Cyber attack costs Jaguar Land Rover dearly

The £1.9bn cyber attack on Jaguar Land Rover underscores the need for robust contract and resilience strategies
A report from BBC News reveals that the recent cyber attack on Jaguar Land Rover is estimated to cost around £1.9bn, marking it as the most economically damaging cyber incident in UK history. This situation underscores the vulnerability of even the largest organisations to supply chain disruptions and emphasises how the repercussions can extend far beyond a single company, particularly affecting smaller firms that rely on these larger entities. With cyber incidents increasing, this case serves as a significant wake-up call for businesses of all sizes to reassess their contracts, contingency plans, and overall cyber resilience strategies.
Edward Kilner, Senior Solicitor in Harper James’ commercial team, highlights the importance of strong contractual protections to enhance digital resilience, stating, “The recent wave of high-profile incidents – from the £1.9bn economic impact linked to the Jaguar Land Rover attack to the AWS outage that hit banks, retailers and public services – shows how fragile digital supply chains can be. When one major provider goes down, everyone connected to it feels the shock.” He adds that resilience is not solely about technology but also about contractual agreements.
Kilner elaborates on the ramifications of supply chain failures, emphasising that “When a critical supplier such as AWS or Collins Aerospace goes offline, or a payroll or logistics provider suffers a breach, the effects ripple fast. Production halts, payments are delayed, customers can’t get through, and there may even be legal implications.” He points out the implications under UK GDPR, where a loss of availability or integrity can still constitute a personal data breach, necessitating timely reporting to the Information Commissioner's Office when access to data is compromised, even if no data is stolen.
For small and mid-sized firms embedded in complex supply chains, this incident serves as a crucial reminder. Kilner advises that “Contracts need to assume that failure will happen. Too often, outages and cyber incidents are treated as someone else’s problem.” He urges businesses to set clear expectations within their supplier agreements about communication, alerts, and recovery management in the face of disruptions.
Moreover, Kilner stresses that “Resilience isn’t built by hope; it’s built into the paperwork.” He recommends that contracts define security standards, mandate evidence on request, and outline audit rights and disaster recovery plans. He calls for clarity regarding recovery times, restoration priorities, and communication strategies when unexpected events occur.
Financial considerations play a critical role as well, with Kilner noting that “service credits rarely touch real business interruption.” He suggests that businesses should pair these credits with tailored indemnities and meaningful liability caps that include higher “super-caps” for data protection and business interruption, along with firm flow-down duties to sub-processors.
Furthermore, he recommends planning for graceful failure by employing backup regions, testing exit routes, and establishing who will cover the costs during a crisis. Exploring redundancy or multi-provider options can also help to prevent single points of failure.
Finally, Kilner warns that “Regulators are already scrutinising the resilience of critical third parties, so businesses should expect the same scrutiny from clients and investors.” He concludes by reinforcing that strong contracts are fundamental to maintaining operational continuity, safeguarding data, and protecting reputation during inevitable outages.