Supply Beacon Vol. 4 – Meta users targeted, bill of materials and microchips

The Top 5 Supply Chain News Stories You Need to Know
The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

Facebook says 50,000 users were targeted by cyber mercenary firms in 2021

Private surveillance and hacking groups have used Facebook and Instagram to target at least 50,000 people in over 100 countries, according to a published investigation by Meta, Facebook’s parent company.

The existence of private companies that use sophisticated digital tools to expose secrets from people’s work and private lives—sometimes in legal-but-ethically-dubious ways—is no secret. What this new study shows is that the surveillance-for-hire industry, previously thought to focus on spying on a handful of companies and services, actually includes a much more expansive spider-web of connections. Meta’s investigation outlines private-sector mass surveillance on a scale never before shown.

The perpetrators, so-called “cyber mercenaries” who operate at the behest of governments and private entities, were shown to target journalists, human rights advocates, activists, dissidents, clergy, politicians, and their families – sometimes resulting in torture or worse.

The ultimate goal of Meta’s study is to prompt a broader discussion about the surveillance-for-hire industry. Meta recommends strengthening transparency and “know your customer” laws, deepening industry collaboration to counteract surveillance firms, and increasing accountability through new legislation and export control laws.

Interos Insight  

The Meta investigation revealed seven surveillance businesses worldwide that engage in illicit surveillance. These firms’ customers were numerous and diverse, both commercial and governmental. Companies mentioned here are at risk of being banned or placed on ESG or cyber-related restricted lists. A recent example is Israel’s NSO Group, creator of Pegasus spyware, which the US Commerce Department put on its Entity List — a move that sent the company spiraling towards bankruptcy.

Spyware and the privatization of cyber weapons are serious threats to national and personal security. Clients must be aware of related companies in any part of their supply chain that might compromise their business, negatively affect their clients, or wind up on a restricted list like NSO. Interos provides this transparency to companies and their clients via an AI-powered platform that alerts users to threats like these as soon as they are discovered.

We have taken this research a step further: An active internal Interos study has captured data on dozens of countries purchasing surveillance technology from private entities. Some countries are repeat offenders, purchasing this type of software many times over. Interos integrates government surveillance policies and accountability into its cyber risk model and continues to track those governments and companies exploiting the hacking-for-hire market and putting corporate data at risk. To account for the rapid pace of change in the cyber-warfare space, our cyber model is not static and evolves with the changing risk landscape to provide even more comprehensive data to help our customers assess the true risk in their supply chain.  

Nation-state cyber capabilities are increasingly abiding by the “pay-to-play” model: any government — even those with limited resources — can purchase these surveillance and hacking tools from private firms. The software companies conceal who their clients are, making it harder for defenders to find the actual source.  

An Interos map (below) reveals the global proliferation of surveillance software sold to governments and private entities: 

Why your organization needs a software bill of materials 

Summary: The recent Log4j vulnerability exposed systemic problems in how businesses build and monitor their use of open-source software. The Log4j vulnerability was almost immediately weaponized and exploited by criminal gangs who used this exploit to plant crypto-hijacking and other malware. Organizations rushed to find all instances of the exposure in linked libraries, but most had no clear overview of where such instances existed in their systems. Google’s research showed that more than 8% of all packages on Maven Central have a vulnerable version of Log4j in their dependencies.  

CISA has created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organizational leaders should also review NCSC’s blog post, “Log4j vulnerability: what should boards be asking?” for information on Log4Shell’s possible impact on their organization as well as response recommendations.

Interos Insight: The first line of defense is a good software and dependency inventory  

In last month’s Supply Beacon, we referenced CISA’s SBOM (Software Bill of Materials) educational webpage and their work relating to Executive Order 14028. This EO requires the government’s critical software vendors to supply SBOMs for their products and employ automated tools to maintain trusted source code supply chains.

Over the past month, Log4j has emerged as one of the most severe cyber threats to date. The silver lining of this unfortunate vulnerability is that it is likely to hasten SBOM adoption. It is a concrete example illustrating the need to be fully informed of your cyber exposure across your entire enterprise. Never before has it been more important to map and monitor your whole supply chain. Interos can help partners establish automated mapping, arming them with the visibility to invest in the right, trusted technology while cataloging the use of open source and third-party software to deliver a complete and accurate SBOM, with visibility into the supply chain to the nth degree.

Chip Makers Contend for Talent as Industry Faces Labor Shortage 

Summary: In yet another challenge for the semiconductor industry, the world’s largest chipmakers are fighting for workers to staff the billion-dollar-plus facilities they are building to address the ongoing chip shortage.  

A dwindling supply of qualified workers has worried semiconductor executives for years. That fear has manifested to a far greater degree than anticipated due to the global labor shortage, a pandemic-fueled demand for all things digital, and a race among governments to bolster their local chip-manufacturing capabilities.  

Interos Insight: The US alone expects a shortage of up to 300,000 semiconductor workers by 2025. In recent Interos research, we cited the shortage of skilled laborers as a significant issue in the semiconductor supply chain, possibly disrupting the desired outcome of legislative efforts and related investments in production facilities.

The two primary areas expected to face shortages are technicians to run the plants and researchers to design the newest chips. Semiconductor firms are implementing new recruiting plans, and US chip manufacturers are lobbying for more foreign work visas to fill the gap. Leading Taiwanese universities are launching semiconductor-specific courses together with TSMC, and 12 Chinese universities have already created chip-focused colleges to fill the void. With semiconductor chips a geopolitical flashpoint for the 21st century, making silicon work appealing is a matter of national security. Even with growing demand, employment in semiconductors in the United States has remained a problem for the past decade and will likely require substantive policy changes to combat.


Source https://www.bls.gov/data/#employment   

U.S. chipmaker Magnachip, China’s Wise Road end $1.4 bln merger deal 

Summary: Chinese private equity firm Wise Road Capital Ltd. and US chipmaker Magnachip Semiconductor Corp. abandoned their $1.4 billion merger agreement struck in 2021. The Committee on Foreign Investment in the United States (CFIUS) had suspended the transaction during the summer, pending its review of the deal due to national security risks. According to the parties’ announcement, they could not obtain CFIUS’s approval despite months of costly attempts. With an uncertain future, Magnachip could not make concrete strategic plans, affecting its equity valuation. It has hired JPMorgan as an advisor as it attempts to find another buyer a year later.

Interos Insight: Over the past few years, cross-border transactions involving any technology or sector deemed critical and a risk to US national security have experienced a significant surge in CFIUS investigations. US protection over semiconductor assets is unremarkable; what was notable and unexpected is CFIUS’ involvement in a transaction between two non-US companies. CFIUS’s jurisdiction is triggered by a takeover of (or certain types of investments in) a “US business.” Other than Magnachip’s Delaware parent company, which essentially serves as a holding company, the business has no US entities and no US employees. Its research, development, and functional operations are all located and conducted outside the country. While some may think that CFIUS’ jurisdiction over any particular deal is limited, the Committee is obligated to act whenever anything seen as critical to the US defense, intelligence and national security community is involved. In this case, it was the supply chain for semiconductors. Since the enactment of the Foreign Investment Risk Review Modernization Act (FIRRMA), Treasury and other Departments have dedicated considerable resources to expanding and developing CFIUS’ authority to identify concerning transactions.

Under CFIUS’s expanded regime, some transactions (including takeovers of companies with technology subject to US export controls) must be reported. Parties should not overlook the possibility that regulators could intervene after definitive agreements are signed, and sometimes even years after closing. Even in those cases where the mandatory filing triggers are not present, a voluntary filing may still be warranted. Interos’ supply chain maps help customers identify the ownership and extended relationships, as well as the financial and regulatory risk, of companies to which their organization is connected, enabling businesses to identify potential FIRRMA concerns before they manifest.

Biden signs bill banning goods from China’s Xinjiang over forced labor 

Summary: US President Joe Biden signed into law legislation that bans imports from China’s Xinjiang and imposes sanctions on individuals responsible for forced labor in the region. 

The Uyghur Forced Labor Prevention Act is part of the US pushback against Beijing’s treatment of China’s Uyghur Muslim minority, which Washington has labeled genocide. The bill passed in late December after lawmakers reached a compromise between House and Senate versions.

Key to the legislation is a “rebuttable presumption” that assumes all goods from Xinjiang, where Beijing has established detention camps for Uyghurs and other Muslim groups, are made with forced labor. It bars imports unless proven otherwise.  

The Uyghur Forced Labor Prevention Act cements the Administration’s sights on three products in particular: cotton, of which Xinjiang is one of the world’s largest producers; tomatoes; and polysilicon, a material used to produce solar panels.  

Interos Insight:  

The Act is the latest in intensifying US penalties against China for alleged abuse of ethnic and religious minorities. Earlier in the year, US Customs and Border Protection (CBP) within DHS started to detain cotton products and tomato products produced in China’s Xinjiang Uyghur Autonomous Region.

Country-specific or, in this case, region-specific restricted lists are growing by the day. Just the week before Biden signed the Act, the US government put investment and export restrictions on dozens more Chinese companies, including top drone maker DJI, accusing them of complicity in the oppression of China’s Uyghur minority and of helping the Chinese military. Human rights risks are almost impossible to track throughout your extended supply chain with manual methods like surveys or spreadsheets, a challenge that will only grow as these restricted lists continue to expand. Interos’ mapping provides insight into every restricted list, with a scoring system that not only ensures compliance but helps you assess potential exposure and avoid reputational or operational harm, so you can source with confidence.

And a Follow-up: 

Minmetals confirms China rare earths merger, creating new giant 

Summary: Since we last discussed the matter in last month’s Beacon, final details of China’s newly formed, massive global force in the rare earths space were confirmed. The consolidation gives China the ability to control pricing, increase efficiency, and secure its strategically crafted dominance and competitiveness. Three of China’s Big Six rare earth groups will team up in a merger to create the world’s second-biggest producer, a state-owned enterprise.

The group would have significant pricing power for some rare earth elements such as dysprosium and terbium, which are essential for producing high-performance magnets. 

Interos Insight: This consolidation comes at a critical time as Washington grapples with US and Allied dependence on Chinese rare earths. In response, a February executive order identified critical minerals as one of four key areas in need of a complete review and improved policy options to address related risks to the supply chain. Considering the importance of rare earths to national security, it would not be a stretch to imagine a related US State Department strategy for our Allied partners, or the potential inclusion of the Chinese critical mineral companies on the section 1260H list of the National Defense Authorization Act for Fiscal Year 2021, since they are “military-civil fusion” operators in the Chinese industrial base.

A bipartisan piece of legislation (the Restoring Essential Energy and Security Holdings Onshore for Rare Earths Act) has already been introduced in the US Senate. It would force defense contractors to stop buying rare earths from China by 2026, and it would track and disclose the country of origin of certain rare earth metals used in systems delivered to the military. Companies with any component in their supply chain that requires rare-earth materials will want to keep abreast of related policy and legislative developments.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

Supply Chain Sustainability Info Gap Exposed in New Survey

Companies today want to improve the sustainability performance of their supply chain – but they often lack the data and visibility into their partners to truly meet their goals, according to new research from Interos and Procurement Leaders.

The report – “Supplier Sustainability: From Intent to Impact” – revealed that 37% of responding businesses struggle to obtain the data to measure supplier sustainability accurately.

Businesses have long relied on the suppliers to self-attest to their sustainability and ethics status. This information is often inaccurate and submitted through a cumbersome manual process on an annual basis. Given the rapidly changing pace of , it’s no longer adequate but is still the method 74% of businesses rely on, according to our study.

This lack of trustworthy information leads to real-world problems: 41% of organizations reported that ESG-related risk factors had caused detrimental impacts to their business in the past two years.

Get Ahead of the ESG Sea-Change

To make meaningful change, companies first need accurate information on the companies they work with directly and indirectly. This is where Interos comes in. Our cloud-based, artificial intelligence platform monitors more than 80,000 data streams to provide visibility into your suppliers’ risk posture as it changes, not 9 months after the fact.

Per Procurement Leaders: “The path forward is clear: companies looking to get ahead in public opinion and compliance will benefit from adopting automated solutions that leverage machine learning and AI.” “Automated solutions are the only type that can scale to match the size and speed of the global economy and represent the best path forward to defeating ESG risk in the supply chain.”

While many companies have a good understanding of the partners they directly interact with (their Tier-1 suppliers, also known as first parties), they often lack any visibility beyond that point. Procurement Leaders found that while 79% of procurement teams regularly engage with Tier-1 suppliers, that number quickly drops to 35% for Tier-2 suppliers and just 9% for Tier-3 and beyond.

This lack of visibility can cause tremendous peril, as we have seen over the past two years of intense disruption, which has laid bare the fragility of the global supply chain. For instance, a shutdown at a lower-tier supplier – like a factory closing due to a Covid outbreak – can cause ripple effects all the way up the chain to the consumer.

The Cost of Inaction on Supply Chain Sustainability

The Interos Annual Global Supply Chain Report found that supply chain disruptions cost large companies, on average, $184 million a year. Combatting that costly disruption can have many benefits in addition to the potential for significant cost savings. Improving supply chain visibility can also help reduce reputational risk, enhance regulatory compliance while increasing rates of innovation and attracting more talent. It also shows customers you operate an ethical company that cares about its community and the environment.

As our survey showed, businesses rated eradicating slave labor and using fair business practices as their most important sustainability goals:

ESG a ‘Board-Level’ Priority

The potential opportunities and challenges of today’s supply chain make it an issue the entire C-suite and board should know and understand. Thankfully, business leaders are beginning to understand this dynamic and see the supply chain as something more significant than just the domain of a chief procurement officer or a logistics team.

On average, corporate boards are meeting to discuss supply chain risk 22 times each year. In addition, 50% of supply chain leaders report that the issue of supply chain risk will be their organization’s top business priority in two years. Just a few years ago, supply chain risk was barely on the corporate leadership agenda, consigned to the remits of procurement and security leaders. It is now top-of-mind for the most senior executives, and companies looking to protect their reputation and bottom-line will need to take action on ESG risk.

For more information on reducing your supply chain risk and to download the full sustainability report, please click here.

Log4j Highlights the Need for an Operational Resilience Model

The US Cybersecurity and Infrastructure Security Agency has given the Apache Log4j vulnerability its highest threat score. The exploit has exposed hundreds of millions of devices worldwide to a security breach. 

While cybersecurity leaders work with the Apache Foundation to close this vulnerability, members of the global economy must understand how this potentially affects their supply chain. Interos data reveal that this vulnerability alone could impact more than 135,000 suppliers in our customers’ supply chains, and cause ripple effects across industries and geographies.

The Log4j vulnerability certainly stands out for its pervasiveness and potential to disrupt the economy.   

Large cyberattacks, system vulnerabilities and network outages have become a standard part of life in today’s super-connected world. That is not to minimize their impact but to underscore the persistent threat to businesses. A cyberattack that takes even a single supplier offline can cause delays throughout your entire supply chain, especially in verticals with high concentration risk.

All businesses need to understand their cyber risks and the cyber risk of suppliers they rely on to create and deliver their final product. At Interos, our goal is to help our customers know all of those risks to make educated decisions to ensure the resilience of their supply chains. 

A Different Approach to Understanding Cyber Risk 

Interos provides its customers with a global map of suppliers and supply chain risks, including consideration of cybersecurity vulnerabilities. Along with understanding the cyber pressure put on suppliers based on their industry and location, we also assess their financial strength. 

A company with a poor cyber or financial history may not respond adequately to this breach. For example, the patches and upgrades the cybersecurity community has created to block this vulnerability provide little value if a company fails to institute them. Some companies may lack the cyber know-how or the financial resources to accomplish these demands, putting them at increased risk for disruption. 

Interos provides real-time information on the cybersecurity resilience of suppliers. It is just one of many metrics our artificial intelligence platform leverages to provide customers with a 360-degree view of their supply chain.  

With this information, businesses can better understand the risks their suppliers face. Based on the risk profile, these companies can switch suppliers, request suppliers better mitigate these risks or accept the inherent risk. This type of visibility through various metrics allows businesses to build a resilient supply chain made up of suppliers with acceptable risk profiles. 

Companies can also use our platform to model disruptive events to find potential weak spots in their supply chain. This all leads to creating an operationally resilient supply chain that can better manage a crisis.

Log4j Serves as a Case in Point 

The Log4j vulnerability exposes a considerable part of the global economy to cyber attack. While it may be impossible to see this type of breach coming, suppliers should have the ability to withstand the attack, make the necessary upgrades, and continue operations. 

Our customers can use Interos’ cloud offering to see what members of their supply chain are impacted. They can understand what supply chain members are best equipped to manage the situation and those that cannot. This can guide future supply chain decisions and supplier relationships, reinforcing or removing the companies that lack the necessary capacity. 

The Log4j vulnerability will pass, but another type of cyber disruption can strike at any point. Interos wants to change how you see your supply chain. We want you to understand better the companies you depend on for your success. 

A study we conducted last year found that large businesses lose $184 million annually in supply chain disruptions. This is wasted money. Know the risks your suppliers face and take action to protect your company’s bottom line and its reputation. 

Supply Chain Risk Management Methods Lag Behind New Risks—and Costs are Rising

Monitoring Frequency

Supply chain shocks are causing debilitating effects on large organizations, especially financially. This impact alone is enough to cause significant damage. With so much on the line, businesses need to know if their current supply chain risk management (SCRM) tools and processes are up to the challenge.

Our new whitepaper, “Supply Chain Disruptions and the High Cost of the Status Quo,” based on a survey of 900 enterprise decision makers about their risk management practices, found:

  • Only 34% assess their global supply chain on a continuous basis.
  • The remaining 66% do so every month or less.

That means the majority of organizations are operating with large gaps in their supplier visibility and risk mitigation solutions. As discussed in a previous post, that vulnerability is costly:

  • On average, global supply chain disruptions cost enterprise-level organizations $184 million in lost revenue per year.

Assessment Methods

The frequency of measurement depends on the type of SCRM methods an organization uses: manual or automated. The former measures supply chains on an irregular basis and at one point in time, while the latter provides feedback in real time on a continuous basis. Nearly three quarters (74%) of organizations use manual methods at least some of the time, with only just over a quarter (26%) solely using automated methods.

There is currently a reliance on infrequent monitoring in all sectors. The enormous financial impact many suffer proves that current methods are ineffectual; organizations need to focus on switching to more automated methods, because they are still blind to many of the shocks occurring in their supply chain.

Therefore, it’s not surprising that the majority of decision makers (63%) admit that they need to make improvements to their ability to continuously monitor their supply chains.


Visibility is currently a critical weakness among many organizations, especially the ability to see in depth across sub-tiers in the supply chain. Automated methods can alleviate this deficit in organizations’ supply chain risk management systems. In fact, when asked what the benefits of using a fully automated method would be, 64% rank supply chain visibility (ecosystem awareness) as the greatest benefit.

Automated methods may also help to reduce the financial burden brought about by disruptions, with two other benefits ranking highly: cost avoidance (56%) and cost reduction (56%). What is clear is that all supply chain decision makers (100%) believe there are benefits to using automated methods.

Organizations should view an effective and robust monitoring system as essential. Current methods are likely inadequate at preventing large-scale financial damage as a result of supply chains shocks. Those who employ the most efficient methods are likely to be in the best position to protect themselves going forward.

Get More Data on SCRM/TPRM Practices and Improving Risk Mitigation

Our paper goes into more detail on the importance of visibility and supply chain risk management needs, as well as what current practices are helping organizations mitigate risk and which are not up to the task. Get all the insights here.

As Disruptions Grow, So Does the Quest for Better Supplier Risk Management

The diverse and successive nature of supply chain shocks is challenging every organization. Combine that with the high costs associated with disruptions and businesses have a loud and clear wake-up call: better supply chain risk management and improved monitoring are critical needs in today’s environment.

It’s therefore no surprise that supply chain risk management and resilience are going to become increasingly important to organizations. Our new whitepaper, “Supply Chain Disruptions and the High Cost of the Status Quo,” based on a survey of 900 enterprise decision makers about their risk management practices, found:

  • 50% of all surveyed organizations say supply chain risk management (SCRM) and resilience will be their top business priority in two years’ time—while just 39% say they are top priorities today.

As SCRM becomes more critical, the frequency with which those at the board-of-directors level discuss the topic reflects this. Overall, over one-fifth of boards (21%) are talking about supply chain risk on at least a weekly basis, with 78% doing so at least monthly.

Supply Chain Visibility

A crucial element of supply chain risk management is the level of visibility that organizations have throughout their supply chain. The less the organization can see across its supply chain, the less it can accurately predict. Intuitively, organizations experience more significant fallout due to disruptions when visibility into their supply chains is lower.

With that being said, it is not a surprise that the vast majority (88%) of organizations say visibility into their global supply chain is more important now than it was two years ago. The succession, and at times overwhelming number, of recent shocks and related impacts demands that greater importance be placed on visibility.

However, while decision makers note the value that visibility into supply chains can provide them, this does not necessarily translate across the different tiers in an organization’s supply chain.

In fact, visibility levels drop off sharply below the second tier of organizations’ supply chains:

  • 80% say their organization has instantaneous visibility/the ability to continuously monitor their supply chains in the second tier
  • This drops to only 50% at the third and fourth tiers, and only 22% say they can do this at the ninth tier and below

Get More Data on SCRM/TPRM Practices and Improving Risk Mitigation

Our paper goes into more detail on the importance of visibility and supply chain risk management needs, as well as what current practices are helping organizations mitigate risk and which are not up to the task. Get all the insights here.

Supply Chain Disruptions Cost Millions—Here’s How they Add Up

Ensuring supply chain risk management (SCRM) methods are robust enough to keep threats at bay and help organizations stay secure is a critical need today. But a succession of large shocks—including the COVID-19 pandemic, multiple high-profile cyber breaches, and ongoing international trade disputes—have exposed deep supply chain vulnerabilities and revealed shortcomings in SCRM and third-party risk management (TPRM).

Surprisingly, when shocks do occur, little is known about the true extent of the disruption, the wider organizational costs, or damage extending beyond that of a financial nature. Our new whitepaper, “Supply Chain Disruptions and the High Cost of the Status Quo,” based on a survey of 900 enterprise decision makers about their risk management practices, fills in many of those knowledge gaps:

  • On average, global supply chain disruptions cost enterprise-level organizations $184 million in lost revenue per year
  • 83% have suffered reputational damage because of supply chain problems

Looking Deeper at Disruption Data

Our survey found that supply chain events impact geographies and industries in unique ways.

The average revenue loss rises to $228 million for U.S. organizations, compared to UK and DACH where it costs $146 million and $145 million, respectively. There is also a large difference between sectors, with disruptions costing those in IT and technology ($194 million) and aerospace and defense ($193 million) more than financial services, where the average cost to revenue drops to $164 million. However, no matter the location of the organization or the sector they operate within, these costs are an unsustainable and debilitating expenditure.

The cost of supply chain disruptions extends beyond an organization’s revenue, as brand, reputation, and customer perception are also negatively impacted. It’s therefore no surprise that more than four in five (83%) of those surveyed say their organization has suffered reputational damage as a result of supply chain disruption. Again, those in the U.S. see the most severe impact in this regard, where 87% have suffered, compared to organizations in the Nordic countries where 77% say the same.

Understanding Supply Chain Risk Factors

The number of supply chain shocks has grown in recent years. Each disruption proves troublesome for organizations that are likely still reeling from the effects of the previous one. In fact, fewer than 1 in 10 enterprise organizations (6%) say they have not been impacted by supply chain disruptions over the past two years. These disruptions can be attributed to a variety of supply chain threats, with risk spread fairly evenly across all factors. To illustrate this, over the past two years, decision makers report that shocks have been spread across cyber risk and breaches (52%), financial risks (50%), and environmental/social/governance (ESG) (41%), among others.

Decision makers understand the critical need to use SCRM and TPRM to protect themselves against all types of supply chain risk. More than four in five (88% to 81%) believe it is important to guard against all six risk factors. This demonstrates that even if they are not directly impacted by every threat, decision makers understand the wide-ranging sources of disruptions to their supply chains.

Get More Data on SCRM/TPRM Practices and Improving Risk Mitigation

Our paper goes into more detail on the importance of visibility and supply chain risk management needs. It also includes current practices that are helping organizations mitigate risk. Get all the insights here.

Press Release: Interos Raises $100 Million to Protect Supply Chains from Disruption

NightDragon leads the round, which values Interos at more than $1 billion, making it one of the few female-led unicorns

ARLINGTON, Va., July 22, 2021 (GLOBE NEWSWIRE) — Interos, the supply chain risk management and operational resilience technology company, today announced Series C financing of $100 million led by NightDragon. Current investors, including Kleiner Perkins and Venrock, are also participating. This financing brings Interos’ valuation to over $1 billion, and establishes the company as a unicorn.

Female-led Unicorns Are Extremely Rare

Interos, led by CEO Jennifer Bisceglie, becomes one of the few female-led unicorns. According to Crunchbase, “Female founder-CEOs run only 4% of the ‘unicorn’ startups valued at more than $1 billion. Which means that, proportionally, these successful venture-backed female founders are even more rare than female Fortune 500 CEOs, who currently run 7.4% of the country’s largest companies.”

Global Supply Chain Severely Strained Impacting Both Businesses and Consumers

The new funding will help Interos accelerate its business at a time when supply chain vulnerabilities are front and center for companies around the world, following major supply chain shortages due to the pandemic and cyberattacks on organizations like SolarWinds, Kaseya and Colonial Pipeline that put company operations at risk. A severely strained global supply chain is translating to consumers as countless product shortages and to businesses as heavy bottom line and reputational impacts. The Interos Annual Global Supply Chain Report recently revealed that supply chain disruptions cost large companies, on average, $184 million a year, and 83% have suffered reputational damage.

Interos Protects Global Supply Chains from Disruption

An early warning system that identifies developing disruptions and supplier problems in real time is critical to driving business operational resilience, macroeconomic growth, public safety and national security. Numerous Fortune 500 brands, the U.S. Department of Defense, and NASA are using Interos’ artificial intelligence and machine learning-based cloud platform, which serves as this early warning system. The platform allows customers to instantly map their global supply chains to the Nth tier, continuously monitor those suppliers, flag supplier problems in real time, and model ripple effects so problems can be quickly resolved before disruption occurs.

Interos Proactively Reveals Physical, Cyber and ESG-Related Supply Chain Risks

The recently updated Interos platform monitors for both physical and digital supply chain issues across dozens of risk categories, including financial, operational, governance, geographic, and cyber factors. The platform also monitors ESG-related risk factors, such as unethical labor practices and greenhouse gas emissions. The U.S. SEC is developing new ESG reporting requirements for public companies, but this type of risk is currently a major, but unnecessary, blind spot for organizations.

Supply Chain Risk Now a Board Imperative

Global supply chain risk has become a board-level imperative with 78% of respondents to the Interos survey reporting their boards now confer on this topic at least once per month. While 39% say supply chain risk is their business’ current top priority, 50% say it will be in two years.

“COVID-19 and other macro and digital supply chain disruptions over the past year have caused boards of directors and other leaders to awaken to the tremendous impact supply chain disruptions can have on operational resilience, business performance and reputation,” said Jennifer Bisceglie, CEO of Interos. “Manual and annual supply chain risk monitoring is urgently moving to automated and continuous, and that can only be accomplished through AI/ML-based technology. This funding will allow us to accelerate our mission of helping organizations fix supply chain issues before they cause operational disruption.”

Interos Experiencing Explosive Growth

Interos has logged a compound annual growth rate of 303% in the last two years. It notched a 104% increase in its annual recurring revenue in 2020 over the previous year and recorded 132% growth in the number of employees over the same period.

“Over the past year, we have seen that supply chain risk represents one of the biggest gaps for cybersecurity and business resiliency in history,” said Dave DeWalt, Founder and Managing Director, NightDragon. “We are proud to partner with Interos to accelerate their business and help companies around the world close the gap when it comes to supply chain risk.”

About Interos

Interos is the operational resilience company — reinventing how companies manage their supply chains and business relationships — through our breakthrough SaaS platform that uses artificial intelligence to model and transform the ecosystems of complex businesses into a living global map, down to any single supplier, anywhere. Reducing months of backward-looking manual spreadsheet inputs to instant visualizations and continuous monitoring, the Interos Operational Resilience Cloud helps organizations reduce risk, avoid disruptions, and achieve superior enterprise adaptability. Businesses can also uncover game-changing opportunities to radically change the way they see, learn and profit from their relationships. Based in Washington, DC, Interos serves global clients with business-critical, independent relationships across their primary operational areas: supply chain, financial, cybersecurity, regulatory and ESG compliance, and geographical. The fast-growing private company is led by CEO Jennifer Bisceglie and supported by investors Venrock and Kleiner Perkins. For more information, visit www.interos.ai.

About NightDragon

NightDragon is an investment and advisory firm focused on growth and late-stage investments within the cybersecurity, safety, security and privacy industries. Its platform and vast industry network provide unparalleled threat insights, deal flow, market leverage and operating expertise to drive portfolio company growth and increase shareholder value. The NightDragon team has more than 25 years of operational and market expertise and was founded by Dave DeWalt and Ken Gonzalez, who served as senior executives leading technology companies such as Documentum, EMC, Siebel Systems (Oracle), McAfee, Mandiant, Avast and FireEye. For more information, visit www.nightdragon.com.

Biden’s latest supply chain order expands ban on US investment in China

The steady pace of commercial and investment restrictions continued yesterday with the Biden Administration’s latest Executive Order, “Addressing the Threat from Securities Investments that Finance Certain Companies of the People’s Republic of China”. This latest Executive Order follows the same pattern of accelerated industrial policy we’ve been detailing as the uptick continued throughout 2020 and into 2021. However, there are some notable differences in this Executive Order that only add to the growing complexity of the regulatory landscape as geopolitical and national security concerns intersect with economic and industrial policy, with widespread ramifications across supply chains.

An All of Government Approach

There has been a growing all-of-government focus on supply chain and cybersecurity resilience, with an unprecedented focus on excluding or banning commercial or investment relationships with specific companies (and often their subsidiaries and affiliates) deemed either a national security threat or facilitators of human rights violations, or at times both. From the Department of Commerce’s Bureau of Industry and Security Entity Lists to Section 889 of the 2019 National Defense Authorization Act to the Department of Treasury’s Office of Foreign Assets Control, there have been over 350 Chinese entities with whom U.S. companies and/or federal government partners are prohibited from engaging in commercial or investment relationships.

Subtle Changes from Previous Orders

This Executive Order similarly includes investment restrictions; however, there are some nuances that deviate from previous additions. It builds upon November’s Executive Order 13959, which prohibited financial transactions with entities identified by the U.S. government as “Communist Chinese military companies”. That November Executive Order, in turn, was informed by several lists produced by the Pentagon last year and in January under Section 1237 of the 1999 National Defense Authorization Act, which requires the Pentagon to produce and update a list of Chinese companies it identifies as having links to the Chinese military. However, some of the entities on the Section 1237 lists have since sued the U.S. government over their inclusion on the list, and Xiaomi has since been removed from the list following its lawsuit.

In the latest Executive Order, the companies listed under last year’s Executive Order, also referred to as the Non-SDN Communist Chinese Military Companies List (Non-SDN CCMC), have been superseded by the Non-SDN Chinese Military-Industrial Complex Companies (Non-SDN CMIC) list introduced by yesterday’s Executive Order. As a result, several companies previously listed on the Non-SDN CCMC list are no longer listed on the Non-SDN CMIC list. However, there are 59 companies in total on the Non-SDN CMIC list introduced in yesterday’s Executive Order, and the scope was expanded beyond just those with connections to the Chinese military to also include those in surveillance and technology, including Huawei and Hikvision. Moreover, the Non-SDN CMIC list will be fully under the purview of Treasury, rather than Defense, and will take effect on August 2, 2021.

What Comes Next?

With a focus on countering surveillance and repression, yesterday’s Executive Order demonstrates a continued focus on building trustworthy and secure supply chains, especially in the areas of emerging technologies. In fact, with a G7 Summit only a week away, the U.S. may take the opportunity to coordinate industrial policies and restrictions on capital flows with allies and like-minded partners. As geopolitical tensions continue and vulnerabilities and dependencies across supply chains emerge, these kinds of restrictions are likely to persist as the new normal in a post-pandemic global order. Unfortunately, there is yet to be an openly available, one-stop-shop integrating these lists. Interos continues tracking and updating our restrictions data and analysis, providing holistic and evolving insights into this ever-changing global regulatory landscape.

The Resilience Operations Center: Understanding Risk and Identifying Assets

The following is an excerpt from “The Resilience Operations Center: A New Framework for Supply Chain Risk Management.” Download the ebook or request a print copy here.

An organization’s ability to create operational resilience depends on agile and informed teams, intelligent use of data, and fast adaptation to changing circumstances. The Resilience Operations Center (ROC) framework—which updates supply chain risk management (SCRM) and third-party risk management (TPRM) approaches—helps deliver on those requirements. Whether you build a virtual or organizational ROC, it will be the foundation you rely on when facing adversity and will empower your organization to deliver for all stakeholders, no matter what challenges arise.

Laying the ROC Groundwork

Risks are everywhere in today’s landscape. The ability to identify ongoing and emerging threats and vulnerabilities and proactively adapt and respond to them through resilient behaviors can help your business thrive. Nowhere is this more important than in your approach to managing operational risks arising from supplier outsourcing decisions.

Organizations need to focus on the operational resilience that is derived from building a joint business-supply chain ecosystem. The concept of a supply chain ecosystem is at the center of effective management of supplier risk in our complex, constantly evolving world. Resilience is the ability to mitigate the consequences of unplanned events, manage adversity, and navigate manmade as well as natural disasters. Resilience demands forecasting and planning for different scenarios while continuously evaluating key organizational risk factors. Connectedness—a willingness to understand your suppliers’ interests, build trust, and act together with them for the strategic good of all—contributes to resilience.

Aligning SCRM/TPRM with Strategic Priorities

Aligning your SCRM or TPRM program with strategic business objectives can help you achieve supply chain operational resilience. As a risk management practitioner, you must understand which assets are critical to your business. To begin identifying them, ask the following questions:

  • What are your industry’s critical assets?
  • How are they used?
  • How are they derived, manufactured, and transported?
  • Where are information assets stored, sent, and shared?
  • Who has access to your assets at each step throughout the supply chain process?

Critical assets vary across industries, and could include the following:

  • Financial services: Banking customer Personally Identifiable Information, including name, address, and account number
  • Healthcare: Patient Protected Health Information, including name, date of birth, and Social Security number
  • Retail: Customer payment card industry data, including card number, expiration date, and Card Verification Value
  • Pharmaceuticals: Proprietary drug formulations
  • Manufacturing: Process patents and other proprietary information

This knowledge, combined with risk appetite (the amount of risk a business is willing to assume to achieve its strategic goals), allows you to implement effective, efficient, and resilient business operational strategies. This provides the ability to prevent disruptions in service or product delivery. It also enables organizations to minimize the impact of and recover quickly from unforeseen events, including unlikely black swan events.

Identifying Key Business Operational Risks

Which operational risks are greatest for your organization? Not all risks are created equal, and they vary by industry. Once you have identified the risks, you need to understand how the organization is monitoring and responding to them.

  • Financial: Trending, growth, solvency, soundness
  • Operations: Bankruptcy resiliency, counterfeiting, business cost trends
  • Governance: Compliance practices, including U.S. and international regulations, country-specific risks, management turnover
  • Geographic: Pandemic impact, corruption and political violence concerns, infrastructure stats
  • Cyber: Data breaches and emerging cyber risks

To achieve resilient operations, you need to expand your horizons to include the operating environments within your extended supply chains, including all tiers and their risk factors. This process should be ongoing so you can spot and address current and emerging risks before they affect the business.

Beyond the obvious cybersecurity and disaster recovery/business continuity risks affecting the supply chain, you should consider geographic and concentration risks, financial disruptions, operations process risks, geopolitical instability, regulatory changes, and gaps in SCRM programs. Environmental, social, and governance (ESG) risks also need to be addressed. This requires working with suppliers to proactively communicate and exchange information to create a strategic advantage and safe operating environments for all participants. The end goal is being able to respond quickly to protect the business and its customers.

More Disruptions are Coming—Get the ROC Book

The Resilience Operations Center book goes into more detail on these and other topics, including identifying stakeholders, telling your SCRM story, and creating business value through supply chain relationships. Get a copy of the book here and put your supply chain and your organization on the road to operational resilience.

Biden EO on Climate-related Financial Risks Sends Clear Mandate to Clean Up Global Supply Chain

Hot on the heels of the recent Cybersecurity Executive Order (EO) and February’s order on securing the supply chain, on Thursday, May 20th, the Biden administration published another EO, this time on climate-related financial risk. The order instructs federal agencies to take steps to identify and mitigate the financial impacts of climate change to citizens, federal programs, and businesses.

The order outlines the clear danger posed to global supply chains by climate change. It also articulates the need for quantifiable metrics to assess climate-driven supply chain risk and financial risk, as well as the need to integrate those metrics into broader risk models.

The need to address these long-standing risks is clear. 2020 saw an unprecedented rise in climate-related natural disasters. In the first 9 months of the year alone, 16 weather disasters caused well over $1 billion in direct damages, and untold losses in terms of supply chain disruption. In some places, sea levels are rising as fast as an inch per year. While no single government action can address the staggering impact these disruptions have on supply chains and economic activity, the EO is certainly an impressive and thorough start.

Breaking Down the EO

Beginning with an overview of policy objectives, the EO directs senior policy advisors, the Secretary of the Treasury, and the Director of the Office of Management and Budget to develop, within 120 days, a comprehensive strategy for the “measurement, assessment, mitigation, and disclosure of climate-related financial risk.” There are certainly immediate steps agencies can take to identify their own risk, but any realistic measurement of the true impact of climate-related financial risk must include a deep and continuous analysis of an agency’s supply chain.

The order also makes a clear call for better information sharing of climate-related financial risk information, instructing the Financial Stability Oversight Council (FSOC) to facilitate “the sharing of climate-related financial risk data and information among FSOC member agencies and other executive departments and agencies as appropriate.” This kind of information sharing has historically proven to be a challenge in and outside the federal government, with many organizations struggling under the burden of siloed, legacy systems that use inconsistent metrics and monitoring methods.

This EO makes a clearer case than ever for agencies to adopt common-use tools that can monitor climate-related financial risk, and seamlessly share that information for maximum, government-wide benefit.

The order further instructs several federal agencies to begin a comprehensive review of existing climate-related financial risks to “ensure that major Federal agency procurements minimize the risk of climate change, including requiring the social cost of greenhouse gas emissions to be considered in procurement decisions and, where appropriate and feasible, give preference to bids and proposals from suppliers with a lower social cost of greenhouse gas emissions.”

Measuring the Social Impact of Climate-related Financial Risk in Supply Chains

The EO also immediately directs the Federal Acquisition Regulatory Council (FARC) to consider amending the Federal Acquisition Regulation (FAR) to require major federal suppliers to disclose not just “greenhouse gas emissions and climate-related financial risk” but to also require “the social cost of greenhouse gas emissions to be considered in procurement decisions and, where appropriate and feasible, give preference to bids and proposals from suppliers with a lower social cost of greenhouse gas emissions.”

Should the FARC agree with this recommendation, there would be an immediate and immense impact to Federal contractors. Objectively assessing and reporting on the often indirect, but very real, social impacts of climate-related financial risk could prove a difficult task without widespread adoption of intelligent tools that can comprehensively measure and report on an organization’s entire supply chain ecosystem.

The order also directly countermands rules set in place by the Trump administration, directing the Labor Secretary to undo actions taken by the previous president that sought to stop investment firms from accounting for ESG factors in managing pensions and retirement accounts.

While the specific outcomes of this EO are still up to choices made at the agency directorate level, when taken in context with other global regulatory actions, such as Germany’s Initiative Lieferkettengesetz or the EU’s Sustainable Finance Disclosure Initiative, a clear mandate emerges: Governments are beginning to put teeth behind their words and are prioritizing climate and ESG risk as a key area of concern. A time is coming when organizations can no longer skate by on just their word. They will have to provide detailed and objective proof of their commitment to a sustainable environment and to mitigating risks from climate change across the entire global supply chain.

Interos

The Interos cloud solution gives you an instant and continuous view of climate-related financial risk across every connection in your digital and physical supply chains. With the power of artificial intelligence and machine learning, any organization can create a living map of their business ecosystem so they can monitor ESG and financial risk in real time, model scenarios, and predict outcomes. Learn more here, or contact us for a demonstration.