Asahi and Jaguar Land Rover both said cyber was a top risk in their annual reports
Asahi and Jaguar Land Rover both said cyber was a top risk in their annual reports. Then hackers shut down their factories. Turns out writing it down doesn't count.
Asahi identified cyber risk. Hackers took down all 30 domestic factories last week. Orders suspended. Shipments stopped. Half their revenue, gone. No timeline for recovery.
Jaguar Land Rover flagged cybersecurity as a principal risk. Then hackers shut down their factories for a month. The UK government had to guarantee a £1.5 billion loan to keep them solvent.
No cars built.
Production lines dark.
Both companies identified the risk and put it in the annual report.
Then never asked what that actually meant.
When the CFO brings up supply chain risk, boards dig in. What's our exposure? What's the mitigation plan? What are the second-order effects?
When IT mentions cyber risk, it goes in the disclosure.
Next agenda item.
Nobody asked: "What happens to our ability to manufacture cars if we get hit? What happens to our ability to brew beer for the thirsty people of the world?"
They didn't understand the risk well enough to know those were the questions.
Security got staffed like facilities management, something to outsource and minimize.
Risk disclosures became boilerplate, reviewed by legal once a year.
Now Asahi can't brew and JLR can't build cars. That's not an IT outage. That's an existential crisis.
Disclosures don't protect your production lines.
They don't protect your revenue.
They definitely don't protect the thirsty people who now can't get their much-needed beer.
It doesn't matter if you make beer or classy, intermittently reliable SUVs. If your production lines run on code, you're a tech company whether you like it or not.
Risk disclosures aren't a strategy.
They're cover for boards who acknowledged a risk they never understood.
Disclosures are easy.
Security is hard.
These companies found out which one actually matters.