Month: December 2021

The Top 5 Supply Chain News Stories You Need to Know

The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

OCC Issues New Disclosure Requirements for Cyber Breaches

 

Starting May 1, 2022, financial institutions will have to report major cyber security incidents to federal officials within 36 hours. The final rule establishes two primary requirements:

1. Banks must now notify Federal Regulators of any cyber incidents no later than 36 hours after the they determine that a cyber incident has occurred.
2. The final rule requires Banks to notify customers as soon as possible when a bank service provider experiences a cyber incident that has materially disrupted or degraded (or is reasonably likely to materially disrupt or degrade) covered services for four or more hours.

Interos Insight: This ruling, called the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” comes on the back of the TSA updating requirements for pipeline, rail, and air transport companies. Although the NDAA for FY 2022 failed to include mandatory reporting requirements for all critical infrastructure companies, bipartisan support for cyber security incident reporting will likely result in future legislation, as a stand-alone bill or possibly, as part of another legislative package. It’s clear that the government is looking to supply chain risk professionals in all industries to rigorously evaluate the cyber risk in their supply chain – and that the issue is only going to be taken more seriously over time.

CISA SBOM-A-RAMA

The Cybersecurity and Infrastructure Security Agency created a new Software Bill of Materials (SBOM) web page and hosted a two-day “SBOM-a-rama” focused on related education, technical issues and pulling together “the broader security and software community.” The SBOM concept “has emerged as a key building block in software security and software supply chain risk management.” Allan Friedman, who led the transparency initiative at the Commerce Department, is now at CISA to fully realize the SBOM’s potential. He said, “to operationalize SBOM means to make sure that we can integrate this into daily operation, into existing tools, and the final status of hooking it into the existing vulnerability and cyber security ecosystem.” Having already led the NTIA in its July issuance of “minimum elements of a software bill of materials,” (a step toward creating a potential federal benchmark and market standard) we can look to Mr. Friedman and the Agency as a source of information, guidance and an opportunity to partner.

Interos Insight: While a bill of materials has always been a regular part of supply chain management, this was not always the case for software. In fact, the idea really only got mainstream attention in May 2021, when the Biden administration issued an executive order citing SBOMs as a necessary measure to improve U.S. cyber security. The order requires the government’s critical software vendors to supply SBOMs for their products and employ automated tools to maintain trusted source code supply chains. The EO applies only to vendors that do business with the U.S. government; however, considering the increase in supply chain attacks, providing a compliant SBOM is likely to become a requirement for most businesses, particularly in regulated industries where a software supply chain failure could result in major consequences.

If you don’t already create SBOMs for your software, there’s never been a better time to start. Not only does knowing what entities are in your software supply chain help secure against vulnerabilities, but it also uncovers hidden licensing risks used in third party software or code. Interos can help partners establish automated mapping, enabling customers to invest in the right, trusted technology and catalogue the use of open source and third-party software to deliver a complete and accurate SBOM.

 

Dyson Dumps Malaysian Supplier ATA Over Labour Concerns

 

High-tech home appliance maker Dyson told Reuters it had cut ties with supplier ATA IMS following an audit of the Malaysian company’s labor practices and allegations by a whistleblower, sending ATA shares plunging.

ATA, which is already being investigated by the United States over forced labor allegations, confirmed Dyson has terminated its contracts and that it has been in talks with the customer over the audit findings. It had previously denied allegations of labor abuse.

Interos Insight: ESG risks as well as violations of other country-specific restricted lists are not always easy to determine. Companies sometimes look to obfuscate their practices and procuring from such organizations can leave you at risk to penalties, loss of business, and reputational damage. Interos’ database and ML algorithms helps to inform clients before they engage with an industry leading relationship map that continues to update relationships in your supply chain so you can focus on your business’ success.

New Plans to Boost Cyber Security of UK’s Digital Supply Chains

 

Several reports were released as part of the UK Government’s effort to protect the UK’s digital infrastructure and improve the cyber resilience of organization’s supply chains across the economy and society. These plans include new procurement rules to ensure the public sector buys services from firms with good cyber security. The plans also call for improved advice and guidance campaigns to help businesses manage security risks.

The move follows a consultation by the Department for Digital, Culture, Media, and Sport (DCMS) to enhance the security of digital supply chains and third-party IT services, which are used by firms for things such as data processing and running software.

The reports show that the majority of CEOs and directors of Britain’s top companies (91%, up from 84% in 2020) see cyber threats as a high or very high risk to their business, but nearly a third of leading firms are not acting on supply chain cyber security, with only 69% saying their organization actively manages supply chain cyber risks.

Interos Insight: The British Government is ahead of many NATO peers in enforcing cyber security measures. While there are already procedures to encourage firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect sensitive data, stricter legislation is almost assuredly soon to arrive. The poll also showed that 82% of respondents agreed legislation could be an effective solution. Although regulatory requirements differ across countries and industries, the trend toward greater disclosure and transparency is clear, and is generally bipartisan. Supply chain risk practitioners and industry leaders can use Interos’ AI driven software to assist in getting ahead of the curve and ensuring they are constantly in compliance and continually monitoring their supply chain with updated analytics.

 

China Set to Create New State-Owned Rare-Earths Giant

 

China has merged several rare-earth assets to create a mammoth state-owned rare-earths company to maintain its dominance in the global supply chain of the strategic metals as tensions deepen with the U.S. The new firm will be called China Rare-earth Group and will be based in resource-rich Jiangxi province in southern China. The combined group is designed to further strengthen Beijing’s pricing power and avoid infighting among Chinese firms, and to use that clout to undercut Western efforts to dominate critical technologies.

Interos Insight: China has long dominated the rare-earth industry. It is estimated that the country will soon account for approximately 70% of total global production of medium and heavy rare-earths and 40% of the total global rare-earth market. The nation also has an overwhelming monopoly on processing these minerals. Medium and heavy rare-earths such as dysprosium and terbium, are considered essential for the production of high-performance magnets, which are used in motors and other components of electric vehicles. The US has taken some steps to encourage more rare-earth production in Australia (the US Defense Department signed a technology investment agreement with Australia’s Lynas Rare Earths company which the Pentagon called “the largest rare-earth element mining and processing company outside of China”).

President Biden has also issued an executive order naming rare-earth minerals as one of four key areas in need of more robust policy options to reduce supply chain risks. Companies with any component in their supply chain that requires rare-earth materials will want to monitor developments here closely since the Chinese government’s restructuring gives them a clear and solid control over much of the supply chain – from production to exports. Additionally, since the previously “private” Chinese mining companies are now “civil-military” fusion contributors to the Chinese defense industrial base, it would not be impossible to imagine them and other companies in China’s critical mineral ecosystem winding up on Section 1260H of the NDAA2021.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

The Top 5 Supply Chain News Stories You Need to Know The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

What We’re Reading

House Homeland Committee Scrutinizes Cyber Security Directives on Transportation Sector  – Industrial Cyber Pandemic Preparedness Story summary: A House Joint Subcommittee on Homeland Security met in late October to consider industry-wide cyber security directives for the transportation sector. Subcommittee Chairman Rep. Bennie Thompson (D-Miss.) called on the Transportation Security Administration to work in close collaboration with the Cybersecurity and Infrastructure Security Agency to craft requirements to achieve security industry-wide benefits. If successful, Thompson argued these potential requirements could position the transportation sectors as a model for mandating cybersecurity measures. Interos Insight: Private entities own and operate more than 86% of the critical infrastructure in the United States. As the US government looks to build requirements for reporting and regulations for industry, transportation leaders are again reminded that cyber security is a national security concern. Transportation companies need visibility into their own companies, but also those in their extended supply chains to avoid potential devastating ripple effects.

 

 

Biden Signs Legislation to Tighten U.S. Restrictions on Huawei, ZTE

Story summary: President Joe Biden signed The Secure Equipment Act earlier this month that prevents technology companies believed to be security threats like Huawei and ZTE from receiving new equipment licenses from US regulators. The new law is the latest federal effort to crack down on Chinese telecom and tech companies that may pose a cybersecurity threat.

Interos Insight: While the 2019 National Defense Authorization Act (NDAA) banned these companies from selling to Federal agencies, their products are still available for consumers, enterprises, and were – sometimes unknowingly – in the supply chain of other buyers. While the law’s current “Covered Equipment and Services” list only names five foreign companies, Interos’ mapping has identified more than 900 foreign companies that could be of concern with more likely still to be discovered. Interos’ methodology team goes through an ongoing rigorous, manual and automated process to make sure that all related entities are discovered and tracked. With such strong bipartisan support, it is clear that compliance will be required and enforced. Companies with any related parts in their supply chain are encouraged to ensure they have the analytical tools necessary for discovery.

Commerce Adds NSO Group to Entity List for Malicious Cyber Activities

Story summary: The US Commerce Department’s Bureau of Industry and Security (BIS) has added four foreign companies to its Entity List, essentially blacklisting them from trade with US companies. The decision comes as these companies – two from Israel, and one each from Russia and Singapore – were deemed to act in a way that went against the national security or foreign policy interests of the United States. NSO Group and Candiru, the two companies from Israel, reported supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Interos Insight: The move is a little surprising as the two Israeli firms operate in an Allied country. Following this announcement, Isaac Benbenisti, a telecommunications executive who joined NSO in August and was recently named to succeed NSO founder and CEO Shalev Hulio, abruptly resigned. These additions to prohibited and restricted entities lists (which are increasingly frequent and unpredictable) illustrate just how quickly the notion of who is safe or unsafe to do business with can change. It also highlights the importance of investing in real-time monitoring solutions that can discover hidden connections to these entities, who often act through seemingly legitimate middlemen that conceal nefarious state and non-state-backed activity.

U.S. Chipmaker Micron Unveils $150bn Global Expansion Plan

Story summary: Micron Technology said it will invest $150 billion in chip manufacturing and research and development over the next decade as governments around the world vie to bring vital semiconductor production on shore.

Interos Insight: As the semiconductor shortage goes on, companies like Micron are evaluating their business model, including the physical locations where their products are made. Countries like the United States have begun creating location-based tax incentives, an about-face after ignoring on-shoring semiconductor production for decades due the high cost. However, Micron notes they expect that production costs in the United States will be 35% to 45% higher than elsewhere. While geographic location is important, Interos’ data connections suggest that most, if not all, semiconductor supply chains are connected to each other. This indicates that although capacity is expanding within industry, it will take more than one company’s investment in capacity to solve the supply and demand problem.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

The notion of “too big to fail” gained prominence during the 2008 financial crisis, shifting entrenched perspectives toward landmark corporations. Since then, a very much still-ongoing pandemic has upended the global economy (and the supply chain it depends on) to an even greater degree. Massive technological and geopolitical shifts, coupled with shifting consumer behavior and attitudes, are further prompting renewed introspection as firms rethink resilience and the future of supply chain management in a post-pandemic global economy. Based on recent trends, corporations are again assessing their size, with events like the recent GE spin-off announcement becoming a growing – and potentially defining – feature of the shifting landscape toward greater resilience.

The End of the Conglomerate Era?

As alluded to above, within weeks corporate titans Toshiba, GE, and Johnson & Johnson all announced intentions to spin-off parts of their enterprise. Earlier this year, Dell Technologies made a similar calculation with the spin-off of VMWare, while Siemens and Honeywell also similarly pared down over the last year. In each case, creating a more efficient business model, optimizing the more profitable product lines, and streamlining business operations have been the driving factors behind the conglomerate breakups.

These recent breakups have been dubbed “the end to the era of the conglomerate.” However, they may also be a sign of greater confidence in the global economy. While spin-offs declined during the pandemic, these recent breakups might be an indicator of greater confidence in an economic recovery. Over the last decade, many conglomerates built specialized business lines that were quite distinct from other parts of the company — for example, the healthcare operations that will form the basis of the GE spin-off. The pandemic has accelerated these distinctions across business lines, while also amplifying differences in financial performance. The timing may be right for many corporations to build upon economic growth and seek spin-offs to optimize market and investment value as well as growth driven by innovation.

Moreover, the massive economic shocks during 2020 also revealed the fragility and insecurity of hyperspecialized global supply chains. While much attention has been on the efficiencies gained within business lines, discussions of potential negative outcomes for the future of supply chain efficiencies and of resilience in general are remarkably absent in talk about the impact of corporate break-ups. However, a quick analysis of these companies’ supply chains illustrates that these decisions have global implications and ripple throughout large, medium, and small businesses alike.

The Global Impact of the GE Spin-off and Other Break-Ups

A quick assessment of the supply chains of recent conglomerate break-ups illustrates the global impacts of these spin-offs. They are not contained to one single country or industry, but rather ripple across the globe and across sectors. Across Toshiba, GE, and Johnson & Johnson, thousands of tier 1 suppliers are impacted. When extending out to the second and third tiers of those respective supply chains, the numbers jump into the hundreds of thousands of businesses that may be affected. This does not necessarily imply a negative effect, but rather uncertainty that may be introduced into the future of supply chains that continue to feel extended shocks as the global economy realigns and rebounds.

While a third of these companies’ tier 1 suppliers are located in the United States, countries across the globe – including China, the United Kingdom, Brazil, Australia, Egypt, and India – may also be impacted by breakups like the GE spin-off. In addition, the software, machinery, and semiconductor industries are the most prominent in the first tier of these companies, but the impact is much more expansive. From media to IT services to life sciences, companies across the globe and across industries may experience a jolt as these major conglomerates realign their business units and corporate structures.

The Future of Supply Chain Ripple Effects in the New Normal

Is it truly the end of the conglomerate era or simply a sign of growing confidence in a transformed global economy? It could reflect a little of both, as new innovations, emerging technologies, shifting consumer demands, and a transition from “just in time” to “just in case” production alter strategic plans and the future of supply chains. As corporations continue to assess the best path toward resilience in a time of global disruptions, moves like the GE spin-off likely will continue to emerge as a profitable and efficient part of this calculus.

Over the course of the pandemic, major corporations that lacked visibility into their supply chains learned the hard way of the downstream concentration and geographic risks at far corners of their supply chain. With corporate spin-offs, firms that lack upstream visibility similarly may be surprised to learn that a distant spin-off may impact them. While spin-offs may be a path toward stability for those conglomerates, it could introduce uncertainty for their partners across their immediate and extended future supply chains.

The latest breakups are yet another indicator of the new normal, a time of uncertainty corresponding with dramatic shifts in the global economy, emerging technologies, and geopolitical upheavals. Will the need for renewed “focus” that is driving many of the spin-offs also include a new focus on resilience across supply chains? Is this part of a broader “end of the era of the conglomerate,” and if so, will certain sectors be more impacted than others?

At Interos, we will continuously monitor how these breakups propagate across supply chains, including the downstream effects on suppliers across a range of industries, and how they may impact risk across the supply chain ecosystem as companies continue to grapple with improving resilience in the new normal.

To learn more about Interos, visit Interos.ai. 

Bringing Together Three Industry Disruptors for the Supply Chain Risk Management Market

At Interos, a leading firm in the supply chain risk management market, our business centers on the ability to provide customers with deep visibility into their complex global supply chains and the web of supplier partners that comprise them. From there, customers can determine how best to approach enterprise risk management and business continuity.

We provide a technology-based, real-time diagnostic of our customers’ supply chains, alerting them to potential issues and providing the intelligence to make agile course corrections when necessary.

Two important concepts lie at the heart of our business model: trust and transparency. Companies and organizations today have never been in more need of trusted partners and relationships built on full transparency.

Indeed, trust and transparency are fast becoming the new currencies for business and for all business partnerships — and the supply chain risk management market is no exception. That’s because the enterprise risk management and business continuity challenges organizations face today are so demanding and complex that no one can afford to go it alone.

We believe in the power of partnerships and the interdependencies and synergies that make “the whole greater than the sum of its parts.”

And that’s why I’m thrilled that earlier today, Interos announced new strategic partnerships with Accenture Ventures’ Project Spotlight program and Coupa Ventures, the world’s leading technology platform for managing business transactions across procurement, payments, and supply chain.

These two agenda-setting companies have joined our $100 million Series-C funding round as we continue to grow our Operational Resilience Cloud, which combines the power of our proprietary AI algorithm with the world’s largest repository of supplier-relationship data. As we develop these technologies, we increasingly empower businesses to handle enterprise risk management and business continuity. This includes monitoring supplier compliance for labor, financial, and environmental regulations, pending natural disaster issues, trade disputes, and potential geopolitical conflicts, among others.

Accenture and Coupa join an already-robust group of investors and partners at Interos, including Kleiner Perkins, Venrock, and NightDragon, who led our Series C funding round. They also join a host of other industry partners that provide the resources and capabilities that have enabled us to become first-to-market in the burgeoning operational resilience industry.

The Power of Partnership 

Like all businesses, the strength of Interos comes from our partnerships and the increased combined value we can bring customers in the supply chain risk management market. It’s truly a case of “1+1+1=5”.

With Accenture onboarded as a partner, it provides us with extraordinary strategic counsel capabilities across the supply chain and operational resilience landscapes. At the same time, its customers now gain access to a real-time feed of supply chain risk and operational resilience information trusted by Accenture.

Coupa brings world-class transaction management capabilities which will help businesses further improve enterprise risk management and business continuity.

Both partners will also be integral in supporting new innovations. We will work closely with them to identify and bring to market new products and solutions that will further help our customers gain operational resilience and a stronger footing for continued growth.

I could not be more excited about this latest development. We’re bringing together partners who share similar cultures and values, bring to bear complementary capabilities, and are passionate about the power of global supply chain innovations in saving businesses and the planet in our rapidly approaching post-pandemic world.

These types of partnerships don’t happen overnight. It takes hard work, substantial due diligence, extended negotiations, clear, consistent, and authentic communication, and a candid assessment of each other’s strengths and weaknesses.

And, of course, it requires a healthy dose of self-awareness. All market-leading organizations understand when to buy, build, and partner. For instance, you can be the strongest product creator in your market and just not be equipped to handle the services side of things or vice-versa.

The Road Ahead for Enterprise Risk Management and Business Continuity

Our customers require the best tools possible as they confront the challenges of enterprise risk management and business continuity. As we continue to bring to market the world’s strongest supply-chain visibility and diagnostic platforms, we will continue to work with incredible partners that share our commitment of providing the highest levels of trust and transparency across all business relationships.

Accenture and Coupa fit that bill for us, and we do the same for them.

That’s the true power of partnership. And we can’t wait to get started providing even more value to our customers in the supply chain risk management market. 

Big things ahead. Stay tuned.

To learn more, visit interos.ai.