The recent cyber attack on Jaguar Land Rover (JLR) has highlighted the debilitating nature of severe cyber incidents for companies and their profound impact on supply chains. Traditionally, supply chain risk has been viewed as an inbound issue, with suppliers often perceived as potential weak links. However, the JLR incident highlights the less-discussed outbound risks that cyber attacks pose to supply chains and the company's operational network, necessitating a re-evaluation of risk management strategies from a legal and contractual standpoint.
The Nature of Cyber Attacks and Supply Chain Vulnerability
Severe cyber attacks can cripple an organisation's operations, leading to production halts and significant financial losses. In the context of supply chains, such disruptions can have cascading effects, impacting not only the primary organisation but also its network of suppliers and partners. Whilst larger organisations may have systems in place to mitigate the damage of disruption, smaller organisations within the network are often less able to deal with disruption and, sadly, at worst this can result in bankruptcies. The JLR cyber attack serves as a stark reminder of these vulnerabilities, as the production halt has had a ripple effect on smaller suppliers.
Regulatory Focus on Supply Chain Risk
In recent years, there has been an increasing legislative focus on supply chain risk. The Network and Information Systems Directive (implemented in the UK through the Network and Information Systems Regulations (2018)) exemplifies this trend, aiming to enhance the security of network and information systems across the EU. Additionally, regulatory actions, such as the Information Commissioner’s Office (ICO) fines for security failings, highlight the growing scrutiny on organisations’ cyber resilience. These regulatory measures underscore the need for organisations to adopt robust risk management strategies that encompass both inbound and outbound supply chain risks.
Outbound Risks and the JLR Case
The JLR cyber attack illustrates the outbound risks that cyber incidents pose to supply chains. The impact of a cyber attack on an organisation's ability to fulfil its obligations to its supply chain partners is equally important to consider. Disruption resulting from a cyber attack may result in the affected party breaching the terms of contracts that it has entered into with its supply chain partners, which could in turn result in claims for damages or termination of the underlying contracts.
Organisations must also be mindful of their data protection compliance requirements and related risks. Organisations handling personal data have an obligation to comply with UK GDPR. In the event that an organisation experiences a cyber attack, the obligation to report the breach of personal data to the ICO may also arise under its underlying contracts. It is crucial, therefore, that companies ensure that their underlying contracts and data protection systems are up to date and readily accessible.
Mitigating Supply Chain Risks: Legal and Contractual Strategies
To manage supply chain risks effectively, organisations should adopt a multi-faceted approach. Some key steps to take in this regard might well include:
- Mapping Supply Chains: Understanding the full extent of supply chain networks and identifying critical dependencies is essential for risk assessment and management. This is particularly important with regard to maintaining relationships with your supply network once the cyber incident has been resolved.
- Assessing Dependencies: Evaluating the reliance on specific suppliers can help organisations identify potential vulnerabilities and develop contingency plans.
- Including Cyber Resilience in Procurement: Contractual provisions in all underlying supply chain contracts should mandate cyber resilience standards for suppliers, ensuring that they adhere to best practices in cybersecurity. In addition, organisations should understand any contractual obligations they have committed to (security, notifications, and any risk of breach where they are subject to a cyber attack).
- Planning Engagement During Incidents: Establishing clear communication protocols and engagement plans with key suppliers in the event that there are cyber incidents.
- Building a Cyber Incident Response Plan (IRP): Ensuring that the organisation has a formal, documented strategy on how to detect, respond to and recover from cyber incidents.
- Building Redundancy and Flexibility: Developing redundancy in supply chains and fostering flexibility can avoid single points of failure and enhance resilience against cyber attacks and other disruptions.
The JLR cyber attack serves as a critical reminder of the complex nature of supply chain risks in the digital age. By adopting comprehensive legal, contractual and data protection strategies, organisations can mitigate these risks and safeguard business operations including, most importantly, their revenue streams.
For further information, please contact Joanna Bouloux or Thomas Molony.