight of cyber resilience. If an executive’s bonus is at risk, the incentive to interrogate patching cycles, vendor dependencies and crisis playbooks grows stronger, especially if, as may be the case at JLR, the hacks just keep coming. For underwriters, this cultural shift is material: an engaged C-suite is more likely to fund “dull but essential” controls such as privileged-access management, call-back verification and network segmentation.

    Still, there is unease in the market about whether remuneration penalties actually drive behavioural change. As one HK-based cyber security expert observed after the Qantas news, “The sums shaved off a bonus are rarely transformative compared with the quantum of losses – but they may at least make directors take their responsibilities personally.”

    The JLR disruption comes at a delicate moment for the cyber market. Renewal discussions this autumn will feature hard questions on sub-limits, carve-outs and accumulation exposures, particularly where third-party platforms are implicated. Reinsurers are already modelling the knock-on effects of multi-site stoppages in auto manufacturing. The spectre of a prolonged outage feeding through supply chains is precisely the type of scenario feared in cyber catastrophe planning.

    Whether financial discipline at the top changes outcomes is therefore a live question. What is clear is that insurers will not be satisfied with symbolic gestures. They want to see evidence of practical investment: tested run-books, hardened identity systems, and a culture that treats cyber risk as a board-level priority rather than an IT problem.

    The Qantas penalty, and the turmoil at JLR, offer a sobering reminder. Cybersecurity is no longer a question of if but when. For both boards and underwriters, the calculus has shifted: prevention is cheaper than disruption – and now, in some cases, than the cost of the chief executive’s bonus.
