Professor John Clancy and Professor David Bailey
By Professor David Bailey
29th September 2025
Is there really a risk of ‘moral hazard’ after the government announced a loan guarantee to help JLR get a £1.5bn commercial bank loan quickly so as to get cash into the supply chain?
The question is whether a firm that knows the government will step in to mitigate losses might act less prudently. In this case, the question is effectively whether JLR, already badly hit by a major cyber-attack that halted production, or indeed other firms, would have less incentive to invest in cyber resilience because taxpayers are effectively sharing some of the downside risk.
In reality, the structure of the guarantee, the nature of cyber risk, and the reputational, legal, and operational realities facing JLR (and other firms) all mean that the guarantee isn’t likely to create moral hazard regarding cyber security. In fact, rather than weakening incentives, the guarantee can coexist with strong market and internal pressures on JLR and other firms to continue strengthening cyber defences.
Firstly, it should be noted that the loan guarantee is directed at the banks. By guaranteeing up to 80% of the loan, the UK Export Finance (UKEF) scheme reduces the lender’s risk and lowers JLR’s borrowing costs. But the guarantee doesn’t indemnify JLR against the consequences of a cyber incident. If another cyber-attack forces a shutdown, JLR still bears the full operational, financial, and reputational fallout, including lost production, missed sales, higher costs, and damage to customer trust.
In other words, the guarantee changes the financing environment but NOT the commercial incentives. JLR still directly suffers (potentially big time) from cyber lapses, so it has every reason to prevent them. The guarantee does not ‘socialise’ operational losses; it only comes into play if JLR ultimately defaults on debt obligations.
Also, even in the extreme (and unlikely) case of loan default, JLR and its shareholder Tata Motors remain exposed. The guarantee covers only 80% of the loan; the remaining 20% of losses fall on commercial banks, and before that, JLR’s own balance sheet is at risk. The company must still service the debt in full, pay interest, and bear the cost of any disruption. If cash flows falter, it faces restructuring, possible loss of assets, or damage to its credit rating.
That residual exposure is critical. JLR simply can’t walk away from the consequences of poor cyber risk management, and so it is difficult to envisage how the guarantee might make executives careless. Instead, they remain under pressure to ensure resilience, both to avoid direct costs and to retain access to future financing.
Moral hazard theories assume that actors take greater risks when shielded from downside consequences. But in cyber security, the consequences aren’t limited to financial solvency. A high-profile breach erodes brand value, deters customers, and invites government scrutiny. For a luxury carmaker like Jaguar Land Rover, brand reputation is arguably its most valuable asset. Another major disruption would inflict reputational harm far in excess of the costs covered by any loan guarantee.
Moreover, the regulatory landscape is being tightened up. The EU’s NIS2 Directive is a cybersecurity regulation, and while it is not directly applicable to the UK, any UK organisations with significant EU-facing operations or supply chains will have to comply with its requirements. The UK is developing its own legislation, the long-awaited Cyber Security and Resilience Bill, which will update existing laws to align with NIS2, including stricter security, incident reporting, and supply chain security obligations for covered entities. These will likely impose legal duties on firms to maintain adequate cyber defences. Failure to invest adequately can bring fines, lawsuits, and executive accountability. These risks are personal, organisational, and ongoing. And they can’t be insured away by a loan guarantee.
Unlike bailouts or grants, loan guarantees are contingent liabilities. The UK government isn’t handing JLR a cheque; it is offering reassurance to lenders. The guarantee only crystallises into public expenditure if JLR defaults and lenders can’t recover funds. This conditionality means that the company gains no direct financial reward from cutting corners on cyber security. Indeed, if cyber negligence makes default more likely, it increases the chance of reputational fallout, tighter financing conditions, and intrusive government oversight.
In addition, I expect that the guarantee will come with covenants, reporting requirements, and oversight mechanisms. The government has an interest in ensuring the borrower’s resilience, especially if the triggering event for support is a cyber-attack. I expect the UKEF and/or HM Treasury to monitor JLR’s operational risk management more closely as part of the guarantee’s conditions, as Liam Byrne MP suggested on the BBC’s Broadcasting House last Sunday, thereby strengthening cyber governance, not undermining it.
Another reason why moral hazard is limited in this context is that cyber risk isn’t really like financial risk. A bank protected by deposit insurance might rationally take more lending risks because losses are absorbed by the insurer. But JLR can’t transfer the reputational, operational, and legal harms of a cyber-attack to the government. Those harms are intrinsic to the business and can’t be neutralised by a guarantee on a financial loan from a commercial bank.
The guarantee just mitigates one narrow channel of exposure, debt refinancing costs, but leaves untouched the much bigger and harder-to-bear consequences of inadequate cyber defences. Hence, the nature of cyber risk itself limits moral hazard.
Boards at other firms will look at the damage inflicted at JLR, M&S, and the Co-op and shudder. Will they really think there’s no need to worry as the government will help them out? This whole affair remains a wake-up call to British business to get serious about cyber security. The loan guarantee doesn’t change that.