Lessons From Jaguar Land Rover: Why Vendor Management is a Key Piece of the Cybersecurity Puzzle

This timely piece is by Martyn Janes, Lead Cyber Underwriter at rrelentless.

With high-profile cyber attacks recently disrupting Jaguar Land Rover (JLR) and several UK airports, the spotlight has turned to the risks businesses face through vendor management. These cases highlight the importance of viewing vendor management through a security lens, rather than focusing solely on functionality or cost. The reality is that cyber resilience begins before an attack, and businesses must ensure they have backup plans in place when things go wrong. After all, you are only as strong as the weakest link in your supply chain.

What happened to JLR?

JLR extended a production shutdown due to a cyberattack that impacted its IT systems, initially halting production at several plants while investigations were ongoing. Reports revealed that the incident arose from its supply chain management systems, which coordinate production planning.

The knock-on impact has been immense, with many of its third-party suppliers, who rely on JLR’s systems for scheduling, facing serious financial strain. Smaller players often bear the brunt of cyber attacks as they tend to have less resilience against disruption.

The JLR case highlights the ripple effect that cyberattacks have, especially on large manufacturers, where the impacts can cascade across entire industries. It’s not as simple as a single breach impacting the targeted organisation – it also impacts suppliers, partners, and customers.

Cyber risk is not limited to internal defences; it’s also about the third parties that businesses rely on every day. Let’s take a look at some of the considerations businesses need to make:

Third-party due diligence

Day-to-day, businesses rely on third-party vendors for critical operations, whether it’s cloud hosting or payment processing. But companies need to ask: how many of these vendors have designed their products with functionality alone in mind? Due diligence is not a nice-to-have; it’s paramount in ensuring cyber resilience. Organisations must ask:

● Are vendors embedding cybersecurity into their products?

● How reliant is the business on these third-party vendors?

● Do they trust that these services are secure and that contingencies are in place?

The JLR case underscores the importance of addressing these questions: when its SAP software was exploited, JLR and businesses beyond it faced significant disruption. Without a backup plan, businesses are left scrambling.

Dependency and contingency

Organisations need to consider how much they trust their vendors’ security and understand what workarounds they have if critical third-party services go down in a cyber attack. Ensuring vendor contracts include robust Service Level Agreements and breach protocols is vital.

For instance, several European airports, including Heathrow, were affected by a cyberattack that disrupted check-in and baggage systems. BA was able to switch to another check-in system, while other airlines struggled. Essentially, what is the backup plan? Resilience isn’t just about recovery; it’s also about continuity.

Third-party relationships and system integration risks

Supplier impact is often overlooked. Businesses should ask: Are we too reliant on one contract? What strategy do we have if a key supplier fails? The fallout can spread quickly across supply chains, posing far-reaching challenges for businesses without robust contingency plans.

Moreover, integration between customer and supplier systems means vulnerabilities can cascade. If one part of the chain is exploited, the whole chain may be at risk. For example, following JLR’s cyberattack, there were warnings that many small suppliers making parts for the company could collapse without financial support. As a result, an emergency £1.5bn was granted to protect livelihoods and the supply chain.

Appropriate insurance cover is vital

Recent losses once again highlight the need for appropriate cyber insurance. According to the BBC, JLR is losing at least £50 million per week in lost production. It also failed to complete a cyber insurance policy, which could leave it on track for around £200m in losses.

Meanwhile, M&S was crippled for months following a cyberattack that began in April 2025, resulting in losses of £300m due to downtime, with only £100m of insurance coverage in place.

Cyber insurance isn’t a silver bullet, but it’s a must-have in any business’s cyber arsenal to provide both indirect and direct financial protection. However, best practice extends beyond financial cover, with leading policies providing access to expert risk management support, empowering businesses to enhance their resilience against threats.

A proactive approach

Prevention is the best protection. What can set best practice apart from a standard policy is the integration of a proactive, preventative approach to risk. Industry-leading policies go beyond financial coverage alone to include comprehensive e-learning modules that educate staff, risk audit tools, legal advice, and pre-loss planning. This approach ensures that businesses are also equipped to respond effectively in the event of incidents. As cyber threats become increasingly sophisticated, it is more critical than ever to be proactive rather than reactive.

 

BIO: Martyn Janes is an experienced cyber insurance expert with a career spanning over a decade. Since beginning his journey at Towergate Underwriting in 2011, he has honed his expertise in technology, cyber, and life science underwriting through roles at Hiscox and CNA Hardy.

Now as Lead Cyber Underwriter at rrelentless, Martyn drives growth, shapes strategy, and delivers tailored cyber insurance solutions to protect businesses against evolving threats. Passionate about education and risk management, he frequently shares insights on cyber trends through podcasts, panels, and industry events, empowering brokers and businesses to navigate the complex cyber landscape.
