Automotive Supply Chain Risks: Lessons from JLR and First Brands

Recent months have thrown automotive supply chain risks into the spotlight, with the Jaguar Land Rover (JLR) cyber attack and the collapse of First Brands Group providing stark reminders that supply disruptions can strike from multiple fronts and have wide-ranging consequences.

Both cases make it clear that disruption can stem from cyber, financial, operational and geopolitical events, with impacts quickly felt throughout the value chain.

We discuss five key areas of supply chain risk for automotive businesses, together with practical steps to help build resilience to major disruption.

JLR and First Brands: a brief reminder

In JLR's case, hackers exploited vulnerabilities through social engineering, halting production and passing heavy financial pressure onto suppliers, necessitating a £1.5bn loan guarantee from the UK government to prevent further damage – a level of support that should not be relied upon in future incidents.

For First Brands, opaque financing, mounting debt and allegations of fraud triggered a collapse that rippled across its supply chain.

Now Reading

Cyber security risks

Automotive supply chains tend to be complex, cross-border and contain numerous interdependencies. These create many target points for cyber attacks, not only against large manufacturers, but also smaller component suppliers and service providers throughout the chain, often regarded as the "weakest link". Recent incidents at JLR and others reconfirm that attackers are now adept at exploiting human factors, such as persuading helpdesk staff to reset credentials, bypassing technological controls and gaining access using credentials stolen via malware.

Key strategies to mitigate cyber security risks in supply chains:

Map your supply chain: Know who your direct and indirect suppliers are, what they provide, how they access your data and systems, and which are business-critical. This improves the effectiveness of cyber risk assessment, targeted due diligence and contract management, and helps identify priorities in the event of an incident.
Due diligence and regular monitoring: Assess supplier resilience, require regular completion of security questionnaires and evidence of independent certification (e.g., Cyber Essentials, ISO 27001), and check human factors such as staff training in cyber risk and incident response protocols. Due diligence should be an ongoing activity.
Contractual safeguards: Contracts with suppliers should include requirements for minimum security standards, incident and vulnerability reporting, audit rights and obligations to maintain robust disaster recovery and business continuity plans (BCPs). Control over subcontracting is vital to ensure requirements flow down through all tiers of the supply chain.
Designate cyber risk as a board-level priority issue: The JLR incident demonstrated that even the best-resourced organisations, and their supply networks, are not immune to cyber attacks. Governance structures should give regular and prominent attention to supply chain cyber risk and seek assurance that key suppliers treat it as a priority (rather than a low-level compliance matter).
Regulatory environment: The forthcoming UK Cyber Security and Resilience Bill will bring a wider range of service providers (including designated "critical suppliers") under direct oversight, expand notification obligations and increase penalties for non-compliance, which will raise the bar for compliance for many in the automotive ecosystem. See our briefing on the UK Cyber Security and Resilience Bill for an overview of the key changes presented by the Bill.

For a more in-depth exploration of the above, please see our briefing on cyber risks in supply chains.

Financial resilience and late payment risks

Supply chain insolvency is a constant risk in the automotive sector, heightened by sector-wide shocks such as those seen at JLR and First Brands, or caused by the impact of increased tariffs and trade restrictions. While much discussion focuses on the vulnerability of smaller suppliers, the reality is that financial distress at any point in the value chain can quickly cascade, threatening continuity at all levels.

Proactive steps for mitigating financial risk in the supply chain:

Contractual information rights: Where feasible, include a requirement in key customer or supplier contracts to provide regular financial information or certification of solvency. Clauses modelled on lender "information covenants" or periodic solvency certificates can provide early warning of distress but are often only achievable where bargaining power is strong.
Independent credit monitoring: Suppliers should routinely monitor payment trends of their key customers, which can be done using credit reference agency reports or by leveraging publicly available data (e.g. the UK government payment practices reporting regime requires large companies and LLPs to publish bi-annual public reports on their payment terms, average payment times and the percentage of invoices paid within 30, 60 or 61+ days). Extended payment terms and deteriorating payment practices may be signals of underlying distress.
Understanding limitations on contractual termination triggers: Even well-drafted termination rights for insolvency events are now heavily restricted in practice as a result of the UK Corporate Insolvency and Governance Act 2020 (CIGA). This makes early warning and active monitoring more critical than ever. See our briefing on terminating supply contracts for more information on contractual financial reporting requirements and the impact of CIGA.
Monitor late payment risks: Late payments to suppliers are estimated to cost the UK economy £11 billon per year, affecting over 1.5 million businesses, causing significant instability in supply chains across many sectors. Suppliers should ensure appropriate payment provisions are incorporated into contracts and take prompt action where payments are not made on time. The UK government is tightening rules on late payments, including proposing fines for serial offenders and stricter maximum payments terms. For more information, please see our briefing on the UK's proposed late payment reforms.

Tariffs, sanctions and other disruptive events

Recent geopolitical tensions and global events (such as Brexit, the COVID-19 pandemic, trade wars and armed conflicts) have shown that automotive supply chains are particularly exposed to disruption caused by unforeseen circumstances and political uncertainty. A recent high-profile example includes the US administration's imposition of tariffs and other trade restrictions targeting numerous countries and specific sectors, including the automotive sector, with tariffs often imposed at relatively short notice, leaving little time for supply chains to adapt.

Supply chain disruption can also be caused by events closer to home, for example the UK government's recent announcement that it plans to introduce a new "pay-per-mile" tax on electric vehicles, which some argue could have a chilling effect on automotive supply chains which are in the process of pivoting to EVs.

Additionally, the extensive supply chain disruption caused by Russia's invasion of Ukraine and other global conflicts continues to be felt as a result of the significant increase in sanctions and export controls being used to intentionally disrupt access to economic resources and physical goods (now extending beyond those goods which, historically, were usually targeted by trade controls, i.e. 'dual-use' items which have potential military functionality).

Such events have led to force majeure and compliance with laws clauses in international supply contracts coming under renewed scrutiny in recent years as parties seek relief from their contractual obligations where their performance is prevented or delayed due to circumstances they consider to be outside of their control, or perceived to be prevented by (often conflicting) legal obligations of various jurisdictions.

However, force majeure clauses do not always come to the rescue. As noted in our briefing on Brexit, force majeure and material adverse change clauses, the English courts typically interpret force majeure clauses narrowly, requiring specific language to be included to cover economic changes like tariffs.

Key points to consider:

Review key contracts: Work out who is responsible for paying tariffs and whether there are any mechanisms (such as force majeure) that could result in the parties' obligations being suspended. Force majeure clauses should cover not only "acts of God", but also industrial action, government intervention, trade restrictions and cyber incidents. The scope and procedural requirements (notice, mitigation and duration) require careful drafting and review in light of evolving threats. See this briefing for a further discussion on force majeure clauses.
Material Adverse Change (MAC) clauses: Consider supplementing force majeure clauses with carefully defined MAC clauses, particularly for international contracts where tariffs or political interventions might radically alter the commercial dynamics. MAC clauses are often used to trigger a renegotiation of a contract in defined circumstances, or to provide one or both parties with a right of termination if outside events result in the contract becoming uneconomical. See this briefing for a further discussion on MAC clauses.
Wider geo-economic context: Keep up-to-date on evolving conflicts, trade deals and the impact of bilateral agreements on tariff exposure and supply chain friction. These can materially affect commercial forecasting and risk allocation.
Screening: Carrying out proportionate screening of counterparties before entering into new (or renewing existing) contractual arrangements can help reduce the chance of unexpected risks arising in relation to sanctions and export controls, in addition to including anti-circumvention and enhanced termination measures to provide additional protection (where appropriate).

For more information on what the recent US tariff changes mean for international supply contracts, please see this briefing.

For more information on what to watch out for in international trade in the next 12-18 months, see our briefing on the UK's trade agreements in a changing world, and see also our UK Sanctions Update, which discusses the significant new enforcement powers granted to the UK Office of Financial Sanctions Implementation (OFSI) and notable recent sanctions cases.

Crisis planning

To help protect against supply chain disruption, businesses should undertake regular crisis planning, the core features of which include:

Supply chain mapping and scenario analysis: Document key suppliers, dependencies and alternative sources. Undertake "war games" or simulations for different disruption scenarios (e.g. cyber attacks, supplier failure, critical part shortages, strikes, border closures, trade conflicts, regulatory change, etc), including the financial impact on upstream and downstream partners.
Business continuity, recall and regulatory response: Ensure contracts mandate business continuity planning and explicit regulator notification duties (e.g. data protection, product safety, environmental, trade authorities). Maintain clear internal protocols for escalation, investigation and communication, including with suppliers, customers, insurers and authorities.
Post-incident learning: After any incident, conduct a review to capture lessons learnt and update policies, supplier requirements and response strategies accordingly.

ESG, human rights and supply chain transparency

Non-financial risks in supply chains, including those relating to modern slavery, human rights compliance and treatment of smaller suppliers, are now of strategic as well as reputational importance. The UK Modern Slavery Act and other existing and emergent regulations are increasingly driving an expectation on businesses with significant UK operations to map and report on supply chain risks, conduct meaningful engagement with stakeholders and to adopt a proactive and transparent approach to ESG challenges in their value networks. Current and/or proposed regulations in Germany, France, a number of Asian jurisdictions, and the forthcoming Corporate Sustainability Due Diligence Directive in the EU, will only accelerate this trend on the world stage.

Regulators, activists and consumers are demanding greater transparency and responsibility from brands, not only in their own operations but across their complex global supply chains. Automotive businesses have come under particular scrutiny in relation to compliance with their reporting obligations under the UK Modern Slavery Act, which studies have shown lag behind other sectors, with many of the highest-selling automotive businesses in the UK having failed to publish up-to-date modern slavery statements in recent years.

UK Home Office Guidance on Modern Slavery Act

In March 2025, the UK Home Office published updated guidance on compliance with the UK's Modern Slavery Act, with emphasis on:

Active, not box-ticking, risk assessment
Robust remediation processes for victims
Integration of supplier payment practices into ESG reporting
Enhanced use of contractual and operational leverage to drive compliance

See our briefing on the UK Home Office's updated guidance on supply chain transparency for more information.

Robust supply chain due diligence, aligned with international standards such as the UN Guiding Principles on Business and Human Rights and the OECD Guidelines for Multinational Enterprises, is essential. These standards form the backbone of many legal requirements and increasingly represent not only best practices but strict compliance obligations (which may need to be supported by embedding suitably robust ESG clauses into supplier contracts).

For information on how investors in particular can play their part in addressing modern slavery and human rights risks in supply chains, please see our briefing on an investor's role in cleaning up supply chains.

We also have a suite of resources designed to support businesses with their 2026 strategic planning in the ever-changing ESG landscape.

Enhanced regulation and competition enforcement

There have been a number of recent examples of trade control restrictions specifically targeting the automotive sector.

In the US, information and communications technology and services ("ICTS") regulations concerning Chinese EVs were introduced in January 2025 which prohibit automated driving system software and vehicle communication system hardware and software linked to China from entering the US market. These restrictions are determined by considerations including ownership, control, influence and the origin of the technology. Whilst the UK has not yet showed any clear intent to adopt a similar approach, the security of imported Chinese technology in the sector remains under intense scrutiny within government.
In response to US tariffs, in addition to wider restrictions focused on imports and exports, China introduced new restrictions in April and October 2025 on the export of rare earth metals (made up of 17 heavy metals). China currently controls over 60% of mining and 90% of processing and refining of rare earths globally. Although the October 2025 restrictions have been suspended until November 2026, rare earths are critical to supply chains for many industries, including for EV manufacturing and have featured on all of the EU's lists of 'critical raw materials' considered "indispensable for the EU economy".

More generally, in the UK we are seeing a redoubled focus on combatting financial crime, with new legislation and renewed enforcement intent set to pose a real challenge for complex global automotive supply chains (not least where opaque supply chain financing is being utilised, as seen in some of the allegations currently circling First Brands Group).

For example, in recent months we have seen the new 'Failure to Prevent Fraud' rules come into force (significantly extending the scope of corporate liability and with extra-territorial effect, as explained in this briefing), new guidance on the scope of corporate criminal liability (discussed in this briefing) and a new UK anti-corruption strategy (summarised in this briefing). The UK clearly wants to signal to global markets that it is a safe haven for business and investment, and it will expect the automotive sector – which has seen some high profile prosecutions in the past – to take particular heed.

Automotive supply chains are also within the sights of competition authorities, including the European Commission. Whilst competition regulators around the globe have been taking steps towards supporting wider governmental ESG goals and to seek to ensure that strict competition laws do not disincentivise genuine sustainability objectives (as discussed in our cross-jurisdictional snapshot on ESG initiatives and antitrust), recent action has also highlighted that such support will only go so far.

        
            Recent European Commission competition enforcement cases:
        
In the 2025 end-of-life vehicles (ELVs) case, 16 major car manufacturers were found by the Commission to have colluded over the course of 15 years to agree: (i) not to pay car dismantlers for processing ELVs; and (ii) not to promote how much of an ELV could be recycled, recovered and reused and how much recycled material is used in new cars. The Commission found that the manufacturers' goal was to prevent consumers from considering recycling information when choosing a car, which could lower the pressure on companies to go beyond minimum legal requirements. Fines were imposed under settlement agreements – a total of €458 million by the Commission as well as a total of £77.6 million by the UK Competition and Markets Authority in its parallel investigation.

Also in 2025, the Commission fined three car starter battery manufacturers and a trade association a total of €72 million for a 12-year price-fixing cartel to coordinate on raw material cost surcharges (lead prices) in negotiations with car and truck manufacturers.

This flurry of recent activity followed the 2021 AdBlue diesel emissions case, where the Commission found certain car manufacturers to have collaborated to standardise equipment for AdBlue, an emission-reducing technology, to facilitate quicker market roll-out. The behaviour objected to by the Commission was that these manufacturers had colluded to delay the introduction of advanced emission reduction technologies despite having the capacity to do so. Consequently, the Commission imposed significant fines (under settlement proceedings) of €875 million, asserting that the cooperation reduced green innovation.

Participants in automotive supply chains have also been very active in private enforcement, with recent trials and settlements of cartel damages claims, which have been brought in the English courts/tribunals on behalf of both individual claimants and claimant classes across a range of products and services from occupant safety systems to maritime car carrier services. Competition law has also been recently invoked in proceedings brought by an independent spare parts reseller to obtain an injunction against an OEM arising from allegations of refusal to supply.

Expected future scrutiny does not stop at competition law enforcement. In December 2025, the European Parliament and Council agreed the final text of a Commission proposal to harmonise and expand foreign investment screening (FDI) across EU member states. The latest list of sectors for which EU Member States will need to require pre-closing deal approval currently includes transport and also AI (with relevance to autonomous driving technology).

Conclusion

Automotive supply chain risks are multi-dimensional, extending far beyond day-to-day operational concerns. Whether triggered by a cyber incident, the financial collapse of an important supplier, regulatory change or geopolitical disturbance, the potential for disruption (and for subsequent contagion across the network) is significant.

Resilience rests on early identification, active management of risk exposures across contractual, technological, financial and operational dimensions, and sustained board-level attention. Proactive planning may not eliminate these risks, but it will provide the best chance of maintaining business continuity, protecting revenues and reputations, and ensuring long-term sustainability in an increasingly complex automotive sector.

How we can help

Travers Smith is a London-based full-service law firm that has been servicing international and domestic clients for over 200 years. Our cross-practice Automotive Sector Group acts for clients across the automotive ecosystem, including OEMs, auto parts manufacturers, EV manufacturers, EV charge point operators, auto marketplaces, logistics and distribution service providers, tech service providers, as well as some of the leading players in the world of motorsport.

In addition to advising on M&A disputes and competition work, we are also increasingly advising automotive clients on regulatory compliance matters (in particular given the ever-changing regulatory landscape both in the UK and in the EU) and a range of commercial contract matters (including supply, manufacturing, distribution, tech, strategic partnerships, EV charge point hosting arrangements and others).

Please get in touch if you would like to discuss this further.

Read Michael Ross Profile