Expanded analysis on Europe – Ukraine supply chains shows hidden connections

A comment from a Volkswagen executive in the Wall Street Journal this week sums up the challenge facing many European and international companies when it comes to the crisis in Ukraine. “Ukraine is not central to our supply chain, but suddenly we discovered that when this part is missing, it is.”

The war has already taken an extraordinary toll on individuals, families, and communities in Ukraine. Another added layer of anxiety comes from employees and businesses not knowing the full extent of their commercial ties and dependencies on Russian or Ukrainian supply chains in their extended supplier networks.

European reliance on Russia/Ukraine supply chains is greater than it seems

Bad intelligence derived from opaque supply chains can have perilous implications for businesses and individuals. For instance, data from Interos’ global relationship mapping platform shows that fewer than 250 German companies have direct tier-1 suppliers in either country. But when the focus is expanded to include their suppliers’ suppliers, the number of connections jumps massively.

Germany-based firms across all industry sectors have:

  • Tier-2 connections with more than 1,600 suppliers in Ukraine, and over 7,500 in Russia
  • Tier-3 connections with more than 12,200 suppliers in Ukraine, and over 18,200 in Russia

Broadening the focus to the European Union as a whole plus the UK, the number of tier-2 and tier-3 connections with Russian and Ukrainian suppliers is greater still:

  • More than 8,200 European firms have tier-2 suppliers in Ukraine, and over 38,000 have tier-2 suppliers in Russia
  • More than 109,000 European firms have tier-3 suppliers in Ukraine or Russia

A survey of German supply chain and procurement executives conducted by Gartner last year found that 80% of companies thought they had good visibility of tier-1 suppliers (more than three-quarters of companies, parts and locations known). However, only 7% said the same about tier 2, and only 5% about tier 3.

Given these findings, the fact that a company like VW is unaware of its risk exposure to the war in Ukraine until critical parts stop arriving at its car factories should come as no surprise.

In a lean and just-in-time industry like automotive, where every part is critical no matter how cheap or small, the impact of disruption is more immediate than in other sectors, which is why VW stopped production at its plants in Zwickau, Dresden and elsewhere this week.

Visibility helps companies respond to crisis

European supply chain leaders – like their counterparts in the U.S., Asia and elsewhere – may not have all the data they need to optimize their scenario modelling and risk mitigation strategies, but they are working towards improving these capabilities.

Gartner’s 2021 supply chain risk and resilience study found that “better supply chain visibility” was the biggest area for improvement. 70% of the sample ranked it in their top three. 40% said it was their number one priority.

  • Almost two-thirds of respondents (64%) said they were working on multi-tier mapping now, compared with only a fifth (19%) who said they had processes in place previously.
  • Almost three-quarters (73%) said they were looking at technologies to help them map their multi-tier supply chains and improve visibility – compared with just 11% who had already done so.
  • More than half (57%) said that having “better supply chain risk tools/technologies” was a top 3 priority for improving risk management in their businesses.

Many of these improvement efforts and investments will not come in time to enable European companies to avoid supply chain disruptions stemming from the war in Ukraine. It is also unlikely that most businesses have insulated themselves from the impact of sanctions imposed on Russian firms as a result of Putin’s invasion.

This horrific and unjustified conflict has already upended decades of conventional thinking about war and international business, as well as the supply chains that underpin them. The data on tier visibility shared above is crystal clear evidence that despite limited immediate connections, deeper analysis shows just how interconnected and interdependent our economies, businesses, and people are.

Greater awareness of the level and nature of that interdependence is essential to building a supply chain and business community that can withstand immense shocks and continue to provide essential services and information in times of crisis.

Continue to follow the Interos Crisis Resource Center and Blog as the crisis evolves in Russia and Ukraine. We will continue to post supply chain information and insights as they become available.

Impact of government sanctions on Russia’s supply chain

Western governments continue to take actions to isolate and weaken Russia’s supply chain and overall economy in the wake of its invasion of Ukraine. On Monday, the United States took the aggressive move of sanctioning the Russian Central Bank. This will prevent American firms and citizens from doing any business with it.

The comprehensive ban includes the National Wealth Fund of the Russian Federation and the Ministry of Finance of the Russian Federation. As well as restricting U.S. business, the sanctions also ban any foreign financial entity from sending U.S. dollars to the Russian Central Bank, the finance ministry or the National Wealth Fund.

Other prominent sanctions

Other prominent sanctions include:

  • Full blocking sanctions on Russian defense entities. These will make it incredibly difficult for them to build aircraft, fighting vehicles, electronic warfare systems and ammunition.
  • Export controls targeting oil refining, which provide a key revenue source for the Russian government.
  • Adding any firm that supports the Russian and Belarusian military to the restricted Entity List. This would ban all firms that work with these two military operations from also working with American firms.
  • Banning Russian aircraft from entering and using domestic U.S. airspace.
  • The creation of an international investigative team aimed at seizing the financial resources of Russian oligarchs. These oligarchs provide critical financial support to the Russian government.

European and allied governments are acting in concert on most of these sanctions; even the typically neutral Swiss joined the group of nations imposing sanctions on Russia.

These are extremely restrictive measures meant to prevent Russia from stabilizing the dramatic plunge of the ruble by selling other nations’ currency. Russia will have a difficult time stabilizing its banks and even the most basic necessities will soon be unaffordable to many of its citizens.

The Russian Central Bank joins a select group of world central banks that have been cut off from dollar transactions. This group includes Iran, Venezuela and Syria.

Governments have also delisted Russian banks and cut them off from trade financing. Under U.S. and most European Union sanctions, any entity that is 50% or more owned, whether directly or indirectly, by one or more blocked persons is subject to the restrictions, even if it is not explicitly listed on the sanctions list.

It is important to note that most sanctions are still not targeting energy exports, and even the U.S. Treasury ban on ruble exchange makes exceptions for certain energy-related payments.

Latest moves to hit Russia’s supply chain follow SWIFT action at the weekend

Last Saturday evening, the U.S., along with the E.U., UK, Canada, France, Germany and Italy announced its plan to ban select Russian banks from the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system, a high-security network (messaging system) that facilitates cross-border payments among 11,000 financial institutions in 200 countries.

SWIFT is the principal method for financing international trade, so the removal of Russian banks will have implications for supply chain leaders when their organizations are attempting to buy products or services from firms located in Russia (see “Explainer” below).

The White House released a joint statement reading: “This will ensure that these banks are disconnected from the international financial system and harm their ability to operate globally.”

The European Union, US, UK and Canada have banned seven banks from SWIFT. They are considered to be those most involved in financing the war and closely tied to President Vladimir Putin, and they include Russia’s second largest bank, VTB. Other entities include Bank Otkritie, Novikombank, Promsvyazbank, Rossiya Bank, Sovcombank and VNESHECONOMBANK (VEB). Sberbank and Gazprombank are likely exempted because most of the payments related to energy flow through them. Eliminating their participation in SWIFT would make it virtually impossible to process funds to pay for Russian oil and gas, which Europe relies heavily on.

Around 40% of Europe’s natural gas supplies come from Russia, and Germany and Italy are among the biggest users of SWIFT.

The SWIFT system processes around 10 billion financial messages a year, is based in Belgium and overseen by the G10 central banks. Russian transactions account for 1.5% of all of SWIFT’s global transactions annually. The U.S. and Germany are the biggest users of SWIFT to communicate with Russian banks.

 

Financial restrictions a key element of wider economic sanctions package on Russia’s supply chain

The selective removal of Russian banks is part of an effort designed to “collectively ensure that this war is a strategic failure for (Russian President Vladimir) Putin.” This follows steps taken late last week by the E.U. and at least six other countries to impose more significant economic sanctions against Russia.

The countries imposing these sanctions announced the launch of a “transatlantic task force.” The task force will “ensure the effective implementation of our financial sanctions by identifying and freezing the assets of sanctioned individuals and companies that exist within our jurisdiction.”

Their action targeted its largest banks, as well as freezing the assets of certain Russian oligarchs and their families. It also directly targeted President Putin and his foreign minister, Sergey Lavrov, and other members of Russia’s security council.

Putin has accumulated over $600 billion in foreign reserves in an attempt to insulate his country from the economic crisis it experienced after the Crimea invasion and 2014 sanctions. But this strategy has failed. It is clear that Putin did not expect such quick, severe and coordinated steps to be taken against Russia.

The West has taken unprecedented steps to prevent Russia from using these reserves to undermine sanctions. To date, all 10 of Russia’s largest financial institutions – which collectively hold nearly 80% of the Russian banking sector’s total assets – have been targeted.

Looking just at the newly U.S.-sanctioned Russian financial institutions, an analysis of Interos’ global relationship data found over 920 distinct related entities in our platform. The majority of the entities directly affected are in the U.S. (8%), followed by the UK and Ukraine (6% each). The industries directly affected by these sanctions are primarily oil and gas (20%). Next are banks (18%) and other firms operating in global capital markets (6%). These numbers will grow exponentially as more sanctions are announced. Russian companies will continue to lose liquidity in equity markets and in their ability to raise capital around the world.

—–

Explainer: How SWIFT works

Example: A German company buys a product from Russia. They transfer money from their German bank account to the Russian company’s account using its SWIFT code.

The German buyer sends a message via SWIFT to the Russian company. The message says that the transfer of the money is incoming, and that it can access the funds.

Russian banks that cannot process these payments will be unable to facilitate international business. Their deliveries of oil, gas and other commodities would stop.

No robust alternatives to this system are available to Russia in the near term. After the 2014 invasion of Crimea and concerns about its dependence on SWIFT, the Central Bank of Russia developed its own payment system. This was titled the System for Transfer of Financial Messages (SPFS). The Russian government subsidizes SPFS to encourage usage of it. It includes 400 Russian bank users (more than in SWIFT) and accounts for around 20% of domestic transfers. However, only about a dozen foreign banks use it, including only one Chinese bank.


Supply Beacon Vol. 5 – Russian Invasion of Ukraine Spurs Supply Chain and Cyber Concerns

Guidance: As the invasion of Ukraine continues to unfold, global supply chains are in a highly fluid state – we will be updating this blog with additional insights as more details of sanctions/counter-sanctions related to specific industries, countries and/or commodities are imposed. Please look to our blog posts and customer communications for guidance on how to use the Interos Operational Resilience Platform to track the ripple effects on your supply chains.

Coordinated sanctions on Russia will impact both financial and physical supply chains

Summary: Following the Russian invasion of Ukraine on Thursday, the UK and US governments announced more significant and sweeping sanctions against major Russian banks, and defense equipment manufacturers. They also announced restrictions on the export of key technologies and other products. This sanctions package is far greater in scope and coordination than any predecessor, and is meant to cut off capital flows and access to technology critical to Russia’s modernization and advancement of its military and aerospace/weapons industries.

The response was organized with solidarity among allies, and the EU, Australia, New Zealand, Canada, Taiwan and Japan followed with their own sanctions on Friday. Canada cancelled all export permits in addition to naming 62 individuals and entities. Taiwan has not yet detailed all the tools it plans to employ, but the country’s inclusion is of critical importance since it is a global leader in the production of semiconductors – which many of the aforementioned countries have now banned exporting to Russia.

Additionally, the UK government banned Aeroflot from landing in the UK, suspended all flights to Moscow, and will stop exports of high-tech items and oil refinery equipment. The EU is meeting late Friday to seek approval to freeze the assets of President Putin himself and of Sergey Lavrov, his foreign minister. The German government took the bold decision to put the Nord Stream 2 gas pipeline, which connects Russia with Germany, on hold.

The EU has thus far opted not to ban Russia from the SWIFT high-security network that facilitates payments among 11,000 financial institutions in 200 countries, a step that would greatly impair their ability to pay for energy. However, the restrictions levied on financial institutions are the most comprehensive in history to be enacted on an economy the size of Russia’s. The range of measures includes freezing the assets of certain Russian oligarchs, their families, and financial institutions, while also banning exports to Russian military organizations.

The sanctions against Russian banks will immediately disrupt Russia’s economy. The technology and industry restrictions could cripple many of the country’s leading companies, since they will choke off Russia’s imports of technological goods critical to operating as a modern economy.

The new restricted lists include a Russia-wide denial of exports of sensitive technology, focusing on the Russian defense, aviation and maritime sectors. In addition to robust restrictions on the Russian defense sector, the U.S. is imposing Russia-wide restrictions on sensitive U.S. technologies produced in foreign countries using U.S.-created software, technology or equipment. This novel use of the FDPR (Foreign Direct Product Rule) includes Russia-wide restrictions on semiconductors, telecommunications, encryption security, lasers, sensors, navigation, avionics and maritime technologies.

President Biden said the U.S. was “building a coalition of partners representing more than half of the global economy” that would limit Russia’s ability to do business in dollars as well as euros, pounds and yen.

In total, the sanctions will ban about $1 trillion in Russian financial assets from flowing through U.S. and allied financial markets.

Interos insight: Looking just at the newly U.S.-sanctioned Russian financial institutions, an analysis of Interos’ global relationship data found over 920 distinct related entities in our platform. The majority of the entities directly affected are in the U.S. (8%), followed by the UK and Ukraine (6% each). The industries directly affected by these sanctions are primarily oil and gas (20%), followed by banks (18%) and other firms operating in global capital markets (6%). The second tier of the supply chain of these 47 organizations comprises over 91,000 entities that could be affected, with more of the second-tier entities located in other countries such as Germany (over 7,000).

This is a rapidly changing situation and, over the coming days, weeks and even months, we should expect the details of sanctions and export controls to be further refined and, if Putin continues his invasion, even harsher controls to be put in place. We will continue to analyze the complex ripple effects that these new restrictions will have globally, across industries’ supply chains. Additionally, our Resilience platform will be updating relevant policies and restricted lists/entities on an ongoing basis to reflect additional risks in customer supply chains.


Russian escalation raises concerns about state-sponsored cyber attacks on Western companies

 

Summary: Russia’s invasion of Ukraine, and the imposition of sanctions by the U.S. and European nations in response, have raised concerns about a large scale cyber attack against Western companies – and several Ukrainian government websites have already been taken offline. A spate of ransomware and other attacks against U.S. and European firms in sectors ranging from logistics (Expeditors International) and mobile communications (Vodafone Portugal) to fuel distribution (Marquard & Bahls) were reported in February, causing severe disruption to services and supply chains.

While these attacks have generally been blamed on cyber criminals rather than nation-state actors, the Cybersecurity & Infrastructure Security Agency (CISA) recently posted a “shields up” warning to U.S. organizations, urging them to take steps to protect critical assets against possible Russian government attacks. Similarly, the UK’s National Cyber Security Centre has advised British companies to ensure their cyber defense measures are up to date.

Interos insight: Aside from energy and other critical infrastructure, companies in the aerospace and defense (A&D) industry are an obvious target for state-sponsored attacks, whether for denial of service or intellectual property theft. As well as their strategic importance to national security, they are vulnerable because of high levels of concentration risk in the sector as a result of the specialized products A&D firms rely on.

Concentration is a well-understood, but vitally important and often ignored risk in supply chain security. It refers to a cluster or a shared supplier within a supply chain. A cyber attack against Western companies could have disastrous effects.

If a shared prime A&D supplier were disrupted by a Russian cyber attack, it could have a strong ripple effect across the entire sector – much as the shutdown of Taiwanese chip makers during Covid-19 caused U.S. automotive production lines to grind to a halt.

To gauge the extent of concentration risk in A&D, Interos took the 2021 top 100 list of defense contractors published by the industry publication Defense News and used our global relationship data graph of more than 350 million entities to map their extended supply chains.

Of the 83 companies whose relationships we could map with a high degree of confidence, we found 1,755 common suppliers – that is to say, those that were used by at least two contractors. This included six of the top 20 suppliers to the industry, one of whom had 27 separate connections. And the list doesn’t only include component and material suppliers, but also banks and financial institutions. Indeed, 29 of the 83 A&D companies use the same bank, according to our data.

Most of the top 100 shared suppliers had solid cyber and financial risk scores, based on the Interos i-Score model. However, as we moved further down the list some issues started to appear. Suppliers based outside of Western Europe and the U.S./Canada may not be responding as one might hope to a “shields up” alert.

While criminal hackers pose a real threat to companies with inadequate cyber security measures, those that are state-sponsored – whether by Russia or other malevolent forces – can draw on vast resources and are therefore likely to be more successful in disrupting critical supply chains.
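The multi-tier mapping this page relies on (tier-2 and tier-3 exposure to suppliers in a given country, and the count of suppliers shared by at least two contractors behind the concentration-risk finding above) reduces to a breadth-first walk of a buyer-to-supplier graph. The sketch below is an added example, not Interos code; every company name, country code and relationship in it is constructed for illustration.

```python
from collections import deque

# Constructed sample data: each key buys directly (tier 1) from the listed
# suppliers. All names and relationships are hypothetical.
SUPPLIES = {
    "AutoCo": ["HarnessGmbH", "SteelAG"],
    "AeroCo": ["AvionicsLtd", "SteelAG"],
    "HarnessGmbH": ["WireUA"],
    "SteelAG": ["OreRU", "WireUA"],
    "AvionicsLtd": ["ChipTW"],
    "WireUA": ["CopperRU"],
    "ChipTW": ["NeonUA"],
    "CopperRU": ["SteelAG"],  # circular relationship, must not loop forever
}

# Constructed country of registration for each entity.
COUNTRY = {
    "AutoCo": "DE", "AeroCo": "DE", "HarnessGmbH": "DE", "SteelAG": "DE",
    "AvionicsLtd": "GB", "WireUA": "UA", "OreRU": "RU", "CopperRU": "RU",
    "ChipTW": "TW", "NeonUA": "UA",
}


def supplier_tiers(buyer, supplies, max_tier=3):
    """Return {supplier: tier}; tier is the fewest hops from the buyer."""
    tiers = {}
    seen = {buyer}
    queue = deque([(buyer, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_tier:
            continue  # do not expand beyond the requested tier
        for supplier in supplies.get(node, ()):
            if supplier not in seen:  # first visit is the shortest path
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def tier_exposure(buyer, supplies, country, targets, max_tier=3):
    """Group a buyer's suppliers located in `targets` by tier."""
    exposure = {tier: set() for tier in range(1, max_tier + 1)}
    for supplier, tier in supplier_tiers(buyer, supplies, max_tier).items():
        if country.get(supplier) in targets:
            exposure[tier].add(supplier)
    return exposure


def shared_suppliers(buyers, supplies, max_tier=3, min_buyers=2):
    """Concentration check: suppliers reached by at least `min_buyers`."""
    users = {}
    for buyer in buyers:
        for supplier in supplier_tiers(buyer, supplies, max_tier):
            users.setdefault(supplier, set()).add(buyer)
    return {s: sorted(b) for s, b in users.items() if len(b) >= min_buyers}


if __name__ == "__main__":
    for name in ("AutoCo", "AeroCo"):
        exposure = tier_exposure(name, SUPPLIES, COUNTRY, {"RU", "UA"})
        for tier, found in exposure.items():
            print(f"{name} tier-{tier} RU/UA suppliers: {sorted(found)}")
    print("Shared within 3 tiers:", shared_suppliers(["AutoCo", "AeroCo"], SUPPLIES))
    print("Shared at tier 1 only:",
          shared_suppliers(["AutoCo", "AeroCo"], SUPPLIES, max_tier=1))
```

In this constructed graph neither buyer has a tier-1 supplier in the target countries, yet both are exposed at tiers 2 and 3, and the set of shared suppliers grows from one to four once the walk goes past tier 1.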


Uyghur Forced Labor Prevention Act set to have a significant effect on supply chains

Summary: In last month’s Beacon, we discussed the newly enacted U.S. Uyghur Forced Labor Prevention Act (UFLPA), which was signed into law on December 23, 2021, as part of the U.S. pushback against Beijing’s treatment of the Uyghurs and other persecuted minorities in China’s Xinjiang Uyghur Autonomous Region (the XUAR).

The effects on some supply chains would be significant since Xinjiang is one of the world’s largest producers of cotton and polysilicon, which is used to manufacture solar panels. The Act mandates that cotton, tomatoes, and polysilicon must be among the high-priority sectors in addition to building upon U.S. Customs and Border Protection’s existing “withhold release order” against all cotton and tomato products produced in the XUAR.

The Act requires the FLETF (Forced Labor Enforcement Task Force) to issue guidance on “due diligence, effective supply chain tracing, and supply chain management measures” aimed at avoiding the importation of goods produced with forced labor in the XUAR within 180 days of the UFLPA’s enactment on June 21, 2022.

Companies with supply chain exposure to the XUAR should expect compliance with the UFLPA to require significant supply chain diligence and documentation obligations. These requirements are likely to be strict given the already high bar on diligence established by the FLETF (and CBP established through continued partnerships with NGOs and other stakeholders focused on ending forced labor from global supply chains).

Interos insight: We identified over 2,000 companies that are directly connected to organizations using Uyghur labor and over 115,000 connected indirectly at the second tier of the supply chain.

Clients can use Interos to immediately illuminate companies in their existing supply chain that violate this law and easily screen for problematic organizations as they evaluate potential alternative suppliers of affected products and raw materials.


German Supply Chain Act will impact hundreds of non-German companies

 

Summary: Germany’s new Supply Chain Due Diligence Act comes into force on January 1, 2023. From that date, companies with at least 3,000 employees that have a headquarters or statutory seat in Germany, or those that have a branch in Germany employing at least 3,000 employees, will be required to take action to comply with the legislation.

The law requires both German-based companies (regardless of their legal structure) and foreign companies doing business in Germany to establish due diligence procedures to ensure compliance with specified core human rights and some environmental protections in their supply chains. Significantly, companies must not only conduct ongoing audits of their own business operations, but also those of their direct (tier-1) and, to some extent, indirect (tier-2 and beyond) suppliers.

And it’s not just the biggest companies that will be affected by the legislation. From January 1, 2024, the Act’s provisions will be extended to firms with 1,000 employees based in, or doing business in, Germany.

Although other European Union member countries are not yet in agreement on the terms of such legislation, it is likely the E.U. will follow with similar laws in due course.

Interos insight: In its first year of implementation, the law will apply to over 600 German companies and hundreds of foreign firms. The number will grow to over 3,000 companies in the second year.

Interos’ proprietary ESG risk score dynamically assesses an organization’s risks as well as its place in a customer’s supply chain. When assessing suppliers to Germany, for example, we found that about 37% had potentially problematic ESG scores.

Some of the attributes that make up Interos’ country-level ESG score include:

  • Environment risk: CO2 emissions, biodiversity and protected areas, climate change performance index, and net zero commitments
  • Social risk: Global Slavery Index, gender gap, mineral risk score, and digital access index
  • Governance risk: Human rights, freedom index, counterfeit goods risk, political terror score

Supply chain implications of China’s zero-tolerance approach to Covid-19 infections

Summary: China’s zero-COVID policy may increase pressure on the global economy by prolonging supply chain disruptions and intensifying the impact of inflation. Supply chain bottlenecks were expected to “materially ease in the early months of this year,” with downward pressure on producer and input prices and shorter lead times, according to Katrina Ell, a senior economist for Asia-Pacific at Moody’s Analytics. “But given China’s zero-Covid policy and how they tend to shut down important ports and factories — that really increases disruption.”

The US Federal Reserve and the International Monetary Fund have both issued similar warnings. The IMF also revised up its near-term projection for inflation “in response to the anticipated slower resolution of supply issues”.

Interos insight: What was once the “perfect storm” – a confluence of circumstances leading to a rare event – has become the norm. The pandemic has exacerbated supply chain issues, and disruptions have lasted much longer than expected. Inventories in many industries would have reverted towards more typical levels by now, but policy decisions such as China’s zero-COVID rules have caused additional production delays as major cities or regions are shut down practically overnight.

Inflation, a byproduct of many other interdependent factors, makes the pain and real costs for supply chains much worse. Although no human or artificial intelligence system will be able to bring every unknown risk to the forefront, Interos’ supply chain mapping platform can help customers quickly identify where exogenous, unexpected policy decisions might negatively impact their ability to deliver products to customers in accordance with predictable pricing and timescales.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

Supply Chain Disruption from the Russian Invasion of Ukraine

*The statistics in the blog below have been updated following a deeper analysis of the supply chain. We are continuing to monitor the highly volatile situation in Ukraine and will update this piece accordingly as new information becomes available. 

The Russian invasion of Ukraine has the potential to cause extensive and debilitating supply chain disruption across the globe. The effects may range from rising input costs to a heightened threat of cyber attacks.

Russia and Ukraine Supply Chains Key to Global Economy

Today thousands of U.S. and European companies do business with suppliers in Russia and Ukraine. Many of them could be at risk during a prolonged military conflict. Analysis of global relationship data on the Interos platform reveals critical findings:

  • More than 2,100 U.S.-based firms and 1,200 European firms have at least one direct (tier-1) supplier in Russia.
  • More than 450 firms in the U.S. and 200 in Europe have tier-1 suppliers in Ukraine.
  • Software and IT services account for 13% of supplier relationships between U.S. and Russian/Ukrainian companies. Consumer services represent another 7%. Trading and distribution services account for about 6%, while industrial machinery counts for about 4%. Oil, gas, steel, and metal products account for other everyday items purchased from the two countries.

The proportion of U.S. and European supply chains that include tier-1 Russian or Ukrainian suppliers is relatively low. This increases substantially when incorporating indirect relationships with suppliers at tier-2 and tier-3.

  • More than 190,000 firms in the U.S. and 109,000 firms in Europe have Russian or Ukrainian suppliers at tier-3.
  • More than 15,100 firms in the U.S. and 8,200 European firms have tier-2 suppliers based in Ukraine.

Supply chain and information security leaders in U.S. and European organizations should review their dependence on Russian and Ukrainian suppliers at multiple tiers. This is a key first step in assessing risk exposure in the region and ensuring operational resilience.

Supply Chain Interruption: 4 Major Risks

The many connections between US, European, Russian, and Ukrainian businesses highlight the potential for supply chain disruption.

In the event of a Russian invasion of Ukraine, four major areas could spark supply chain disruption:

Commodity price increases

Energy, raw material, and agricultural markets all face uncertainty as tensions escalate. Russia provides over a third of the European Union’s natural gas, and threats to this supply could force up prices when companies and consumers are already facing higher energy bills. Natural gas supply pressures likely would spike volatility in other energy markets too. By one estimate, an invasion could send oil prices spiraling to $150 a barrel, lowering global GDP growth by close to 1% and doubling inflation. Even lower estimates of $100 a barrel would cause input costs and consumer prices to soar.

Food inflation is another risk that may cause supply chain disruption. Ukraine is on track to be the world’s third-largest exporter of corn, and Russia is the world’s top wheat exporter. Ukraine is also a top exporter of barley and rye. Rising food prices would only be exacerbated with additional price shocks, especially if Russian loyalists seize core agricultural areas in Ukraine.

A conflict could continue to squeeze metal markets. Russia controls roughly 10% of global copper reserves and is also a significant producer of nickel and platinum. Nickel has been trading at an 11-year high, and further price increases for aluminum are likely with any disruption in supply caused by the conflict.

Firm-level export controls and sanctions

U.S. and European export controls could exacerbate commodity cost pressures. The use of such controls to restrict certain companies or products from supply chains has soared over the last few years. While many have been aimed at Chinese companies, a growing number of Russian firms have been earmarked for export controls for “acting contrary to the national security or foreign policy interests of the United States.”

Not surprisingly, U.S. companies and business groups are urging the government to be cautious in how it applies any new rules. Prominent Russian companies already on a U.S. restrictions list include Rosneft and subsidiaries, and Gazprom. Extending export controls and sanctions to Gazprom’s subsidiaries, other energy producers and key mining and steel market firms could further impact supply availability and input costs.

U.S. and E.U. export controls would also likely target the Russian financial sector, including state-owned banks, as a deterrence tactic. U.S. officials have noted that any sanctions would be aimed at the Russian financial sector for a “high impact, quick action response.”

Cyber security collateral damage and supply chain turmoil

Entities linked to malicious cyber activity may also face further repercussions from the U.S. and its partners. Ukraine is certainly no stranger to Russian cyber aggression. Russia has twice disrupted the Ukrainian electric grid, first in December 2015, leaving hundreds of thousands of Ukrainians in the cold, and again the following year. But destructive attacks on the country’s infrastructure could also spark significant collateral damage in global supply chains.

In 2017, the NotPetya attack on Ukrainian tax reporting software spread across the world in a matter of hours. The attack disrupted ports, shut down manufacturing plants, and hindered the work of government agencies. The Federal Reserve Bank of New York estimated that victims of the attack, including Maersk, Merck, and FedEx, lost a combined $7.3 billion.

This figure could pale compared to the global supply chain impact of a Russia-Ukraine military conflict, which would inevitably include a cyber element. Whether Russia would target its cyberwar playbook at U.S. or E.U. targets in retaliation for any support to Ukraine remains hotly debated. But the Cybersecurity and Infrastructure Security Agency (CISA) has been urging U.S. organizations to prepare for potential Russian cyberattacks, including data-wiping malware, illustrating how the private sector risks becoming collateral damage from geopolitical hostilities.

Geopolitical instability

Cyberwarfare would be unlikely to remain within Ukraine’s borders. Thus the destabilizing effect of a Russian invasion could have wider geopolitical ramifications. In Europe, a refugee crisis could emerge, with three to five million refugees seeking safety from the conflict. In Africa and Asia, rising food prices could fuel popular uprisings. Of the 14 countries that rely on Ukraine for more than 10% of their wheat imports, the majority already faces food insecurity and political instability.

China is watching closely to see how the world responds if Russia invades Ukraine. The superpower has its own aspirations of seizing territory and extending its sphere of influence. Taiwan’s defense minister has remarked that tensions over Taiwan are the worst in 40 years. A Russian invasion could further embolden China to enlist military tactics against Taiwan. In addition to far-reaching geopolitical implications, this would have a significant impact on electronics and other global supply chains.

How to Stop Supply Chain Disruption

Many of these risks may not materialize and represent a worst-case scenario. But executives should think carefully about the potential impact of a Russia-Ukraine military conflict. These leaders need to ensure appropriate contingency plans for their most critical supply chains and riskiest suppliers in the region.

Risk mitigation strategies include:

  • evaluating required levels of inventory and labor in the short to medium term;
  • discussing business continuity plans with key suppliers; and
  • preparing to switch to, or qualify, alternative sources for essential products and services.

With the right technology to enable proper analysis, planning, and execution, it is possible to mitigate significant risk, ensure operational resilience, and avoid supply chain disruption. For more information about the Interos platform and how it can help with this process, visit interos.ai.

Supply Beacon Vol. 4 – Cyber Mercenaries, Chip Complications, and a whole lot of China

The Top 5 Supply Chain News Stories You Need to Know
The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

 

Facebook says 50,000 users were targeted by cyber mercenary firms in 2021

Private surveillance and hacking groups have used Facebook and Instagram to target at least 50,000 people in over 100 countries, according to a published investigation by Meta, Facebook’s parent company.

The existence of private companies that use sophisticated digital tools to expose secrets from people’s work and private lives, sometimes in legal-but-ethically-dubious ways, is no secret. What this new study shows is that the surveillance-for-hire industry that was previously thought to focus on spying on a handful of companies and services actually includes a much more expansive spider-web of connections. Meta’s investigation outlines private-sector mass surveillance on a scale never before shown.

The perpetrators, so-called “cyber mercenaries” who operate at the behest of governments and private entities, were shown to target journalists, human rights advocates, activists, dissidents, clergy, politicians, and their families – sometimes resulting in torture or worse.

The ultimate goal of Meta’s study is to prompt a broader discussion about the surveillance-for-hire industry. They recommend strengthening transparency and “know your customer” laws, deepening industry collaboration to counteract surveillance firms, and increasing accountability through new legislation and export control laws.

Interos Insight: The Meta investigation revealed seven surveillance businesses worldwide that employ illicit surveillance. These firms’ customers were numerous and diverse, both commercial and governmental. Companies mentioned here are at risk of getting banned or put on ESG or cyber-related restricted lists. A recent example is Israel’s NSO Group, creator of Pegasus spyware, which the US Commerce Department put on its Entity List, a move that sent the company spiraling towards bankruptcy.

Spyware and the privatization of cyber weapons are serious threats to national and personal security. Clients must be aware of related companies in any part of their supply chain that might compromise their business, negatively affect their clients, or wind up on a restricted list like NSO. Interos provides this transparency to companies and their clients via an AI-powered platform that alerts users to threats like these as soon as they are discovered.

We have taken this research a step further: An active internal Interos study has captured data on dozens of countries purchasing surveillance technology from private entities. Some countries are repeat offenders, purchasing this type of software many times over. Interos integrates government surveillance policies and accountability into its cyber risk model and continues to track those governments and companies exploiting the hacking-for-hire market and putting corporate data at risk. To account for the rapid pace of change in the cyber-warfare space, our cyber model is not static and evolves with the changing risk landscape to provide even more comprehensive data to help our customers assess the true risk in their supply chain.  

Nation-state cyber capabilities are increasingly abiding by the “pay-to-play” model: any government — even those with limited resources — can purchase these surveillance and hacking tools from private firms. The software companies conceal who their clients are, making it harder for defenders to find the actual source.  

An Interos map (below) reveals the global proliferation of surveillance software sold to governments and private entities: 

 


 

Why your organization needs a software bill of materials 

Summary: The recent Log4j vulnerability exposed systemic problems in how businesses build and monitor their use of open-source software. The Log4j vulnerability was almost immediately weaponized and exploited by criminal gangs who used this exploit to plant crypto-hijacking and other malware. Organizations rushed to find all instances of the exposure in linked libraries, but most had no clear overview of where such instances existed in their systems. Google’s research showed that more than 8% of all packages on Maven Central have a vulnerable version of Log4j in their dependencies.  

CISA has created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with mitigation guidance and resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. Organizational leaders should also review NCSC’s blog post, “Log4j vulnerability: what should boards be asking?” for information on Log4Shell’s possible impact on their organization as well as response recommendations.

Interos Insight: The first line of defense is a good software and dependency inventory  

In last month’s Supply Beacon, we referenced CISA’s SBOM (Software Bill of Materials) educational webpage and their work relating to Executive Order 14028. This EO requires the government’s critical software vendors to supply SBOMs for their products and employ automated tools to maintain trusted source code supply chains.

Over the past month, Log4j has emerged as one of the most severe cyber threats to date. The silver lining of this unfortunate vulnerability is that it is likely to hasten SBOM adoption. It is a concrete example illustrating the need to be fully informed of your cyber exposure across your entire enterprise. Never before has it been more important to map and monitor your whole supply chain. Interos can help partners establish automated mapping, arming them with the visibility to invest in the right, trusted technology while cataloging the use of open source and third-party software to deliver a complete and accurate SBOM with visibility into the supply chain to the nth degree.


 

Chip Makers Contend for Talent as Industry Faces Labor Shortage 

Summary: In yet another challenge for the semiconductor industry, the world’s largest chipmakers are fighting for workers to staff the billion-dollar-plus facilities they are building to address the ongoing chip shortage.  

A dwindling supply of qualified workers has worried semiconductor executives for years. That fear has manifested to a far greater degree than anticipated due to the global labor shortage, a pandemic-fueled demand for all things digital, and a race among governments to bolster their local chip-manufacturing capabilities.  

Interos Insight: The US alone expects a shortage of up to 300,000 semiconductor workers by 2025. In recent Interos research, we cited the shortage of skilled laborers as a significant issue in the semiconductor supply chain, possibly disrupting the desired outcome of legislative efforts and related investments in production facilities.

The two primary areas expected to face shortages are technicians to run the plants and researchers to design the newest chips. The semiconductor firms are implementing new recruiting plans, and US chip manufacturers are lobbying for more foreign work visas to fill the gap. With semiconductor chips a geopolitical flashpoint for the 21st century, making silicon work appealing is a matter of national security. Leading Taiwanese universities are launching semiconductor-specific courses together with TSMC, and 12 Chinese universities have already created chip-focused colleges to fill the void. Even with growing demand, employment in semiconductors in the United States has remained a problem for the past decade and will likely require substantive policy changes to combat.

 


 

U.S. chipmaker Magnachip, China’s Wise Road end $1.4 bln merger deal 

Summary: Chinese private equity firm Wise Road Capital Ltd. and US chipmaker Magnachip Semiconductor Corp. abandoned their $1.4 billion merger agreement struck in 2021. The Committee on Foreign Investment in the United States (CFIUS) had suspended the transaction during the summer, pending its review of the deal due to national security risks. According to the parties’ announcement, they couldn’t obtain CFIUS’s approval despite months of costly attempts. With an uncertain future, Magnachip could not make concrete strategic plans, affecting its equity valuation. It has hired JP Morgan as an advisor as it attempts to find another buyer a year later.

Interos Insight: Over the past few years, cross-border transactions involving any technology or sector deemed critical and a risk to US national security have experienced a significant surge in CFIUS investigations. US protection over semiconductor assets is unspectacular; what was notable and unexpected is CFIUS’s involvement in a transaction between two non-US companies. CFIUS’s jurisdiction is triggered by a takeover of (or certain types of investments in) a “US business.” Other than Magnachip’s Delaware parent company, which essentially serves as a holding company, the business has no US entities and no US employees. Its research, development, and functional operations are all located and conducted outside the country. While some may think that CFIUS’s jurisdiction over any particular deal is limited, the Committee is obligated to act whenever anything seen as critical to the US defense, intelligence and national security community is involved. In this case, it was the supply chain for semiconductors. After the enactment of the Foreign Investment Risk Review Modernization Act (FIRRMA), Treasury and other Departments have dedicated considerable resources to expanding and developing CFIUS’s authority to identify concerning transactions.

Under CFIUS’s expanded regime, some transactions (including takeovers of companies with technology subject to US export controls) must be reported. Parties should not overlook the possibility that regulators could intervene after definitive agreements are signed and sometimes even years after a deal has closed. However, even in those cases where the mandatory filing triggers are not present, a voluntary filing is still warranted. Interos’ supply chain maps help customers identify the ownership, the extended relationships, and the financial and regulatory risk of companies to which their organization is connected, enabling businesses to identify potential FIRRMA concerns before they manifest.


 

Biden signs bill banning goods from China’s Xinjiang over forced labor 

Summary: US President Joe Biden signed into law legislation that bans imports from China’s Xinjiang and imposes sanctions on individuals responsible for forced labor in the region. 

The Uyghur Forced Labor Prevention Act is part of the US pushback against Beijing’s treatment of China’s Uyghur Muslim minority, which Washington has labeled genocide. The bill passed late December after lawmakers reached a compromise between House and Senate versions.

Key to the legislation is a “rebuttable presumption” that assumes all goods from Xinjiang, where Beijing has established detention camps for Uyghurs and other Muslim groups, are made with forced labor. It bars imports unless proven otherwise.  

The Uyghur Forced Labor Prevention Act cements the Administration’s sights on three products in particular: cotton, of which Xinjiang is one of the world’s largest producers; tomatoes; and polysilicon, a material used to produce solar panels.  

Interos Insight: The Act is the latest in intensifying US penalties against China for alleged abuse of ethnic and religious minorities. Earlier in the year, US Customs and Border Protection (CBP) within DHS started to detain cotton products and tomato products produced in China’s Xinjiang Uyghur Autonomous Region.

Country or, in this case, region-specific restricted lists are growing by the day. Just the week before Biden signed the Act, the US government put investment and export restrictions on dozens more Chinese companies, including top drone maker DJI, accusing them of complicity in the oppression of China’s Uyghur minority and helping the Chinese military. Human rights risks are almost impossible to track throughout your extended supply chain with manual methods like surveys or spreadsheets, a challenge that will only grow as these restricted lists continue to expand. Interos’ mapping provides insight into every restricted list, with a scoring system that not only ensures compliance but helps you assess potential exposure and avoid reputational or operational harm so you can source with confidence.


And a Follow-up: 

 

Minmetals confirms China rare earths merger, creating new giant 

Summary: Since we last discussed the matter in last month’s Beacon, final details of China’s newly formed massive and global force in the Rare Earths space were confirmed. The consolidation gives China the ability to control pricing, increase efficiency, and secure its strategically crafted dominance and competitiveness. Three of China’s Big Six rare earth groups will team up in a merger to create the world’s 2nd-biggest producer, a state-owned enterprise. 

The group would have significant pricing power for some rare earth elements such as dysprosium and terbium, which are essential for producing high-performance magnets. 

Interos Insight: This consolidation comes at a critical time as Washington grapples with US and Allied dependence on Chinese rare earths. In response, a February executive order identified critical minerals as one of four key areas in need of a complete review and improved policy options to address related risks to the supply chain. Considering the importance of rare earths to national security, it would not be a stretch to imagine a related US State Dept Strategy for our Allied partners or potential inclusion of the Chinese critical mineral companies on section 1260H of the National Defense Authorization Act for Fiscal Year 2021, since they are “military-civil fusion” operators in the Chinese industrial base.

A bipartisan piece of legislation (Restoring Essential Energy and Security Holdings Onshore for Rare Earths Act) has already been introduced in the US Senate. It would force defense contractors to stop buying rare earths from China by 2026. It would track and disclose the country of origin of certain rare earth metals used in systems delivered to the military. Companies with any component in their supply chain that requires rare-earth materials will want to keep abreast of related policy and legislative developments.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

Supply Chain Sustainability Info Gap Exposed in New Survey

Companies today want to create a sustainable supply chain – but they often lack the data and visibility into their partners to truly meet their sustainability goals, according to new research from Interos and Procurement Leaders.

The report — “Supplier Sustainability: From Intent to Impact” — revealed that 37% of responding businesses struggle to obtain the data to measure supplier sustainability accurately.

Businesses have long relied on suppliers to self-attest to their sustainability and ethics status. This information is often inaccurate and submitted through a cumbersome manual process on an annual basis. Given the rapidly changing nature of the modern supply chain ecosystem, periodic self-reporting is no longer adequate, but it is still the method 74% of businesses rely on, according to our study.

This lack of trustworthy information leads to real-world problems: 41% of organizations reported that ESG-related risk factors had caused detrimental impacts to their business in the past two years, making it harder to achieve a sustainable supply chain.

Get Ahead of the ESG Sea-Change

To make meaningful progress towards creating a sustainable supply chain, companies first need accurate information on the companies they work with directly and indirectly. This is where Interos comes in. Our cloud-based, artificial intelligence platform monitors more than 80,000 data streams to provide visibility into your suppliers’ risk posture as it changes, not 9 months after the fact.

Per Procurement Leaders: “The path forward is clear: companies looking to get ahead in public opinion and compliance will benefit from adopting automated solutions that leverage machine learning and AI.” “Automated solutions are the only type that can scale to match the size and speed of the global economy and represent the best path forward to defeating ESG risk in the supply chain.”

While many companies have a good understanding of the partners they directly interact with (their Tier-1 suppliers, also known as first parties), they often lack any visibility beyond that point. Procurement Leaders found that while 79% of procurement teams regularly engage with Tier-1 suppliers, that number quickly drops to 35% for Tier-2 suppliers and just 9% for Tier-3 and beyond.

This lack of visibility can cause tremendous peril, as we’ve seen over the past two years of intense disruption, laying bare the fragility of the global supply chain. For instance, a shutdown at a lower-tier supplier – like a factory shutting down due to a Covid outbreak – can cause ripple effects all the way up the chain to the consumer. When procurement teams set their sights on a truly sustainable supply chain, improved visibility is urgent. 

The Supply Chain Sustainability Report Reveals The Cost of Inaction

The Interos Annual Global Supply Chain Report found that supply chain disruptions cost large companies, on average, $184 million a year. Combatting that costly disruption can have many benefits in addition to the potential for significant cost savings. Improving supply chain visibility can also help reduce reputational risk and enhance regulatory compliance while increasing rates of innovation and attracting more talent. A transparent, sustainable supply chain also shows customers you operate an ethical company that cares about its community and the environment.

As our survey showed, businesses rated eradicating slave labor and using fair business practices as their most important sustainability goals:

Supplier Sustainability Goals by Importance.

The Sustainable Supply Chain is a “Board-Level” Priority

The potential opportunities and challenges of today’s supply chain make it an issue the entire C-suite and board should know and understand. Thankfully, business leaders are beginning to understand this dynamic and see the sustainable supply chain as something more significant than just the domain of a chief procurement officer or a logistics team.

On average, corporate boards are meeting to discuss supply chain risk 22 times each year. In addition, 50% of supply chain leaders report that the issue of supply chain risk will be their organization’s top business priority in two years. Just a few years ago, maintaining a sustainable supply chain was barely on the corporate leadership agenda, consigned to the remits of procurement and security leaders. It is now top-of-mind for the most senior executives, and companies looking to protect their reputation and bottom-line will need to take action on ESG risk.

For more information on reducing your supply chain risk, and to download the full sustainability report, please click here. To learn more about Interos, visit interos.ai.