Summary
- Autins reported direct disruption costs linked to a cyberattack on its largest customer.
- The disclosure turns an upstream customer incident into a visible supplier financial reporting issue.
- The case shows why cyber resilience has to include revenue concentration, production dependency, and customer-side disruption.
Autins Group has put a financial marker on the supply chain consequences of a cyberattack, telling investors that disruption at its largest customer created direct costs during its latest financial year.
The UK and European manufacturer, which makes acoustic and thermal insulation materials including its proprietary Neptune melt-blown material, reported its final results for the year to 31 March 2026 on 29 June. The results show the company returned to net profit for the first time since 2017, but they also identify £534,000 in costs due to the direct impact of disruption caused by the cyberattack on the group’s largest customer.
The disclosure separates the amount between cost of sales and administrative expenses, with £149,000 charged to cost of sales and £385,000 charged to administrative expenses. Autins had previously linked lower revenue to the cyberattack on its largest UK customer and delayed tooling sales. Earlier market reporting identified that customer as Jaguar Land Rover, whose 2025 cyber incident halted production for several weeks and affected suppliers across the automotive sector.
Autins is not presenting a speculative breach narrative. It is a supplier telling the market that a customer cyber incident had a measurable financial effect on its own accounts. Evidence of that kind is valuable because it moves cyber risk from abstract likelihood into downstream operating cost, production exposure, and financial reporting consequence.
The automotive sector is especially exposed to this type of dependency. Production schedules, logistics, just in time supply arrangements, tooling, customer forecasts, and contract terms can all turn a single disruption into wider supplier pressure. Smaller suppliers may have limited capacity to absorb demand volatility, particularly when one large customer accounts for a material share of revenue.
Cyber resilience therefore extends beyond the security posture of a company’s own network. It includes concentration risk, customer dependency, supplier dependency, and the operational consequences of a trading partner’s outage. Autins’ results show that the affected organisation does not have to be directly breached to carry financial impact.
The case also belongs inside finance, procurement, and operations planning. A supplier needs to understand what happens if its largest customer stops production, delays orders, changes delivery schedules, freezes systems, or cannot process documentation. Those scenarios sit close to cash flow, inventory, working capital, contractual remedies, and insurance.
Cyber risk reporting is still often dominated by vulnerability exposure, phishing rates, patch status, or incident counts. Supply chain cyber impact requires different measures, including revenue dependency, substitute customer capacity, receivables exposure, production flexibility, critical customer digital dependencies, and the financial tolerance for interruption.
The UK policy context gives the disclosure added weight. Government and regulators are moving towards stronger resilience expectations across managed services, digital infrastructure, and suppliers. Autins’ filing provides a concrete example of cyber risk leaving the incident response room and entering annual results, strategy, and supplier resilience.





