Security Assessment for a Tier 2 Automotive Supplier

Business challenge

An automotive supplier was told by a Tier 1 customer to evidence cyber maturity within 90 days or risk being dropped from the supplier list.

Operational risk

A Tier 1 automotive customer had issued a 90-day ultimatum to evidence cyber maturity or be removed from the approved supplier list. The internal IT team had never operated to a formal framework.

Potential impact

Loss of the Tier 1 relationship would have cost roughly 40 percent of annual revenue and triggered a redundancy programme inside six months. Adjacent customers were likely to follow the same playbook within the year.

Approach

We mapped the IT and OT environment, ran a risk assessment aligned to the customer's framework, fixed the most critical gaps, and prepared the response pack.

Actions taken

• Mapped the converged IT and OT environment, including legacy machine controllers that had no documented owner
• Ran a risk assessment aligned to the customer's specific framework rather than a generic methodology
• Closed eleven critical findings inside the 90 day window, with a phased plan for the remaining medium-risk items
• Prepared and rehearsed the customer-facing response pack with the leadership team

Outcome achieved

The supplier was retained on the approved list and used the same assessment to win a second customer on similar terms.

Lessons learned

• Supply chain pressure is now the single largest driver of cybersecurity investment in UK manufacturing
• Speaking the customer's framework, not yours, halves the friction in evidencing maturity
• OT and IT can no longer be governed separately: the assessment scope has to cover both