THE LENS
Digital developments in focus

Cyber supply chain risk, but not as we know it…

The recent cyber attack at JLR not only demonstrates the debilitating nature of a severe cyber attack, but highlights the devastating impact this can have on an organisation’s supply chain. 

We tend to think of the supply chain as being an in-bound risk area when it comes to cyber. Suppliers can be the weak link that threat actors exploit to gain access to an organisation’s systems. We have therefore seen an increasing focus on supply chain risk in legislation like NIS2 (see blog) and regulatory action like the ICO’s Advanced fine (see blog).

There has been little discussion to date of the outbound risk a cyber attack poses to that supply chain. The prolonged nature of the current JLR attack and its impact on BAU activities has, however, shone a spotlight on the issue. JLR’s halt in production is directly impacting its supply chain, particularly smaller suppliers, some of whom are (according to news reports) at risk of bankruptcy. This is problematic both for those suppliers and for JLR’s ability to re-start production. While the UK government has stepped in with support for JLR’s supply chain, this will not be the case for all organisations.

What can you do? 

There are steps you can take now to help manage this type of supply chain risk. For example: 

  • Map and understand your supply chain – as supply chains become ever more complex, it can be difficult to fully understand who is supplying what in your supply chain, particularly when you go beyond your tier 1 suppliers.

  • Assess your upstream and downstream dependencies and understand how disruption to your: (i) systems; and (ii) BAU activities (e.g. your production/operations/provision of services) will impact your suppliers or key customers. This will allow you to identify critical suppliers whose operations are vital to your BAU activities. If, during an incident, you need to consider turning off certain systems or operations, you will then understand the impact of that decision on your supply chain as well as your own organisation. It should also help you understand how to retain customers and suppliers after an outage.

  • Include cyber resilience in your procurement process (e.g. counterparty DD and contracts), but also consider including provisions around business continuity support, such as alternative sourcing or insurance cover.

  • Plan how to engage with your supply chain during an incident – it will be important to keep certain key suppliers informed, and to ensure that you have an open dialogue with them regarding the impact the situation is having on their ability to supply to you now and in the future.

  • Where possible, build redundancy and flexibility into your supply chain and avoid single points of failure. The operational resilience of your supply chain is not a cyber-specific risk, and you should therefore ensure that your cyber response plans make use of the work the organisation will already be doing to manage this risk.
