The trigger: a quarterly update that suddenly focuses on cyber
On January 5, 2026, Jaguar Land Rover (JLR) published its sales update for Q3 of fiscal year FY26 (the three months to December 31, 2025). The headline is unusually direct: volumes are “impacted by cyber incident”. JLR reports that wholesale volumes (deliveries to dealers) amounted to 59,200 vehicles, -43.3% year-on-year, and that retail sales (sales to end customers) were 79,600, -25.1% year-on-year. JLR explains that production only returned to normal levels by mid-November and that extra time was then needed to distribute cars worldwide.
For directors and CISOs, the value lies not only in the percentages, but in the mechanism behind them: a cyber incident quickly turned into a supply and availability problem. In the automotive industry, “not delivering” is often the same as “not selling”, because dealers receive less stock and customers switch or postpone their purchase. JLR also mentions two additional factors that depressed volumes: the phasing out of ‘legacy’ Jaguar models ahead of a new Jaguar launch and additional US import tariffs that affected exports to the US. So cyber was not the only element, but it was the factor that made the quarterly effect sharply visible.
What happened in 2025: “proactively shutting down our systems”
The cyber attack itself played out earlier: JLR reported on September 2, 2025, that the company had been hit by a cyber incident and that it had taken “immediate action” by proactively shutting down systems to limit the impact. JLR indicated that there was no evidence at that time that customer data had been stolen, but that retail and production activities were “severely disrupted”. That one sentence is important for supply chain risk management: sometimes the safest choice is a controlled stop, but that is also immediately an operational stop.
A week later, on September 10, 2025, an update followed: based on the ongoing investigation, JLR thought that some data had been affected and that it was informing relevant regulators. In other words, the incident not only had a continuity impact (production and sales), but also gained a compliance and reputation layer. For chain partners (dealers, logistics, financing/leasing, parts suppliers), that is the moment when questions arise such as: “What does this mean for our customer communication?”, “Do we also have to report?” and “Which processes come to a standstill because integrations or portals are not available?” Supply chain is directly related to governance here: you can only steer if you know which data and system links are essential.
The supply-chain impact in one model: CMC calls it “systemic”
The British Cyber Monitoring Centre (CMC) published an extensive analysis on October 22, 2025, and classified the incident as a Category 3 systemic event (on a five-point scale). CMC estimated a UK financial impact of £1.9 billion (range £1.6–£2.1 billion) and stated that the consequences affected more than 5,000 British organizations. CMC emphasizes that this is a model-based estimate based on publicly available data and assumptions, but the core message is crystal clear: at a large manufacturer, the “ripples” in the chain are so large that the incident has an economic system impact, even though, according to CMC, there was one primary victim organization.
What CMC specifically describes is precisely what directors often underestimate: a standstill “at the customer” is rarely an isolated IT problem. CMC states that the attack affected JLR’s internal IT and led to a shutdown and a halt in global manufacturing operations, with effects on large UK plants. Suppliers faced canceled or delayed orders and uncertainty about future volumes; dealer systems were sometimes unavailable. CMC also points to the distinction between IT and OT (Operational Technology: the systems that control machines, production lines and industrial processes). Where IT and OT meet, the restart can become much more complex. That is the supply-chain lesson: cyber resilience is not only “information security”, it is also production continuity.
Why falling sales figures are actually a chain indicator
In practice, sales figures at a manufacturer are often a late indicator of something that started weeks earlier in the chain. JLR itself says that the drop in volumes only becomes fully visible in Q3 because production did not normalize until mid-November and distribution took time. This shows how cyber incidents have a lag effect: the attack is “then”, the turnover and delivery shock is “later”. In supply chain language: you first get a disruption in planning and production, then in logistics and inventory positions at dealers, and only then in sales and margin.
This is recognizable for medium-sized organizations (also outside automotive). Think of a Dutch wholesaler that depends on a limited number of suppliers or a company that works with just-in-time deliveries: if one link preventively shuts down its systems, the chain does not stop neatly at that link. Orders cannot be confirmed, status updates disappear, forecasts become unreliable and customer service comes under pressure. What JLR’s figures make visible is that “not being able to produce” and “not being able to deliver” have the same commercial outcome: less turnover, less confidence, and often extra costs to accelerate later (express transport, extra shifts, temporary buffers).
The Reuters reporting underlines this from a market perspective: the production problems due to the cyber incident translated into the sharp decline in wholesale and retail volumes. For supply chain risk management, the exact mix of causes (cyber, tariff pressure, model transition) is not even the main concern; the pain point is that one digital incident affects multiple strategic areas at the same time: delivery, cash flow, brand experience, compliance and stakeholder management.
What this says about digital supply chains: dependencies that you don’t see on the invoice
Most directors know their tier-1 suppliers (the parties you buy directly from). But digital supply chains are full of tier-2 and tier-3 dependencies: platforms, identity solutions, network services, integration partners, industry IT, and sometimes external support parties that you only really need during an incident. JLR’s own communication shows how quickly you end up in “controlled restart” and “phased recovery”: that is rarely a switch that you flip; it is a chain reaction of systems, authorizations, data flows and production processes that must become reliable again.
A second point is the human factor in the chain. CMC explicitly states that the impact reaches suppliers, with measures such as hours banks, wage adjustments and in some cases dismissal. So supply chain risk is not only “can we deliver?”, but also “do critical suppliers remain financially viable?” In the Netherlands you see the same mechanism with specialized SME suppliers: one large customer that temporarily stops can immediately cause a liquidity problem. The positive news is that this is precisely where you can steer as a customer and as a chain partner: with clear agreements about escalation, with scenarios for temporary order patterns, and with financial and operational ‘bridges’ that you arrange in advance instead of during the crisis.
Governance lessons: from “cyber” to “continuity” in four steps
The core lesson from JLR is that a cyber attack can be a business-critical disruption, even when no data has (demonstrably) been stolen. JLR stated on September 2, 2025, that there was no evidence of stolen customer data, but there was severe disruption of retail and production. That is an important conversation for directors: your risk model should not only revolve around data leaks, but also around “digital standstill”.
Four practical steps that you as a director/CISO can use together (without drowning in IT detail):
- Make your “stop list” explicit: which systems MUST remain running in order to be able to sell, plan, produce or deliver?
- Practice a controlled shutdown: if you ever shut down systems to prevent worse, who decides that, and how do you restart in a controlled manner?
- Contract chain response: record with critical suppliers how quickly they report incidents, what information you receive, and how joint continuity works.
- Measure chain impact in money and days: define in advance what 1 day of downtime means in turnover, fines, customer confidence and extra logistical costs.
This is not a plea for “more technology”, but for clarity at the governance level. Anyone who arranges this in advance can return to normal more quickly and communicate more credibly to customers, financiers and regulators.
A positive conclusion: cyber resilience as a competitive advantage in the chain
The easiest thing is to dismiss this kind of news as “something from the automotive industry”. But the lesson is broader: modern chains are digitally intertwined. JLR’s quarterly update shows how an incident from August/September 2025 results in measurably lower sales volumes in the quarter to December 31, 2025. Once you see that timeline, you will look differently at your own supply chain: where is our digital single point of failure, and which chain partner can unintentionally shut us down?
The good news: supply chain risk management is not powerless here. You can opt for transparency about dependencies, for as few links as possible, for recoverability (backups, alternative processes), and especially for joint agreements with suppliers and service providers. Organizations that have this in order face fewer surprises, less improvisation and faster recovery in times of crisis. And that ultimately translates into something that directors do steer on: delivery reliability, customer confidence and predictable cash flow, even if things go digitally wrong.