Supply Beacon Vol. 5 – Russian Invasion of Ukraine Spurs Supply Chain and Cyber Concerns

Guidance: As the invasion of Ukraine continues to unfold, global supply chains are in a highly fluid state – we will be updating this blog with additional insights as more details of sanctions/counter-sanctions related to specific industries, countries and/or commodities are imposed.  Please look to our blog posts and customer communications for guidance on how to use the Interos Operational Resilience Platform to track the ripple effects on your supply chains.

Coordinated sanctions on Russia will impact both financial and physical supply chains

Summary: Following the Russian invasion of Ukraine on Thursday, the UK and US governments announced more significant and sweeping sanctions against major Russian banks and defense equipment manufacturers. They also announced restrictions on the export of key technologies and other products. This sanctions package is far greater in scope and coordination than any predecessor, and is meant to cut off capital flows and access to technology critical to Russia’s modernization and advancement of its military and aerospace/weapons industries.

The response was organized with solidarity among allies, and the EU, Australia, New Zealand, Canada, Taiwan and Japan followed with their own sanctions on Friday. Canada cancelled all export permits in addition to naming 62 individuals and entities. Taiwan has not yet detailed all the tools it plans to employ, but the country’s inclusion is of critical importance since it is a global leader in the production of semiconductors – which many of the aforementioned countries have now banned exporting to Russia.

Additionally, the UK government banned Aeroflot from landing in the UK, suspended all flights to Moscow, and will stop exports of high-tech items and oil refinery equipment. The EU is meeting late Friday to seek approval to freeze the assets of President Putin himself and of Sergey Lavrov, his foreign minister. The German government took the bold decision to put the Nord Stream 2 gas pipeline, which connects Russia with Germany, on hold.

The EU has thus far opted not to ban Russia from Swift, the high-security messaging network that facilitates payments among 11,000 financial institutions in 200 countries; such a ban would also greatly impair payment for Russian energy exports. However, the restrictions levied on financial institutions are the most comprehensive in history to be enacted on an economy the size of Russia’s. The range of measures includes freezing the assets of certain Russian oligarchs, their families, and financial institutions, while also banning exports to Russian military organizations.

The sanctions against Russian banks will immediately disrupt Russia’s economy. The technology and industry restrictions could cripple many of the country’s leading companies, since they will choke off Russia’s imports of technological goods critical to operating as a modern economy.

The new restricted lists include a Russia-wide denial of exports of sensitive technology, focusing on the Russian defense, aviation and maritime sectors. In addition to robust restrictions on the Russian defense sector, the U.S. is imposing Russia-wide restrictions on sensitive U.S. technologies produced in foreign countries using U.S.-created software, technology or equipment. This novel use of the FDPR (Foreign Direct Product Rule) includes Russia-wide restrictions on semiconductors, telecommunications, encryption security, lasers, sensors, navigation, avionics and maritime technologies.

President Biden said the U.S. was “building a coalition of partners representing more than half of the global economy” that would limit Russia’s ability to do business in dollars as well as euros, pounds and yen.

In total, the sanctions will ban about $1 trillion in Russian financial assets from flowing through U.S. and allied financial markets.

Interos insight: Looking just at the newly U.S.-sanctioned Russian financial institutions, an analysis of Interos’ global relationship data found over 920 distinct related entities in our platform. The largest shares of the entities directly affected are in the U.S. (8%), followed by the UK and Ukraine (6% each). The industries directly affected by these sanctions are primarily oil and gas (20%), followed by banks (18%) and other firms operating in global capital markets (6%). Extending the analysis to the second tier, these 47 sanctioned organizations reach over 91,000 entities that could be affected, with sizeable clusters in other countries such as Germany (over 7,000).

This is a rapidly changing situation and, over the coming days, weeks and even months, we should expect the details of sanctions and export controls to be further refined and, if Putin continues his invasion, even harsher controls to be put in place. We will continue to analyze the complex ripple effects that these new restrictions will have globally, across industries’ supply chains. Additionally, our Resilience platform will be updating relevant policies and restricted lists/entities on an ongoing basis to reflect additional risks in customer supply chains.


Russian escalation raises concerns about state-sponsored cyber attacks on Western companies


Summary: Russia’s invasion of Ukraine, and the imposition of sanctions by the U.S. and European nations in response, have raised concerns about a large-scale cyber attack against Western companies, and several Ukrainian government websites have already been taken offline. A spate of ransomware and other attacks against U.S. and European firms in sectors ranging from logistics (Expeditors International) and mobile communications (Vodafone Portugal) to fuel distribution (Marquard & Bahls) were reported in February, causing severe disruption to services and supply chains.

While these attacks have generally been blamed on cyber criminals rather than nation-state actors, the Cybersecurity & Infrastructure Security Agency (CISA) recently posted a “shields up” warning to U.S. organizations, urging them to take steps to protect critical assets against possible Russian government attacks. Similarly, the UK’s National Cyber Security Centre has advised British companies to ensure their cyber defense measures are up to date.

Interos insight: Aside from energy and other critical infrastructure, companies in the aerospace and defense (A&D) industry are an obvious target for state-sponsored attacks, whether for denial of service or intellectual property theft. As well as their strategic importance to national security, they are vulnerable because of high levels of concentration risk in the sector as a result of the specialized products A&D firms rely on.

Concentration is a well-understood, vitally important and often ignored risk in supply chain security. It refers to a cluster of companies depending on a single shared supplier within a supply chain. A cyber attack on such a shared supplier could have disastrous effects on every Western company that depends on it.

If a shared prime A&D supplier were disrupted by a Russian cyber attack, it could have a strong ripple effect across the entire sector – much as the shutdown of Taiwanese chip makers during Covid-19 caused U.S. automotive production lines to grind to a halt.

To gauge the extent of concentration risk in A&D, Interos took the 2021 top 100 list of defense contractors published by the industry publication Defense News and used our global relationship data graph of more than 350 million entities to map their extended supply chains.

Of the 83 companies whose relationships we could map with a high degree of confidence, we found 1,755 common suppliers – that is to say, those that were used by at least two contractors. This included six of the top 20 suppliers to the industry, one of whom had 27 separate connections. And the list doesn’t only include component and material suppliers, but also banks and financial institutions. Indeed, 29 of the 83 A&D companies use the same bank, according to our data.
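The shared-supplier count above comes down to inverting a buyer-to-supplier graph and looking for suppliers with two or more buyers. The following Python is an added example, not Interos code and not the analysis behind the figures above; it runs the same kind of concentration check over a small constructed graph (the contractor and supplier names are made up, and a supplier whose name starts with "Bank" stands in for a financial institution):

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data, not Interos data: contractor -> set of tier-1 suppliers.
# A supplier whose name starts with "Bank" stands in for a financial institution.
CONTRACTOR_SUPPLIERS = {
    "PrimeA": {"ChipCo", "ForgeCo", "Bank1", "OpticsCo"},
    "PrimeB": {"ChipCo", "ForgeCo", "Bank1", "RadarCo"},
    "PrimeC": {"ChipCo", "Bank1", "CompositesCo"},
    "PrimeD": {"ForgeCo", "Bank2", "OpticsCo"},
    "PrimeE": {"ChipCo", "Bank2", "SealsCo"},
}


def buyers_of(graph):
    """Invert the graph: supplier -> set of contractors that buy from it."""
    buyers = defaultdict(set)
    for contractor, suppliers in graph.items():
        for supplier in suppliers:
            buyers[supplier].add(contractor)
    return buyers


def shared_suppliers(graph, min_buyers=2):
    """Suppliers used by at least `min_buyers` contractors, most connected first.
    Returns a list of (supplier, sorted list of contractors)."""
    shared = [(s, sorted(b)) for s, b in buyers_of(graph).items() if len(b) >= min_buyers]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def blast_radius(graph, supplier):
    """Contractors directly disrupted if `supplier` is taken down, and that
    set as a fraction of the mapped contractor base."""
    hit = sorted(c for c, suppliers in graph.items() if supplier in suppliers)
    return hit, len(hit) / len(graph)


def contractor_overlap(graph):
    """Pairs of contractors ranked by how many suppliers they have in common;
    a pair with a large overlap is a cluster that one outage can hit together."""
    pairs = []
    for a, b in combinations(sorted(graph), 2):
        common = graph[a] & graph[b]
        if common:
            pairs.append(((a, b), len(common)))
    return sorted(pairs, key=lambda item: (-item[1], item[0]))


def concentration_report(graph, is_financial=lambda s: s.startswith("Bank")):
    """Summary in the shape of the figures quoted above."""
    shared = shared_suppliers(graph)
    return {
        "mapped_contractors": len(graph),
        "shared_supplier_count": len(shared),
        "most_connected": shared[0] if shared else None,
        "shared_banks": [(s, b) for s, b in shared if is_financial(s)],
    }


if __name__ == "__main__":
    report = concentration_report(CONTRACTOR_SUPPLIERS)
    print(report)
    print(blast_radius(CONTRACTOR_SUPPLIERS, report["most_connected"][0]))
    print(contractor_overlap(CONTRACTOR_SUPPLIERS)[:3])
```

A shared supplier with a high buyer count is the node whose outage or compromise cascades across the sector; `blast_radius` gives the fraction of the mapped contractor base that would be hit if it went down, which is the number to put next to that supplier's cyber score when deciding where to follow up on a "shields up" alert first.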

Most of the top 100 shared suppliers had solid cyber and financial risk scores, based on the Interos i-Score model. However, as we moved further down the list some issues started to appear. Suppliers based outside of Western Europe and the U.S./Canada may not be responding as one might hope to a “shields up” alert.

While criminal hackers pose a real threat to companies with inadequate cyber security measures, those that are state-sponsored, whether by Russia or another hostile government, can draw on vast resources and are therefore likely to be more successful in disrupting critical supply chains.


Uyghur Forced Labor Prevention Act set to have a significant effect on supply chains

Summary: In last month’s Beacon, we discussed the newly enacted U.S. Uyghur Forced Labor Prevention Act (UFLPA), which was signed into law on December 23, 2021, as part of the U.S. pushback against Beijing’s treatment of the Uyghurs and other persecuted minorities in China’s Xinjiang Uyghur Autonomous Region (the XUAR).

The effects on some supply chains would be significant since Xinjiang is one of the world’s largest producers of cotton and polysilicon, which is used to manufacture solar panels. The Act mandates that cotton, tomatoes, and polysilicon must be among the high-priority sectors in addition to building upon U.S. Customs and Border Protection’s existing “withhold release order” against all cotton and tomato products produced in the XUAR.

The Act requires the Forced Labor Enforcement Task Force (FLETF) to issue guidance on “due diligence, effective supply chain tracing, and supply chain management measures” aimed at avoiding the importation of goods produced with forced labor in the XUAR within 180 days of the UFLPA’s enactment, that is, by June 21, 2022, the date on which the Act’s rebuttable presumption against XUAR goods also takes effect.

Companies with supply chain exposure to the XUAR should expect compliance with the UFLPA to require significant supply chain diligence and documentation obligations. These requirements are likely to be strict, given the high bar on diligence that the FLETF and CBP have already established through continued partnerships with NGOs and other stakeholders focused on ending forced labor in global supply chains.

Interos insight: We identified over 2,000 companies that are directly connected to organizations using Uyghur labor and over 115,000 connected indirectly at the second tier of the supply chain.

Clients can use the Interos platform to immediately illuminate companies in their existing supply chain that fall under this law, and to screen for problematic organizations as they evaluate alternative suppliers of affected products and raw materials.


German Supply Chain Act will impact hundreds of non-German companies


Summary: Germany’s new Supply Chain Due Diligence Act comes into force on January 1, 2023. From that date, companies with at least 3,000 employees that have a headquarters or statutory seat in Germany, or those that have a branch in Germany employing at least 3,000 employees, will be required to take action to comply with the legislation.

The law requires both German-based companies (regardless of their legal structure) and foreign companies doing business in Germany to establish due diligence procedures to ensure compliance with specified core human rights and some environmental protections in their supply chains. Significantly, companies must not only conduct ongoing audits of their own business operations, but also those of their direct (tier-1) and, to some extent, indirect (tier-2 and beyond) suppliers.

And it’s not just the biggest companies that will be affected by the legislation. From January 1, 2024, the Act’s provisions will be extended to firms with at least 1,000 employees that are based in, or do business in, Germany.

Although other European Union member countries are not yet in agreement on the terms of such legislation, it is likely the E.U. will follow with similar laws in due course.

Interos insight: In its first year of implementation, the law will apply to over 600 German companies and hundreds of foreign firms. The number will grow to over 3,000 companies in the second year.

Interos’ proprietary ESG risk score dynamically assesses an organization’s risks as well as its place in a customer’s supply chain. When assessing suppliers to Germany, for example, we found that about 37% had potentially problematic ESG scores.

Some of the attributes that make up Interos’ country-level ESG score include:

  • Environment risk: CO2 emissions, biodiversity and protected areas, climate change performance index, and net zero commitments
  • Social risk: Global Slavery Index, gender gap, mineral risk score, and digital access index
  • Governance risk: Human rights, freedom index, counterfeit goods risk, political terror score

Supply chain implications of China’s zero-tolerance approach to Covid-19 infections

Summary: China’s zero-COVID policy may increase pressure on the global economy by prolonging supply chain disruptions and intensifying the impact of inflation. Supply chain bottlenecks were expected to “materially ease in the early months of this year,” with downward pressure on producer and input prices and shorter lead times, according to Katrina Ell, a senior economist for Asia-Pacific at Moody’s Analytics. “But given China’s zero-Covid policy and how they tend to shut down important ports and factories — that really increases disruption.”

The US Federal Reserve and the International Monetary Fund have both issued similar warnings. The IMF also revised up its near-term projection for inflation “in response to the anticipated slower resolution of supply issues”.

Interos insight: What was once the “perfect storm” – a confluence of circumstances leading to a rare event – has become the norm. The pandemic has exacerbated supply chain issues, and disruptions have lasted much longer than expected. Inventories in many industries would have reverted towards more typical levels by now, but policy decisions such as China’s zero-COVID rules have caused additional production delays as major cities or regions are shut down practically overnight.

Inflation, a byproduct of many other interdependent factors, makes the pain and real costs for supply chains much worse. Although no human or artificial intelligence system will be able to bring every unknown risk to the forefront, Interos’ supply chain mapping platform can help customers quickly identify where exogenous, unexpected policy decisions might negatively impact their ability to deliver products to customers in accordance with predictable pricing and timescales.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

Supply Chain Disruption from the Russian Invasion of Ukraine

*The statistics in the blog below have been updated following a deeper analysis of the supply chain. We are continuing to monitor the highly volatile situation in Ukraine and will update this piece accordingly as new information becomes available. 

The Russian invasion of Ukraine has the potential to cause extensive and debilitating supply chain disruption across the globe. The effects range from rising input costs to a heightened threat of cyber attacks.

Russia and Ukraine Supply Chains Key to Global Economy

Today thousands of U.S. and European companies do business with suppliers in Russia and Ukraine. Many of them could be at risk during a prolonged military conflict. Analysis of global relationship data on the Interos platform reveals critical findings:

  • More than 2,100 U.S.-based firms and 1,200 European firms have at least one direct (tier-1) supplier in Russia.
  • More than 450 firms in the U.S. and 200 in Europe have tier-1 suppliers in Ukraine.
  • Software and IT services account for 13% of supplier relationships between U.S. and Russian/Ukrainian companies. Consumer services represent another 7%. Trading and distribution services account for about 6%, while industrial machinery accounts for about 4%. Oil, gas, steel, and metal products make up much of the remaining purchases from the two countries.

The proportion of U.S. and European supply chains that include tier-1 Russian or Ukrainian suppliers is relatively low. This increases substantially when incorporating indirect relationships with suppliers at tier-2 and tier-3.

  • More than 15,100 firms in the U.S. and 8,200 European firms have tier-2 suppliers based in Ukraine.
  • More than 190,000 firms in the U.S. and 109,000 firms in Europe have Russian or Ukrainian suppliers at tier-3.

Supply chain and information security leaders in U.S. and European organizations should review their dependence on Russian and Ukrainian suppliers at multiple tiers. This is a key first step in assessing risk exposure in the region and ensuring operational resilience.
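The tier counts above are the output of a multi-tier traversal of a relationship graph. As an added example that is not Interos code, the following Python shows how such a traversal works on a small constructed graph (entity names are made up; the two-letter prefix of each name is its country): a breadth-first walk from each firm up to a depth limit, recording the shallowest tier at which a supplier in Russia or Ukraine appears. The visited set matters because real supplier graphs contain cycles (a supplier that is also a customer), and breadth-first order guarantees that the tier reported for an entity is the closest one.

```python
from collections import deque

# Constructed sample graph, not Interos data: buyer -> set of tier-1 suppliers.
# The two-letter prefix of each name is the entity's country.
SUPPLIERS = {
    "us_auto":    {"us_tier1", "de_gear"},
    "us_tier1":   {"ua_harness", "us_steel"},
    "de_gear":    {"pl_cast"},
    "pl_cast":    {"ru_nickel", "de_gear"},   # de_gear <-> pl_cast is a cycle
    "ua_harness": {"cn_copper"},
    "eu_pharma":  {"ch_api"},
    "ch_api":     {"ru_solvent"},
}
ALL_ENTITIES = set(SUPPLIERS) | {s for ss in SUPPLIERS.values() for s in ss}
COUNTRY = {name: name.split("_")[0].upper() for name in ALL_ENTITIES}

TARGETS = {"RU", "UA"}


def exposure(graph, country_of, firm, targets=TARGETS, max_tier=3):
    """Map each supplier of `firm` located in `targets` to the shallowest tier
    (1 = direct) at which it is reached, searching at most `max_tier` deep.
    Breadth-first order guarantees the shallowest tier; the `seen` set stops
    cycles and keeps an entity from being counted twice."""
    found = {}
    seen = {firm}
    frontier = deque([(firm, 0)])
    while frontier:
        node, tier = frontier.popleft()
        if tier >= max_tier:
            continue            # do not expand beyond the depth limit
        for supplier in graph.get(node, ()):
            if supplier in seen:
                continue
            seen.add(supplier)
            if country_of.get(supplier) in targets:
                found[supplier] = tier + 1
            frontier.append((supplier, tier + 1))
    return found


def shallowest_tier(graph, country_of, firm, targets=TARGETS, max_tier=3):
    """Closest tier at which `firm` touches a target country, or None."""
    hits = exposure(graph, country_of, firm, targets, max_tier)
    return min(hits.values()) if hits else None


def firms_by_shallowest_tier(graph, country_of, firms, targets=TARGETS, max_tier=3):
    """Count firms by the closest tier at which they are exposed."""
    counts = {tier: 0 for tier in range(1, max_tier + 1)}
    for firm in firms:
        tier = shallowest_tier(graph, country_of, firm, targets, max_tier)
        if tier is not None:
            counts[tier] += 1
    return counts


if __name__ == "__main__":
    for firm in ("us_auto", "us_tier1", "eu_pharma"):
        print(firm, exposure(SUPPLIERS, COUNTRY, firm))
    print(firms_by_shallowest_tier(
        SUPPLIERS, COUNTRY, ["us_auto", "us_tier1", "eu_pharma", "us_steel"]))
```

Counting a firm only at its shallowest tier keeps the per-tier totals from double-counting the same firm; if the question is instead "how many firms have any tier-3 exposure", use the full `exposure` map rather than `shallowest_tier`. The depth limit is deliberate: past tier-3 the confidence in relationship data drops and nearly every firm ends up connected to everything.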

Supply Chain Interruption: 4 Major Risks

The many connections between US, European, Russian, and Ukrainian businesses highlight the potential for supply chain disruption.

In the event of a Russian invasion of Ukraine, four major areas could spark supply chain disruption:

Commodity price increases

Energy, raw material, and agricultural markets all face uncertainty as tensions escalate. Russia provides over a third of the European Union’s natural gas, and threats to this supply could force up prices when companies and consumers are already facing higher energy bills. Natural gas supply pressures likely would spike volatility in other energy markets too. By one estimate, an invasion could send oil prices spiraling to $150 a barrel, lowering global GDP growth by close to 1% and doubling inflation. Even lower estimates of $100 a barrel would cause input costs and consumer prices to soar.

Food inflation is another risk that may cause supply chain disruption. Ukraine is on track to become the world’s third-largest exporter of corn, and Russia is the world’s top wheat exporter. Ukraine is also a top exporter of barley and rye. Rising food prices would only be exacerbated by additional price shocks, especially if Russian loyalists seize core agricultural areas in Ukraine.

A conflict could continue to squeeze metal markets. Russia controls roughly 10% of global copper reserves and is also a significant producer of nickel, platinum and aluminum. Nickel has been trading at an 11-year high, and further price increases for aluminum are likely with any disruption in supply caused by the conflict.

Firm-level export controls and sanctions

U.S. and European export controls could exacerbate commodity cost pressures. The use of such controls to restrict certain companies or products from supply chains has soared over the last few years. While many have been aimed at Chinese companies, a growing number of Russian firms have been earmarked for export controls for “acting contrary to the national security or foreign policy interests of the United States.”

Not surprisingly, U.S. companies and business groups are urging the government to be cautious in how it applies any new rules. Prominent Russian companies already on a U.S. restrictions list include Rosneft and subsidiaries, and Gazprom. Extending export controls and sanctions to Gazprom’s subsidiaries, other energy producers and key mining and steel market firms could further impact supply availability and input costs.

U.S. and E.U. sanctions would also likely target the Russian financial sector, including state-owned banks, as a deterrence tactic. U.S. officials have noted that any sanctions would be aimed at the Russian financial sector for a “high impact, quick action response.”

Cyber security collateral damage and supply chain turmoil

Entities linked to malicious cyber activity may also face further repercussions from the U.S. and its partners. Ukraine is certainly no stranger to Russian cyber aggression. Russia has twice disrupted the Ukrainian electric grid, first in December 2015, leaving hundreds of thousands of Ukrainians in the cold, and again in December 2016. But destructive attacks on the country’s infrastructure could also spark significant collateral damage in global supply chains.

In 2017, the NotPetya attack on Ukrainian tax reporting software spread across the world in a matter of hours. The attack disrupted ports, shut down manufacturing plants, and hindered the work of government agencies. The Federal Reserve Bank of New York estimated that victims of the attack, including Maersk, Merck, and FedEx, lost a combined $7.3 billion.

This figure could pale compared to the global supply chain impact of a Russia-Ukraine military conflict, which would inevitably include a cyber element. Whether Russia would target its cyberwar playbook at U.S. or E.U. targets in retaliation for any support to Ukraine remains hotly debated. But the Cybersecurity and Infrastructure Security Agency (CISA) has been urging U.S. organizations to prepare for potential Russian cyberattacks, including data-wiping malware, illustrating how the private sector risks becoming collateral damage from geopolitical hostilities.

Geopolitical instability

Cyberwarfare would be unlikely to remain within Ukraine’s borders. Thus the destabilizing effect of a Russian invasion could have wider geopolitical ramifications. In Europe, a refugee crisis could emerge, with three to five million refugees seeking safety from the conflict. In Africa and Asia, rising food prices could fuel popular uprisings. Of the 14 countries that rely on Ukraine for more than 10% of their wheat imports, the majority already faces food insecurity and political instability.

China is watching closely to see how the world responds if Russia invades Ukraine. The superpower has its own aspirations of seizing territory and extending its sphere of influence. Taiwan’s defense minister has remarked that tensions over Taiwan are the worst in 40 years. A Russian invasion could further embolden China to enlist military tactics against Taiwan. In addition to far-reaching geopolitical implications, this would have a significant impact on electronics and other global supply chains.

How to Stop Supply Chain Disruption

Many of these risks may not materialize and represent a worst-case scenario. But executives should think carefully about the potential impact of a Russia-Ukraine military conflict. These leaders need to ensure appropriate contingency plans for their most critical supply chains and riskiest suppliers in the region.

Risk mitigation strategies include:

  • evaluating required levels of inventory and labor in the short to medium term;
  • discussing business continuity plans with key suppliers; and
  • preparing to switch to, or qualify, alternative sources for essential products and services.

With the right technology to enable proper analysis, planning, and execution, it is possible to mitigate significant risk, ensure operational resilience, and avoid supply chain disruption. For more information about the Interos platform and how it can help with this process, visit interos.ai

The Importance of Third-Party Risk Management

The SolarWinds supply chain breach remains one of the most striking examples of a top third-party risk being realized in recent history, exposing the information of some of the world’s most prominent companies and numerous high-profile government agencies.

It was not just the approximately 18,000 organizations that installed the trojanized Orion update that were exposed, but countless business partners, service providers, suppliers, customers, and prospects that found themselves victims as well. The attackers followed up on only a small subset of those 18,000, but every organization that ran the update had to treat itself as compromised until it could prove otherwise. On average, the breach is estimated to have cost affected organizations $12 million.

While already well known, the SolarWinds attack further exposed the fragility of a global economy that thrives on third-party relationships. These relationships help organizations improve performance and backfill talent and supply shortages, especially during the pandemic, but also broaden the attack surface for threat actors. 

In a new study, “Third-Party Risk: A Turbulent Outlook,” Interos and the Cyber Risk Alliance surveyed more than 300 technology leaders to better understand how well organizations understand and manage top third-party risks. 

What You’ll Find In The Third Party Risk Management White Paper

The survey highlighted the depth of third-party relationships and the need for improved risk management. On average, the majority of respondents (76%) contract with up to 25 different vendors, business partners, brokers, contractors, distributors, agents, and resellers. For large enterprises (companies with more than 10,000 employees), an astonishing 15% relied on more than 250 third-party providers. 

Virtually all organizations (95%) indicated partnerships with IT software, platform, or service providers. This is not to say that these partnerships are bad – they enable today’s lightning-fast global delivery system. 

Other key takeaways from the survey: 

  • 60% of respondents experienced an IT security incident in the past two years due to a third-party partner with access privileges. The most-likely consequences were the theft of sensitive data or a business outage. 
  • While 52% of those who experienced third-party related attacks indicated they lost less than $100,000 in damages, another 45% incurred higher costs, with a few paying $1 million or more. 
  • Victims impacted by the SolarWinds supply chain attack suffered everything from day-long shutdowns to crucial data leakages. 
  • Perhaps because of real or perceived threats from SolarWinds and similar top third-party risks, 70% of respondents ranked cyber the No. 1 or No. 2 risk among their third-party/supply chain partners. 
  • Supply chain visibility is more essential than prior to the pandemic. Almost everyone wanted increased visibility, with 72% believing that tracking components, sub-assemblies, and final products was very or critically important. 
  • More than three out of four (76%) IT leaders and influencers rated managing third-party risk as a high or critical priority at their organizations — for most respondents (74%) this priority has increased in importance since 2020, when the pandemic created major micro and macro business disruptions, including supply and workforce shortages. 
  • Nearly half of all respondents (45%) said they implement the guidelines within the NIST Cybersecurity Framework in their third-party vendor assessments. 

Third-Party Cyber Risk Management Has Never Been More Important

The survey found that the vast majority of respondents (72%) called supply chain visibility important, but only a small fraction actually had adequate insight into their suppliers. 

In reporting their highest level of supply chain visibility, 41% had visibility only on their most critical third–party direct dependencies, while 26% could see the full map of interdependencies across all tiers in their supply chains. 

The Covid-19 pandemic was regularly cited as a reason for lowered visibility. When asked about specific challenges in managing third-party risk, the top answers were a lack of qualified staff to implement a management solution (30%) and the difficulty of accurately assessing and managing a large number of partners (26%).

To better manage top third-party risks, Interos advises companies to prioritize risk management and follow industry standards and guidelines such as the NIST Cybersecurity Framework. They should also adopt multiple methods to vet third-party providers, and continually reassess third parties for risk, among other solutions highlighted in the report. For more information about how the Interos platform can help to assess and address these risks, visit interos.ai