
The 2008 financial crisis gave us ‘too big to fail’ – the uncomfortable reality that some institutions are so central to the economy that their collapse cannot be permitted. Governments stepped in with unprecedented bailouts, with the UK alone injecting £137bn of public funds to prevent systemic collapse.
Now, a similar logic is emerging in cyber-security. The UK government’s intervention following the Jaguar Land Rover (JLR) cyber-attack marked a clear shift in how digital risk is viewed at a national level.
With sprawling supply chains encompassing hundreds of companies and a sizable chunk of the economy, many large organisations are now “too interconnected to fail.”
So, are cyber-security bailouts becoming an accepted mechanism for economic protection? And what expectations does this create for organisations operating at the centre of interconnected economies?
The significance of the Jaguar Land Rover incident lies less in the cyber-attack itself than in the vulnerability it exposed.
The real risk sat with the large network of suppliers and workers that depend on its continued operation. Once production stopped, upstream suppliers were forced to down tools, liquidity tightened, and the impact began to spread far beyond a single organisation.
Many suppliers were told they would fold if operations didn’t resume. With thousands affected, it’s thought the breach cost the UK economy around £1.9 billion.
This is what “too interconnected to fail” looks like in practice. Modern supply chains are optimised for efficiency, not resilience, and even short interruptions can ripple across multiple regions and industries.
In JLR’s case, the economy was exposed to a shock that the government could not ignore. The breach and its fallout are thought to be one of the reasons the UK economy unexpectedly contracted in October 2025.
Faced with the choice of intervening or allowing disruption to cascade through thousands of dependent businesses, intervention became the least damaging option.
Unfortunately, we know that incidents like JLR aren’t anomalies, but previews of what lies ahead.
Threat actor motivations have changed, and it’s no longer primarily about extracting ransom payments or stealing data. The objective is disruption, especially among state-backed groups. When a single cyber-incident can halt production, destabilise a regional economy, and force government intervention, it becomes a powerful strategic weapon.
The economics underline this shift, with the financial impact of a serious attack far outweighing the profits available. The UK government backed JLR with a loan guarantee of £1.5bn – far exceeding the known revenue of all ransomware groups globally in any given year. That imbalance makes disruption far more attractive than extortion.
Government intervention on this scale creates a difficult precedent. The Treasury does not have a bottomless pot of money, and stepping in once raises expectations that it will do so again. But the UK is home to many companies with similar sprawling dependencies – can they expect billion-pound bailouts as well?
The answer is clearly no. As cyber-incidents become more frequent and disruptive, bailouts are unsustainable. If the state absorbs the downstream impact every time a highly connected organisation is hit, cyber-risk is effectively socialised for a select few companies.
Incentives for resilience, meanwhile, become more uneven. This tension is already visible in the insurance market, where insurers are questioning whether systemic, billion-pound cyber-security events are even insurable.
If governments are forced to intervene again, it is unrealistic to expect those interventions to come without conditions. There will be greater scrutiny of incident reporting, clearer expectations for supply-chain accountability, and increased pressure on organisations to demonstrate that they understand and actively manage the systemic risks they carry.
As cyber-incidents become more economically significant, the way we prepare for and measure them must also change. Perfect breach prevention is unrealistic in such complex, highly connected environments. The critical question is what happens once an attacker is inside.
What prevents an incident from turning into a billion-pound crisis is not the initial breach, but how far an attacker can move. Containment determines whether disruption is limited to a single system or allowed to cascade across operations, suppliers, and regions. This is why measuring success purely by detection rates or time-to-detect misses the point.
Instead, the metrics that matter are:
Effective containment requires three foundational capabilities. First, network segmentation that limits lateral movement by design. Second, complete visibility into how systems, applications, and data flows interconnect – a security graph that maps dependencies and potential paths of lateral movement. And third, the ability to act on that visibility in real time, using AI-powered analysis to detect anomalous behaviour and enforce segmentation policies before human intervention is even possible.
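To make the first two capabilities concrete, the following added example (not from the article or any vendor product) models a security graph from observed flows and compares how far a compromise can spread with and without a zone-based segmentation policy. All workload names, zones, ports and policy rules are constructed for illustration, and flow direction is assumed to be the direction an intruder can move.

```python
from collections import deque

# Constructed sample: observed flows (source, destination, port).
FLOWS = [
    ("vpn-gw", "it-jump", 22), ("it-jump", "erp-app", 443),
    ("it-jump", "file-srv", 445), ("file-srv", "mes-plant", 445),
    ("erp-app", "erp-db", 5432), ("erp-app", "supplier-portal", 443),
    ("mes-plant", "plc-line1", 502), ("supplier-portal", "erp-db", 5432),
]
# Constructed zone assignment for each workload.
ZONE = {
    "vpn-gw": "remote", "it-jump": "it", "file-srv": "it",
    "erp-app": "business", "erp-db": "business",
    "supplier-portal": "dmz", "mes-plant": "ot", "plc-line1": "ot",
}
# Hypothetical default-deny policy: only these (src zone, dst zone, port) pass.
ALLOW = {
    ("remote", "it", 22), ("it", "business", 443),
    ("business", "business", 5432), ("business", "dmz", 443),
    ("ot", "ot", 502),
}

def permitted(flow, policy):
    src, dst, port = flow
    return policy is None or (ZONE[src], ZONE[dst], port) in policy

def build_graph(flows, policy=None):
    """Adjacency map of flows that survive the policy (None = flat network)."""
    graph = {}
    for flow in flows:
        if permitted(flow, policy):
            graph.setdefault(flow[0], set()).add(flow[1])
    return graph

def blast_radius(graph, start):
    """Every workload reachable from a compromised starting point."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def blocked_flows(flows, policy):
    """Observed flows the policy would deny: review these before enforcing."""
    return [f for f in flows if not permitted(f, policy)]

if __name__ == "__main__":
    for label, pol in (("flat", None), ("segmented", ALLOW)):
        reach = blast_radius(build_graph(FLOWS, pol), "vpn-gw")
        print(f"{label}: {len(reach)} reachable -> {sorted(reach)}")
    print("denied by policy:", blocked_flows(FLOWS, ALLOW))
```

In the flat case the remote-access entry point reaches the plant-floor systems; under the policy the same starting point stops at the business zone, which is the containment outcome the paragraph describes.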
Boards increasingly understand that an attack that was contained is a success story. However, an attack that triggered government intervention is a systemic failure.
The prospect of governmental bailouts should never be viewed as a safety net. When cyber-incidents threaten economic stability, intervention becomes unavoidable, but it is also evidence that resilience failed earlier in the chain.
Cyber-risk is business risk, and at scale, it becomes national risk. As attacks increasingly prioritise disruption over intrusion, organisations will be judged less on whether they were breached and more on the consequences. The ability to contain impact, protect critical operations, and prevent systemic fallout is what will determine whether future incidents demand government intervention or remain survivable without it.
In the era of “too interconnected to fail,” resilience is no longer optional: it’s the price of operating at the centre of the modern economy.
Raghu Nandakumara is VP of Industry Strategy at Illumio
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543