Supply Beacon Vol. 5 – Russian Invasion of Ukraine Spurs Supply Chain and Cyber Concerns

February 25, 2022

Guidance: As the invasion of Ukraine continues to unfold, global supply chains are in a highly fluid state – we will be updating this blog with additional insights as more details of sanctions/counter-sanctions related to specific industries, countries and/or commodities are imposed.  Please look to our blog posts and customer communications for guidance on how to use the Interos Operational Resilience Platform to track the ripple effects on your supply chains.

Coordinated sanctions on Russia will impact both financial and physical supply chains

Summary: Following the Russian invasion of Ukraine on Thursday, the UK and US governments announced more significant and sweeping sanctions against major Russian banks, and defense equipment manufacturers. They also announced restrictions on the export of key technologies and other products. This sanctions package is far greater in scope and coordination than any predecessor, and is meant to cut off capital flows and access to technology critical to Russia’s modernization and advancement of its military and aerospace/weapons industries.

The response was organized with solidarity among allies, and the EU, Australia, New Zealand, Canada, Taiwan and Japan followed with their own sanctions on Friday. Canada cancelled all export permits in addition to naming 62 individuals and entities. Taiwan has not yet detailed all the tools it plans to employ, but the country’s inclusion is of critical importance since it is a global leader in the production of semiconductors – which many of the aforementioned countries have now banned exporting to Russia.

Additionally, the UK government banned Aeroflot from landing in the UK, suspended all flights to Moscow,  and will stop exports of high-tech items and oil refinery equipment. The EU is meeting late Friday to seek approval to freeze the assets of President Putin himself and of Sergey Lavrov, his foreign minister. The German government took the bold decision to put the Nord Stream 2 gas pipeline, which connects Russia with Germany, on hold.

The EU has thus far opted not to ban Russia from the Swift high-security network that facilitates payments among 11,000 financial institutions in 200 countries which would greatly impair their ability to pay for energy. However the restrictions leveraged on financial institutions are the most comprehensive in history to be enacted on an economy the size of Russia’s. The range of measures includes freezing the assets of certain Russian oligarchs, their families, and financial institutions, while also banning exports to Russian military organizations.

The sanctions against Russian banks will immediately disrupt Russia’s economy. The technology and industry restrictions could cripple many of the country’s leading companies, since they will choke off Russia’s imports of technological goods critical to operating as a modern economy.

The new restricted lists include a Russia-wide denial of exports of sensitive technology, focusing on the Russian defense, aviation and maritime sectors. In addition to robust restrictions on the Russian defense sector, the U.S. is imposing Russia-wide restrictions on sensitive U.S. technologies produced in foreign countries using U.S.-created software, technology or equipment. This novel use of the FDPR (Foreign Direct Product Rule) includes Russia-wide restrictions on semiconductors, telecommunications, encryption security, lasers, sensors, navigation, avionics and maritime technologies.

President Biden said the U.S. was “building a coalition of partners representing more than half of the global economy” that would limit Russia’s ability to do business in dollars as well as euros, pounds and yen.

In total, the sanctions will ban about $1 trillion in Russian financial assets from flowing through U.S. and allied financial markets.

Interos insight: Looking just at the newly U.S.-sanctioned Russian financial institutions, an analysis of Interos’ global relationship data found over 920 distinct related entities in our platform. The majority of the entities directly affected are in the U.S. (8%), followed by the UK and Ukraine (6% each). The industries directly affected by these sanctions are primarily oil and gas (20%), followed by banks (18%) and other firms operating in global capital markets (6%). The second tier of this supply chain of these 47 organization results in over 91,000 entities that could be affected, with more entities in the second tier located in other counties as Germany (over 7000).

This is a rapidly changing situation and, over the coming days, weeks and even months, we should expect the details of sanctions and export controls to be further refined and, if Putin continues his invasion, even harsher controls to be put in place. We will continue to analyze the complex ripple effects that these new restrictions will have globally, across industries’ supply chains. Additionally, our Resilience platform will be updating relevant policies and restricted lists/entities on an ongoing basis to reflect additional risks in customer supply chains.


Russian escalation raises concerns about state-sponsored cyber attacks on Western companies

Summary: Russia’s invasion of Ukraine, and the imposition of sanctions by the U.S. and European nations in response, have raised concerns about a large scale cyber attack against Western companies – and several Ukrainian government websites have already been taken offline.  A spate of ransomware and other attacks against U.S. and European firms in sectors ranging from logistics (Expeditors International) and mobile communications (Vodafone Portugal) to fuel distribution (Marquard & Bahls) were reported in February, causing severe disruption to services and supply chains.

While these attacks have generally been blamed on cyber criminals rather than nation-state actors, the Cybersecurity & Infrastructure Security Agency (CISA) recently posted a “shields up” warning to U.S. organizations, urging them to take steps to protect critical assets against possible Russian government attacks. Similarly, the UK’s National Cyber Security Centre has advised British companies to ensure their cyber defense measures are up to date.

Interos insight: Aside from energy and other critical infrastructure, companies in the aerospace and defense (A&D) industry are an obvious target for state-sponsored attacks, whether for denial of service or intellectual property theft. As well as their strategic importance to national security, they are vulnerable because of high levels of concentration risk in the sector as a result of the specialized products A&D firms rely on.

Concentration is a well-understood, but vitally important and often ignored risk in supply chain security. It refers to a cluster or a shared supplier within a supply chain. A cyber attack against Western companies could have disastrous effects.

If a shared prime A&D supplier were disrupted by a Russian cyber attack, it could have a strong ripple effect across the entire sector – much as the shutdown of Taiwanese chip makers during Covid-19 caused U.S. automotive production lines to grind to a halt.

To gauge the extent of concentration risk in A&D, Interos took the 2021 top 100 list of defense contractors published by the industry publication Defense News and used our global relationship data graph of more than 350 million entities to map their extended supply chains.

Of the 83 companies whose relationships we could map with a high degree of confidence, we found 1,755 common suppliers – that is to say, those that were used by at least two contractors. This included six of the top 20 suppliers to the industry, one of whom had 27 separate connections. And the list doesn’t only include component and material suppliers, but also banks and financial institutions. Indeed, 29 of the 83 A&D companies use the same bank, according to our data.

Most of the top 100 shared suppliers had solid cyber and financial risk scores, based on the Interos i-Score model. However, as we moved further down the list some issues started to appear. Suppliers based outside of Western Europe and the U.S./Canada may not be responding as one might hope to a “shields up” alert.

While criminal hackers pose a real threat to companies with inadequate cyber security measures, those that are state-sponsored – whether by Russia or other malevolent forces – can draw on vast resources and are therefore likely to be more successful in disrupting critical supply chains.


Uyghur Forced Labor Prevention Act set to have a significant effect on supply chains

 

Summary: In last month’s Beacon, we discussed the newly enacted U.S. Uyghur Forced Labor Prevention Act (UFLPA), which was signed into law on December 23, 2021, as part of the U.S. pushback against Beijing’s treatment of the Uyghurs and other persecuted minorities in China’s Xinjiang Uyghur Autonomous Region (the XUAR).

The effects on some supply chains would be significant since Xinjiang is one of the world’s largest producers of cotton and polysilicon, which is used to manufacture solar panels. The Act mandates that cotton, tomatoes, and polysilicon must be among the high-priority sectors in addition to building upon U.S. Customs and Border Protection’s existing “withhold release order” against all cotton and tomato products produced in the XUAR.

The Act requires the FLETF (Forced Labor Enforcement Task Force) to issue guidance on “due diligence, effective supply chain tracing, and supply chain management measures” aimed at avoiding the importation of goods produced with forced labor in the XUAR within 180 days of the UFLPA’s enactment on June 21, 2022.

Companies with supply chain exposure to the XUAR should expect compliance with the UFLPA to require significant supply chain diligence and documentation obligations. These requirements are likely to be strict given the already high bar on diligence established by the FLETF (and CBP established through continued partnerships with NGOs and other stakeholders focused on ending forced labor from global supply chains).

Interos insight: We identified over 2,000 companies that are directly connected to organizations using Uyghur labor and over 115,000 connected indirectly at the second tier of the supply chain.

Clients can use Interos’ to immediately illuminate companies in their existing supply chain that violate this law and easily screen for problematic organizations as they evaluate potential alternative suppliers of affected products and raw materials.


German Supply Chain Act will impact hundreds of non-German companies

Summary: Germany’s new Supply Chain Due Diligence Act comes into force on January 1, 2023. From that date, companies with at least 3,000 employees that have a headquarters or statutory seat in Germany, or those that have a branch in Germany employing at least 3,000 employees, will be required to take action to comply with the legislation.

The law requires both German-based companies (regardless of their legal structure) and foreign companies doing business in Germany to establish due diligence procedures to ensure compliance with specified core human rights and some environmental protections in their supply chains. Significantly, companies must not only conduct ongoing audits of their own business operations, but also those of their direct (tier-1) and, to some extent, indirect (tier-2 and beyond) suppliers.

And it’s not just the biggest companies that will be affected by the legislation. From January 1, 2024, the Act’s provisions will be extended to firms with 1,000 employees based in or doing business in, Germany.

Although other European Union member countries are not yet in agreement on the terms of such legislation, it is likely the E.U. will follow with similar laws in due course.

Interos insight: In its first year of implementation, the law will apply to over 600 German companies and hundreds of foreign firms. The number will grow to over 3,000 companies in the second year.

Interos’ proprietary ESG risk score dynamically assesses an organization’s risks as well as its place in a customer’s supply chain. When assessing suppliers to Germany, for example, we found that about 37% had potentially problematic ESG scores.

Some of the attributes that make up Interos’ country-level ESG score include:

  • Environment risk: CO2 emissions, biodiversity and protected areas, climate change performance index, and net zero commitments
  • Social risk: Global Slavery Index, gender gap, mineral risk score, and digital access index
  • Governance risk: Human rights, freedom index, counterfeit goods risk, political terror score

Supply chain implications of China’s zero-tolerance approach to Covid-19 infections

Summary: China’s zero-COVID policy may increase pressure on the global economy by prolonging supply chain disruptions and intensifying the impact of inflation. Supply chain bottlenecks were expected to “materially ease in the early months of this year,” with downward pressure on producer and input prices and shorter lead times, according to Katrina Ell, a senior economist for Asia-Pacific at Moody’s Analytics. “But given China’s zero-Covid policy and how they tend to shut down important ports and factories — that really increases disruption.”

The US Federal Reserve and the International Monetary Fund have both issued similar warnings. The IMF also revised up its near-term projection for inflation “in response to the anticipated slower resolution of supply issues”.

 

(note: lower index means longer lead time)

Interos insight: What was once the “perfect storm” – a confluence of circumstances leading to a rare event – has become the norm. The pandemic has exacerbated supply chain issues, and disruptions have lasted much longer than expected. Inventories in many industries would have reverted towards more typical levels by now, but policy decisions such as China’s zero-COVID rules have caused additional production delays as major cities or regions are shut down practically overnight.

Inflation, a byproduct of many other interdependent factors, makes the pain and real costs for supply chains much worse. Although no human or artificial intelligence system will be able to bring every unknown risk to the forefront, Interos’ supply chain mapping platform can help customers quickly identify where exogenous, unexpected policy decisions might negatively impact their ability to deliver products to customers in accordance with predictable pricing and timescales.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

View next

Ensure Operational Resilience

Request Contact

Build operational resiliency into your extended supply chain:

  • 889 compliance – ensure market access
  • Data sharing with 3rd parties and beyond – protect reputation
  • Concentration risk – ensure business continuity
  • Cyber breaches – assess potential exposure
  • Unethical labor – avoid reputational harm
  • On-boarding and monitoring suppliers – save time and money