JLR Attack Reveals Auto Industry Cybersecurity Risks
On Aug. 31, 2025, Jaguar Land Rover Automotive PLC (JLR), a subsidiary of Tata Motors Ltd., suffered a major ransomware attack that halted production across global manufacturing operations. The disruption has lasted weeks and cost hundreds of millions of dollars in lost output. It has also impacted suppliers, delayed deliveries and highlighted systemic weaknesses in the automotive supply chain. Reports that JLR lacked cyber insurance and would have to shoulder the full cost of the attack, leading to a UK government loan guarantee of USD 2 billion, underscore the substantial financial materiality of cyberattacks on automobile manufacturers.1
Prepared on paper, vulnerable in practice
Ahead of the incident, JLR and Tata had disclosed several practices in managing cybersecurity risks, including holding ISO 27001 (Tata Motors) and UNECE R155 (JLR) certifications as well as having invested in employee awareness programs, including trainings, phishing simulations and awareness campaigns, suggesting that both companies were attentive to cyber risk.2
Still, the incident has exposed gaps in cybersecurity risk management, particularly tied to operational resilience. Not having proactive and reactive measures to address data breaches may have weakened incident response timing; JLR’s protracted recovery opens the possibility that continuity plans were not sufficiently exercised against ransomware scenarios. Similarly, more rigorous and independent stress-testing of information security systems, particularly for manufacturing networks, might have reduced disruption and shortened downtime.
Lessons learned
The JLR incident highlights that keeping pace with cybersecurity risk is increasingly becoming a necessity rather than an option for automobile manufacturers; as manufacturing processes and, increasingly, cars themselves become software-driven, the automobile industry must strive to strengthen operational risk management to protect both production continuity and long-term competitiveness.
Data as of Sept. 29, 2025. Note: the table shows select datapoints for MSCI Privacy and Data Security taken from MSCI ESG Metrics, as Privacy and Data Security is currently not a weighted key-issue for the automobiles industry in MSCI ESG Ratings. Green represents best in class, red represents worst in class and yellow represents all other risk-management practices pertaining to the assessed datapoint. The peer set for the study comprised 34 companies that were constituents of the MSCI ACWI Index and classified under the GICS sub-industry “Automobile Manufacturers” that derive the majority of their revenues from passenger-car manufacturing. The Global Industry Classification Standard (GICS) is the global industry classification standard jointly developed by MSCI and S&P Dow Jones Indices. Source: MSCI ESG Research
1 Kana Inagaki, Rachel Millard, David Sheppard and Jim Pickard, “’Moral hazard’ warning after £1.5bn government loan guarantee for JLR,” Financial Times, Sept. 28, 2025.
2 Integrated reports for Tata Motors Limited (FY 24/25) and Jaguar Land Rover Automotive PLC (FY 24/25).