Modelling Supply Chain Cyber Risk in a Disrupted World

By Andrea Little Limbago

On March 2, the Biden Administration announced a new National Cybersecurity Strategy. The need for a strategic change should not come as a surprise — Interos’ 2022 Resilience survey of 1,500 procurement and cybersecurity leaders revealed supply chain disruptions from cyber incidents alone cost enterprises $37M annually. Estimates of the global annual cost of cybercrime exceed ten trillion dollars.

Interos is closely monitoring the rising costs of cyber disruption and the continuously changing state of play, among other factors. We’ve refined and updated our cyber risk factor, one of the six factors within the Interos i-Score™, in light of these and other trends shaping cybersecurity. The enhancements add a new cyber behavior model that detects potentially harmful cyber activity regardless of public disclosure, and combine it with commercial cyber ratings, vulnerability information (CVEs), threat assessment (MITRE ATT&CK®), cyber events, regulatory compliance, and operating-country regulations and risks into a single score.

You can read about those details in our press release. This blog will focus on those strategic factors driving these changes and the challenges in developing a solution that delivers cybersecurity insights to non-experts, all within the backdrop of the generational shift underway in the international system.

Trends Driving the New Model

To address the growth in scope and scale of cyberattacks (and their ripple effect across the supply chain) the Biden administration’s new National Cybersecurity Strategy is putting more responsibility on vendors and service providers. This is part of a larger trend prompting organizations to prioritize long-term collective investment in cyber resilience – and is reflective of Interos’ collective resilience approach to cyber.

Cyber leaders are also increasingly acknowledging the human element and assessing those risks through a socio-technical lens. This has led to both a focus on user interactions as well as the growth in new compliance frameworks and regulations. That’s why the enhanced Interos cyber risk factor accounts for compliance with CSF V1.1, NIST SP 800-53, PCI DSS V3.2.1 and other standards, as well as the global expansion of data privacy and cybersecurity regulations.

To that end, an organization’s geographic location plays a crucial role in both compliance as well as data risk levels. This variation stems from differing levels of data sovereignty which depend on the localized cyber and privacy environment. Risks surrounding the concentration of the physical infrastructure underpinning the internet also pose a significant challenge, as seen in the case of Russia’s cyberattack on ViaSat’s services in Ukraine or the disconnection of undersea cables which happened in Scotland and France.

The adoption of collective resilience (creating shared supply chain and operational strength) is accompanying our broader understanding of the range of cyber risks, which is why collaboration is prioritized in national and international cyber strategies. As Alejandro Mayorkas, the Secretary of Homeland Security, noted, “We have to drive the entire ecosystem to be more cyber vigilant.”

Developing Interos’ Enhanced Cyber Model

Tackling Key Challenges in the Cybersecurity Landscape

Development of this new model addresses two core challenges:

  1. Aggregating Data into Intuitive Formats: The difficulty of integrating disparate data sets in a timely manner and presenting them in an intuitive, explorable format. We recognize that many cybersecurity tools are designed for information security professionals, making them inaccessible to others involved in risk management.
  2. Understanding Behavior: The importance of understanding both threat actors’ and defenders’ behaviors and integrating that knowledge to identify the most relevant risks.

Cyber has an interesting data problem in that there is a data deluge and a data desert at the same time – meaning there is so much data, but it’s not always the relevant data. The Interos model addresses the above challenges by focusing on integrating and presenting the range of these trends (over individual data points) to capture the core areas of vulnerabilities, threats, compliance, and adverse cyber events. Through this holistic approach we can provide a comprehensive view of cybersecurity risks across the entire supply chain ecosystem, from vendors and service providers to critical infrastructure and sensitive data.

We also drew on the extensive community work and expertise behind NIST’s vulnerability data, the CVE program, and MITRE’s ATT&CK framework, while accounting for both opportunistic and targeted threats by identifying the industries and groups most susceptible to targeting and the vulnerabilities most likely to be exploited. Our approach also focused on quantifying data risks across locations by merging different data types to capture the diverse data sovereignty and global risk environments — a project we presented at the Black Hat cybersecurity conference a few years ago.

Implications and Value: Uncovering Hidden Risks and Enabling Proactive Measures

The implications of this new model are vast. It highlights areas of risk that often are not brought together, allowing users to take action to decrease cyber risk. This may include reaching out to critical suppliers that may be at risk and coordinating a plan to elevate their defensive posture, or identifying those key parts of their supply chain located in areas where the data may be more at risk due to an adverse regulatory environment.

The Interos model surfaces a range of cyber risks, while contextualizing those risks within a broader supply chain risk framework. For instance, users can identify who might be at high cyber risk as well as high financial risk, since these suppliers may not have the resources to grow their defensive posture or could be extremely vulnerable to insolvency if attacked given the cost of breaches.

Personal Observations: Expanding Access to Cyber Risk and Addressing Global Challenges

Two particular aspects of this project are especially important to me, in terms of their ability to address broader systemic challenges across the industry that have significant implications for the future:

  • Addressing the cyber industry’s gatekeeper problem, which restricts risk assessment access to those with information security technical expertise. Interos’ updated model marks a significant stride towards broadening access to cyber risk assessment outside of an enterprise’s Security Operations Center.
  • Further integrating supply chain risk and cyber risk, particularly in the context of a re-globalized world economy, technological bifurcation, and the geopolitical fracturing of the internet. This integration is essential for fostering cyber vigilance and tackling the challenges presented by emerging technologies and global competition.

A modernized approach to cyber risk will be an essential tool for organizations exploring how to adapt to a changing global order whose shifts are being felt across supply chains, geopolitics, and technology development. Interos’ enhanced model for evaluating cybersecurity risk across supply chains signifies a significant step towards that goal.

By expanding access to meaningful cybersecurity information, through a multi-factor, supply chain-wide approach, we can enable organizations to proactively manage and mitigate risks on a far greater scale than ever before, bringing non-cyber experts into the decision room, and fostering resilience and success in this ever-evolving global landscape.

The World in Flux: Preparing for Unthinkable Risks

By Andrea Little Limbago 

Globalization is undergoing a significant transformation. Along geopolitical fault lines, global economies are decoupling, while simultaneously like-minded countries are seeking greater integration. This reglobalization of the international system is defining the new normal, introducing a range of opportunities as well as risks.  

The shockingly swift collapse of Silicon Valley Bank (SVB), China’s announcement seeking greater technological self-sufficiency, California’s record-breaking snowfall and floods, and the U.S., U.K., and Australia trilateral pact announcement, all occurring around the same time, are indicative of this new normal.  

As the International Monetary Fund’s Managing Director noted, organizations need to “think of the unthinkable” to better build toward resilience in light of disruptions. This requires a mindset shift regarding systemic risk – moving from a siloed view of “known” risks (e.g., the shutdown of a single supplier with poor credit) to a multi-faceted approach that accounts for hyper-dependencies in a world routinely shocked by unforeseen risks (e.g., the 48-hour collapse of an industry-leading and deeply connected bank). Organizations that successfully build on and expand their risk mindset to encapsulate the multitude of economic, political, climatological, and technological transformations underway will be at a competitive advantage going forward; those that fail to do so will be ill-equipped to navigate these “unthinkable” risks. 

Multi-faceted Risk and Supply Chain Catastrophe in a Reglobalized World (aka The New Normal)

Traditional risk frameworks crafted over the last few decades are inadequate to address today’s risk landscape consisting of hyperconnected digital economies and multi-layered business ecosystems. That does not mean they aren’t useful — they’re simply not flexible enough to keep pace with modern change.  

The first quarter of 2023 alone has witnessed a series of shocks that were once unthinkable. Ransomware infiltrated a major supplier in the semiconductor industry and propagated across technology and defense communities, causing a $200M hit to its revenue, as well as a $250M hit to a customer. The Middle East may be on the verge of a major transformation following an unprecedented, China-brokered deal to reestablish diplomatic relations between longtime bitter foes Saudi Arabia and Iran. The deal reflects a shift in the balance of power and China’s growing influence in the region. And now SVB – dubbed the tech industry’s banker – experienced the second largest bank failure in U.S. history, with ripple effects from China to Europe. 

These “unthinkable” events reflect a new status quo for all manner of risks. For cyber risk, an expanded mindset that includes, but also looks beyond, vulnerabilities is essential. Threats, regulations, and anomalous behavior must also be part of a coordinated cyber risk mindset. On the geopolitical front, organizations must account for changing fault lines which continue to foster new alliances and new divisions. And for financial risk, solvency is foundational, but as the events with SVB illustrate, continuously monitoring solvency alone is not enough. A more nuanced view of financial risk is required to achieve operational resilience against financial volatility in the new normal.

For example, in addition to solvency, the volatility of equity returns often represents a timelier examination of a company’s business risk. Equity markets are more sensitive to new information and react more quickly than accounting-based solvency metrics can reflect. SVB is particularly instructive. For the five years from 2018-2022, SVB Financial’s market fluctuations largely behaved within an expected range. However, in the 47 trading days between January 3, 2023 and March 9, 2023, SVB experienced volatility outside of the expected range it had exhibited over the previous five years.

By monitoring stock price volatility outside of historical expectations, organizations can gain a more complete picture of business risk. 
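To make that check concrete, here is an added example (not Interos’ model and not code from the original post) that flags rolling windows whose realized volatility sits far outside a stock’s own historical range; the price series is constructed from a seeded random walk with an SVB-style collapse appended, so the numbers are illustrative only.

```python
"""Flag when a stock's recent realized volatility leaves its own historical range.

Added example of the monitoring idea described above; it is not Interos' model
and uses constructed (seeded random-walk) prices, not real SVB data.
"""
import math
import random
import statistics
from typing import List, Tuple


def log_returns(prices: List[float]) -> List[float]:
    """Daily log returns r_t = ln(P_t / P_{t-1})."""
    return [math.log(b / a) for a, b in zip(prices, prices[1:])]


def rolling_volatility(returns: List[float], window: int) -> List[float]:
    """Sample standard deviation of returns over each trailing `window`-day span.
    Element k covers returns[k:k + window]."""
    return [statistics.stdev(returns[k:k + window])
            for k in range(len(returns) - window + 1)]


def volatility_breach(prices: List[float], baseline_days: int,
                      window: int = 20, z_threshold: float = 3.0) -> Tuple[bool, float, int]:
    """Compare rolling volatility after the baseline with the baseline's own distribution.

    baseline_days: number of daily returns forming the historical reference
    (the 2018-2022 period in the post). Returns (breached, max_z, windows_flagged):
    breached is True if any window lying wholly after the baseline has volatility
    more than z_threshold standard deviations above the historical mean of rolling
    volatility. Windows straddling the boundary are ignored on both sides.
    """
    rets = log_returns(prices)
    vols = rolling_volatility(rets, window)
    base_vols = vols[:baseline_days - window + 1]   # windows ending inside the baseline
    recent_vols = vols[baseline_days:]              # windows starting after it
    if len(base_vols) < 2 or not recent_vols:
        raise ValueError("need at least two baseline windows and one recent window")
    mean_vol = statistics.mean(base_vols)
    spread = statistics.stdev(base_vols) or 1e-12   # guard against a flat history
    z_scores = [(v - mean_vol) / spread for v in recent_vols]
    flagged = sum(1 for z in z_scores if z > z_threshold)
    return flagged > 0, max(z_scores), flagged


def constructed_prices(recent_sigma: float, shock: bool, seed: int = 7) -> Tuple[List[float], int]:
    """Constructed data: 5 years (1,250 trading days) of calm returns, then 47
    recent days; `shock` replaces the final three days with an SVB-style collapse.
    Returns (prices, baseline_days)."""
    rng = random.Random(seed)
    baseline_days = 1250
    rets = [rng.gauss(0.0, 0.02) for _ in range(baseline_days)]
    rets += [rng.gauss(0.0, recent_sigma) for _ in range(44)]
    rets += [-0.60, -0.40, -0.90] if shock else [rng.gauss(0.0, recent_sigma) for _ in range(3)]
    prices = [100.0]
    for r in rets:
        prices.append(prices[-1] * math.exp(r))
    return prices, baseline_days


if __name__ == "__main__":
    for label, sigma, shock in (("calm", 0.01, False), ("collapse", 0.02, True)):
        prices, base = constructed_prices(sigma, shock)
        breached, max_z, windows = volatility_breach(prices, base)
        print(f"{label}: breached={breached} max_z={max_z:.1f} windows_flagged={windows}")
```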

Risk Ecosystems in the New Normal 

Despite the splintering of many historic trade ties along geopolitical fault lines, the new normal will remain defined by interdependence. The pandemic demonstrated how shocks can propagate across industries and countries, as did Russia’s invasion of Ukraine. In addition, over the last year, global democracies collaborated at unprecedented (for modern times) levels, inspiring a sanctions regime against Russia that continues to grow. Russia’s invasion also stimulated enormous shocks that rippled across interdependent supply chains, from key metals to wheat and grains to natural gas. Organizations that believed themselves immune from the ripple effects were soon exiting Russia, some of which have since seen their stock prices impacted due to direct exposure to the conflict.  

In a similar manner, the contagion impact of the SVB collapse continues to garner scrutiny. For instance, customers of HR software startup Rippling experienced payroll delays because it relied on SVB to process the transactions. Thousands of corporate payrolls have been impacted even if they weren’t direct SVB customers. In the new normal, “invisible” software supply chains like this are taking on a greater importance as an expanded view of critical business relationships comes to include everyone from buyer to supplier, investor, or borrower. 

These kinds of connections and dependencies affect every industry. Interos’ analysis revealed the top seven industries with business relationships to SVB include: software, biotechnology, healthcare equipment and supplies, communications equipment, pharmaceuticals, semiconductors and semiconductor equipment, and IT services. This diversity shows how far-reaching the effects of such a collapse may be.  

Moreover, the contagion concerns are not limited to the U.S. Many Chinese companies are scrambling in light of the collapse. Based on Interos data, roughly 11,000 companies have direct ties to Chinese companies with business relationships with SVB. European banks also experienced a decline in stock prices as contagion fears spread, with Credit Suisse shares falling to a record low on Wednesday. 

Operational Resilience in the Face of Potential Supply Chain Catastrophe

A range of forces has ushered in a once-in-a-generation global supply chain transformation – the pandemic, escalating geopolitical tensions, climate change, economic anxiety, and emerging technologies. Global trade is expected to reach a record $32 trillion, while at the same time the pace of global trade growth has slowed and allyshoring is reshaping trade patterns. During a time of heightened transformation, what was unthinkable in previous eras must be imagined — and mitigated against today and tomorrow.

A siloed or outdated approach to risk is not enough to achieve operational resilience amid sweeping global changes. Organizations must continuously monitor a range of new and emerging risks and gain visibility across their extended supply chain. With an expanded view of risk, organizations can also proactively identify potential vulnerabilities in their supply chain and more easily conduct the due diligence required to inform key decisions – such as alternative suppliers, diversification, and reshoring strategies.

Shifting mindsets toward the unthinkable is unfortunately a core component of operational resilience in this new normal. Working together to build collective resilience – through innovations in technology, processes, and collaboration – will be the best defense against the risks you can’t imagine today. 

Interos supports organizations seeking to minimize these risks through advanced risk intelligence, supply chain scoring, and relationship discovery technologies that automate assessment, detection, and incident response. This gives procurement and other supply chain leaders a powerful way to quickly produce a list of at-risk suppliers for due diligence and continuous monitoring. 

For more information, contact Interos Customer Success: [email protected] 

Escalating Restrictions & Sanctions Threaten to Fragment Global Trade and Supply Chains

By Geraint John

Restrictions on global free trade and supply chain relationships are flying around like Chinese “spy” balloons over North America were just a few weeks ago.

Last month, China slapped sanctions on U.S. defense giants Lockheed Martin and Raytheon, ostensibly because of their arms sales to Taiwan. But the move was widely interpreted as retaliation for the U.S. government’s decision a few days earlier to blacklist six Chinese companies it accuses of being involved in China’s surveillance-balloon program.

So far this month, the American military has shot down one high-altitude Chinese balloon and three unidentified objects over U.S. and Canadian airspace. China denies U.S. government claims that the balloon was spying on sensitive installations. Their government claims it was used purely for weather monitoring.

Regardless of whose version is true, these tit-for-tat sanctions are part of an escalating technology war between the U.S. and its allies and China that threatens to blow apart the international trading system as we know it.

Global Trade Restrictions Have Increased Sharply

As with geopolitical tensions, trade restrictions on goods, services and foreign investment have increased sharply in recent years. From 2018, when the Trump administration imposed tariffs of up to 25% on many Chinese imports, to December 2022, the number of worldwide restrictions more than doubled to around 2,500, according to data from the International Monetary Fund and Global Trade Alert.

A new Interos white paper reveals that Russia displaced China as the most targeted country for restrictions last year, following its invasion of Ukraine. More than 1,100 restrictions were imposed on Russian entities in 2022 – almost six times more than China.

Russia is also well ahead of Iran and China in terms of the total number of restrictions imposed by other nations since 1981 (see chart).

Chart Showing the top recipients of Global sanctions and restrictions. Russia leads significantly, with Iran and China in a close heat for second place. Syria is fourth and North Korea is fifth.

On the opposite side, the U.S. dwarfs other countries in the number of restrictions it issues (around 8,000 during the past 40 years). And it has dozens of restricted entity lists across different government departments and industry sectors.

Prominent examples include:

  • The Department of Commerce’s Entity List, which sets out export licensing requirements for hundreds of foreign-owned businesses.
  • Sections 889 and 5949 of the National Defense Authorization Act banning the use of certain Chinese products and services for military purposes.
  • The Department of Homeland Security’s UFLPA Entity List for the Uyghur Forced Labor Prevention Act, which bars imports of tainted products from the Xinjiang region of China.

Keeping up to date with the ever-expanding list of prohibited firms and ensuring your organization doesn’t fall foul of new trade rules has become a more complex task. Which is why restrictions risk is one of the six risk factors captured and updated continually in Interos’ Resilience platform.

Implications for Global Supply Chains in Light of Trade Sanctions Against China

Standing back from the detail of these multiple lists and regulations, it’s important to consider the broader implications of the spiraling number of restrictions on international supply chains.

During the past couple of years, the U.S. has implemented progressively tighter and more far-reaching rules around the sourcing of Chinese components and sales of American semiconductors and chip-making equipment to Huawei and other Chinese tech firms.

This is having a dramatic impact on the ability of these companies to scale up production and manufacture products.

Last month, China’s semiconductor industry body issued a strongly worded statement condemning action by the U.S., Japan, and the Netherlands to deny its members vital equipment.

Such measures would “destroy the global semiconductor ecosystem”, it claimed.

Trade Restrictions on China Signal Broader Supply Chain Trend

While complaining loudly and portraying itself as the defender of free trade and globalization – as it did at the World Economic Forum’s meeting of political and business leaders in Davos in January — China is also flexing its trade-restriction muscles.

It has, for example, threatened to stop the export of solar panel manufacturing equipment to the U.S. China dominates the supply chain for this crucial clean-energy technology and could — in a mirror image of its own semiconductor woes — impede American efforts to beef up its domestic solar industry.

Although trade between China and the U.S. grew strongly last year, economists and other critics argue that protectionism, “decoupling,” and politically led moves towards “friend-shoring” (or “ally-shoring”) could have negative consequences for the global economy and supply chains in the years ahead.

These include higher prices, lower efficiency, less innovation, wasted public money through ineffective subsidies and industrial policies, and diminished levels of resilience.

As FT columnist Martin Wolf cautioned in a piece on the “new interventionism” last month: “Fragmentation is very easy to start. But it will be hard to control and even harder to reverse.”


Get more information on trade restrictions, sanctions, regulatory changes and their impact on the global supply chain by reading our latest white paper – the Red Tape Revolution. 

Nigeria Crisis Raises Supply Chain Disruption Risk for Western Companies

By Nicolas de Zamaróczy

Hundreds of thousands of American and European companies that rely on imported products from Nigeria’s supply chain face a heightened risk of disruption as a result of the protracted political and economic crisis gripping the country.

A presidential election held on February 25th proved contentious, with widespread irregularities in voting and significant violence. The national election commission declared on March 1st ruling party candidate Bola Tinubu as the winner with 36.6% of the votes cast. However, opposition parties have thus far refused to accept the results and called for a redo, pointing to the fact that many polling places opened late on election day. Meanwhile, the country has been reeling for months from a botched currency reform which has completely paralyzed Nigeria’s cash-dependent informal economy.

Western Oil and Agricultural Firms at Risk from Nigerian Supply Chain Disruption

Many foreign companies are at risk of having their imports from Nigeria disrupted. Nigeria’s main export is petroleum, with crude oil, petroleum gas, and refined oil collectively accounting for around 86% of exports by value. However, the country’s cash cow has suffered greatly in recent years with production down to nearly half of its level in 2020.

Nigeria LNG—a natural gas joint venture between the Nigerian state and energy majors Shell, Total, and Eni—has been unable to fulfill export orders for its European customers in recent months. Nigeria’s main other exports are agricultural goods (most notably, cacao beans) and small maritime craft, both of which are at significant risk from the economic turmoil in the country.

Global relationship data in the Interos platform indicates that:

  • Roughly 700 American and 400 European companies have at least one Tier-1 (T1) supplier based in Nigeria.
  • More than 127,244 American companies have an affected Nigerian company indirectly in their supply chains at Tier 2 (T2), with almost 300,000 at Tier 3 (T3).
  • More than 236,000 E.U. and British companies have an affected Nigerian supplier at T2, with over 510,000 at T3.

As has been the case during the last three election cycles (see chart below), Nigeria’s exports to the US had been dropping in the leadup to the election, with the volatile on-the-ground situation complicating normal operations and logistics. (The one-time surge in Nigerian exports to the US in early 2022 was due to re-routing petroleum from other destinations following the breakout of the war in Ukraine.) The lack of clarity in the presidential election suggests that low exports will continue for the foreseeable future.

Chart showing Nigerian exports to the US since 2008. Exports decline prior to elections.

Interos analysis of Panjiva data. Vertical red lines indicate prior election periods.

Nigeria’s Supply Chain Election-Related Disruptions Likely to Persist into Mid-March

Nigeria voted in a tight three-way presidential election on February 25th amidst an atmosphere of intimidation and election-related violence.

ACLED, an NGO which tracks political violence, has counted at least 193 incidents of election-related violent activity since January 1st, 2022 (see map). Human rights observers have issued warnings that Nigeria has not implemented any structural reforms since 2019, when several hundred people died during the last presidential election. These warnings have taken on new urgency following the assassination of a prominent Senate candidate on February 22nd.

Locations of Election-Related Violence in Nigeria (Jan. 2022 through Feb. 2023)

A map highlighting violent events in Nigeria.

Source: ACLED’s Nigeria Election Violence Tracker. Latest data available is February 17. The size of the circle indicates the number of violent events at that location; the color of the circle indicates the specific form of violence (e.g. orange = “violence against civilians”). Image copyright: © Mapbox, © OpenStreetMap.

Given that state elections will not conclude until March 11th, high levels of violence and uncertainty are likely to persist through mid-March, with a consequent impact on economic activity.

“Cash Crisis” Makes Business-as-Usual Impossible

As if the political chaos were not enough, Nigeria is also suffering from the aftermath of a poorly implemented currency reform. When the Nigerian central bank announced the reform in October 2022, the hope was to combat corruption by redesigning the currency bills most used by criminal organizations. But an overly aggressive window for citizens to redeem their old banknotes combined with an extremely short supply of the new banknotes has left the entire Nigerian economy effectively without cash for several months. This has pummeled the Nigerian informal sector, which according to the IMF accounts for over 50% of GDP and over 80% of employment.

Nigerian Exports Likely to Stay Low in the Short Term

American and European firms with Nigerian suppliers in their extended supply chains should stay wary. Interos recommends taking the following actions to promote supply chain resilience:

  • Communicate frequently with key Nigerian suppliers (or suppliers you know to be reliant on Nigeria) to determine the production impacts of the election and cash crisis.
  • Identify which tier-2 and tier-3 Nigerian suppliers are critical to your direct suppliers.
  • Ascertain whether suppliers in Nigeria are prepared for the extended elections period and the likely disruptions it will entail.
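As an added example of how the tiered exposure counts quoted above are computed from relationship data, and of the second recommendation (which tier-2 and tier-3 suppliers reach you through which direct supplier), the following walks a constructed buyer-to-supplier graph; the company names, edges and “affected” set are made up for illustration and this is not Interos’ data or code.

```python
"""Multi-tier exposure to a set of affected suppliers in a buyer-supplier graph.

Added example; not Interos' relationship data or code. The graph, company names
and the AFFECTED set are constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed edges: buyer -> its direct (tier-1) suppliers.
SUPPLIERS: Dict[str, List[str]] = {
    "US-Refiner": ["NG-CrudeCo", "US-Logistics"],
    "EU-ChocolateMaker": ["NL-Trader"],
    "NL-Trader": ["NG-CacaoExporter", "GH-CacaoExporter"],
    "US-Retailer": ["EU-ChocolateMaker", "US-Packaging"],
    "US-Packaging": ["US-PaperMill"],
    "US-PaperMill": ["CA-PulpCo"],
    "CA-PulpCo": ["NG-Chemicals"],        # tier 4 for US-Retailer: beyond the T3 cut-off
    "DE-AutoMaker": ["DE-Supplier"],
    "DE-Supplier": ["DE-SubSupplier"],    # no Nigerian exposure at all
}
# Constructed set of entities hit by the disruption (here: the Nigerian ones).
AFFECTED: Set[str] = {"NG-CrudeCo", "NG-CacaoExporter", "NG-Chemicals"}


def min_exposure_tier(buyer: str, graph: Dict[str, List[str]], affected: Set[str],
                      max_tier: int = 3) -> Optional[int]:
    """Breadth-first walk down the supplier edges. Because BFS visits tiers in
    order, the first affected entity found is at the buyer's minimum exposure
    tier; None means nothing affected within max_tier."""
    seen = {buyer}
    queue = deque([(buyer, 0)])
    while queue:
        company, tier = queue.popleft()
        if tier == max_tier:
            continue
        for supplier in graph.get(company, []):
            if supplier in affected:
                return tier + 1
            if supplier not in seen:           # also breaks supplier cycles
                seen.add(supplier)
                queue.append((supplier, tier + 1))
    return None


def exposure_by_tier(graph: Dict[str, List[str]], affected: Set[str],
                     max_tier: int = 3) -> Dict[int, Set[str]]:
    """Group every buyer by its minimum exposure tier: the T1/T2/T3 counts
    quoted in the post are this grouping at much larger scale."""
    result: Dict[int, Set[str]] = {t: set() for t in range(1, max_tier + 1)}
    for buyer in graph:
        if buyer in affected:
            continue
        tier = min_exposure_tier(buyer, graph, affected, max_tier)
        if tier is not None:
            result[tier].add(buyer)
    return result


def critical_paths(buyer: str, graph: Dict[str, List[str]], affected: Set[str],
                   max_tier: int = 3) -> Dict[str, List[List[str]]]:
    """For each direct supplier, list the supply paths (buyer -> ... -> affected
    entity) within max_tier, i.e. which tier-2/tier-3 exposures reach the buyer
    through which direct supplier. Direct suppliers with no such path are omitted."""
    paths: Dict[str, List[List[str]]] = {}

    def walk(path: List[str]) -> None:
        if len(path) - 1 >= max_tier:          # path already spans max_tier hops
            return
        for supplier in graph.get(path[-1], []):
            if supplier in path:               # skip cycles
                continue
            full = path + [supplier]
            if supplier in affected:
                paths.setdefault(full[1], []).append(full)
            else:
                walk(full)

    walk([buyer])
    return paths


if __name__ == "__main__":
    for tier, buyers in exposure_by_tier(SUPPLIERS, AFFECTED).items():
        print(f"T{tier}: {sorted(buyers)}")
    for direct, routes in critical_paths("US-Retailer", SUPPLIERS, AFFECTED).items():
        print(f"US-Retailer via {direct}: {routes}")
```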

Organizations looking to understand where the next big supply chain shock is coming from – and which suppliers they need to engage with to mitigate the impact – should consider investing in supply chain visibility and operational resilience solutions. In times of turmoil, knowing who you are connected to, and how those parties will be impacted by unfolding events, can make the difference between continuity of operations and disaster.


Surging Electrical Infrastructure Attacks Pose Disruption Threat for American Businesses – Interos

By Alberto Coria and Trent Chinnaswamy

A growing number of attacks on the United States’ critical electricity infrastructure threatens to cause supply chain disruption to thousands of businesses across the country.

In 2022, the U.S. electrical grid sustained at least 103 deliberate physical and cyber-attacks – the highest level in a decade.

Two recent attacks on electricity substations in North Carolina, and four in Washington, have raised alarm among experts at the U.S. Department of Homeland Security (DHS). These attacks resulted in over 45,000 homes as well as businesses in the surrounding area losing power.

In each case, the modus operandi was similar: intruders carrying firearms gained access to the facilities and disabled them. This has led experts to believe that the attacks, which occurred within a short time of one another, may have been coordinated.

Electrical disruptions in the U.S. caused by intentional human interference are rising. Vandalism accounts for the majority of outages, but suspicious activity – where the intention is unknown – and sabotage are also on the increase (see chart).

The previous peak in vandalism was mostly caused by individuals stealing and selling copper wires. But the industry standard has since changed to use a less profitable kind of copper.

Why then are these attacks increasing and what risk do they pose to businesses?

A graph showing the dramatic increase in suspicious activity, vandalism, and sabotage of US electricity substations, which have increased most significantly since 2017.

Electrical Grid Failure: Supply Chain Implications

Regional blackouts, defined as power loss in an area, can affect not only households, but also industry and logistics operations. However, the degree to which different entities are affected varies. Owing to their typically higher demand for power, manufacturing facilities are more exposed to power surge issues and accustomed to experiencing power failures, with one in four experiencing a power failure once a month.

Manufacturing facilities are also more likely to have backup and stress-tested generators, and have a coverage plan. However, these are generally focused on short-term power outages caused by high energy demands. In the case of a physical attack on a substation, a manufacturing site may have to deal with a longer-term power outage. So they can still face moderate levels of risk in the case of a physical attack.

Non-manufacturing facilities that are part of a supply chain are also likely to be affected by power outages, with the industries most reliant on electricity at the highest risk. These include financial corporations, IT services providers, data centers, perishable item producers, control centers, and medical facilities.

Rural Substations are Key Vulnerabilities

The U.S. electrical grid is broken up into three large, connected networks (Texas Interconnection, Western Interconnection, and Eastern Interconnection) that operate fairly autonomously and are divided into eight regions (see map).

The U.S. Federal Energy Regulatory Commission has determined that transformers in rural substations are most vulnerable to physical attacks. Substations in urban areas typically have higher levels of monitoring and protection, while rural substations are completely unguarded.

The Eight U.S. Electricity Generating Regions

A map showing the 8 regions of the US electrical grid.

While substations in rural areas are at high risk of attacks, and the surrounding areas are at risk of a power outage, only 10.8% of the U.S. electrical grid is subject to “cascading” blackouts.

This means that attacks on substations in rural areas are likely to affect only the surrounding areas, and not cause blackouts in other areas of the country. This likelihood of power outages remaining contained to smaller areas places a greater emphasis on assessing supply chain risk exposure in rural areas.

Transformers at high-voltage and rural substations are prime targets for physical attacks, as transformers are difficult to protect and replacement parts are difficult to obtain.

In many of the higher-risk rural areas, substations are considered “dead-end”. Dead-end structures are where the line ends or angles off, meaning there is no backup power connection. The pink dots on the map below indicate the propensity of dead-end substations across the US. The darker the area, the more likely there is no backup power connection in the case of disruption.

Map showing regions without backup substations. The greatest concentration of backup-less power appears to be in the southern US.

What Companies Should Do

To get ahead of this critical infrastructure risk, Interos recommends that companies do the following:

  • Use supply chain mapping and operational resilience tools like Interos’ Resilience platform and global relationship data to identify suppliers in industries and locations at the highest risk of being affected by potential power disruptions, and which agencies are responsible for power restoration.
  • Engage key suppliers in high-risk regions to understand what impact, if any, they have experienced as a result of physical and/or cyber-attacks.
  • Assess high-risk suppliers’ mitigation plans in the case of a regional blackout, and develop business continuity plans or workarounds for such disruptions where possible.

Peru Protests Create Risk of Supply Chain Disruption for Western Businesses

By Nicolas de Zamaróczy

Thousands of U.S. and European companies are facing supply chain disruptions as a result of the ongoing political violence engulfing Peru.

The six-week-long unrest has seen at least 50 people killed and 700 wounded, while exposing the country’s deep societal cleavages.

Supporters of ousted President Pedro Castillo are demonstrating to secure his return to office, facing off against members of the Peruvian police and military who have routinely employed heavy-handed tactics.

The government recently extended a 30-day state of emergency in the capital Lima, as well as the regions of Cusco, Puno and Callao, which will further disrupt business.

Peru: a Key Commodity Exporter, Gridlocked

Peruvian companies, which are experiencing disruptions owing to the protests and associated road blockades, supply thousands of international businesses.

From a geographical analysis of the affected regions of Peru, Interos identified 2.95 million Peruvian entities whose business operations are likely disrupted.

Global relationship data in the Interos platform indicates that:

  • More than 7,500 North American companies have at least one Tier-1 (T1) supplier among the affected Peruvian companies.
  • More than 1,600 European Union and British companies have at least one T1 supplier among the affected Peruvian companies.
  • More than 116,000 North American companies have an affected Peruvian company indirectly in their supply chains at Tier 2 (T2), with almost 355,000 at Tier 3 (T3).
  • More than 144,000 E.U. and British companies have an affected Peruvian supplier at T2, with over 483,000 at T3.

Peru’s main exports are agricultural products and minerals, and supply chains reliant on these could be hit hard. The Peruvian agricultural producers’ association, for example, estimated in mid-December that its members had already lost $150m in potential exports due to the political crisis, and those numbers will have grown since then.

From an industrial perspective, Peru is the world’s second-largest producer of copper and zinc, and also a major player in silver and gold production.

On 12 January, a major Swiss-owned copper mine near Cusco was attacked by protestors, while a tin mine announced it was suspending operations for the time being.

While most of Peru’s minerals are exported to China and other Asian economies, disruptions could affect commodity prices and inputs availability worldwide. This would be a blow for downstream industries as well as direct purchasers—copper and silver are both widely used in renewable energy and vehicle manufacturing, while zinc is critical to the production of galvanized steel and iron.

Metals and Minerals Are at Risk

Chart showing Peru's minerals and rare earth metals exports.

Source: Interos analysis of various industry reports

Transportation Infrastructure is a Main Target

Despite being primarily located in the country’s more indigenous and poorer southern regions, President Castillo’s supporters have nevertheless achieved a nation-wide impact through the deliberate targeting of critical transportation networks.

One of the protesters’ main tactics has been blockading the highways on which national and international trucking depend. As of 17 January, the Peruvian Ombudsman’s Office reported 96 roadblocks, across 14% of the country’s provinces, primarily in the country’s lightly populated but mineral-rich south.

Since the start of the crisis, all of Peru’s airports have experienced temporary closures, rail service in the country’s south has been suspended (including at tourist destination Machu Picchu), and commercial truckers continue to struggle to enter or exit the key southern port of Matarani.

Cross-border commerce with neighboring Bolivia is at a standstill, leaving companies in eastern Bolivia scrambling to find alternate export routes through Chile.

Growing Polarization within South American Countries Complicates Friendshoring

Peru’s ongoing troubles are part of a broader pattern of political upheaval within South American countries. In 2022, large-scale protests occurred in Brazil, Argentina, Bolivia, and even normally peaceful Chile, worrying NGOs that track political violence in the region.

While historically geopolitical tensions in the region were driven by differences between left- and right-leaning countries, increasingly the turmoil is emerging within societies themselves.

Political scientists use the concept of “group grievances” to understand how schisms between different groups in society — particularly divisions based on social, ethnic, or political characteristics — play a role in governance. Group grievances in Peru are currently the highest among all major South American countries (see chart).

A chart demonstrating Peru's higher-than-average level of social unrest since 2006.

Note: Group grievances scores range from 0-10, where 0 = best
Source: Interos analysis of Fragile States Index data from the Fund for Peace

This increasing inability of many South American governments to maintain domestic order complicates hopes that the region could become a hub for “friend-shoring”, the trend whereby Western companies are seeking to move production out of inhospitable locations to more stable and less geopolitically charged destinations.

Ultimately, any attempt at relocating production or sourcing sites must assess their long-term potential for political instability.

How to Mitigate Supply Chain Disruptions

Expect roadblocks to hit your supply chains in 2023. Chief Procurement Officers can mitigate impacts from the Peru protests by:

  • Better understanding their extended supply chain dependencies on Peru and identifying those at highest risk of being disrupted.
  • Discussing the impact of the protests with T1 suppliers, with an eye towards developing business continuity plans and workarounds where possible/needed.
  • Cultivating alternative sources for the products affected in other countries, and potentially looking to see if the orders/volumes in existing contracts need to be adjusted.
  • Investing in tools that can integrate geopolitical risk into their supply chain risk management process.

Mapping the Solar Panel Supply Chain is Key to Avoiding Forced Labor Risks

By Geraint John and Daniel Karns

Solar panels (and the solar panel supply chain) have an important role to play in the global transition to clean energy, but China’s use of forced labor to produce key components represents a tangible supply chain risk for U.S.-based companies.

Polysilicon – an essential material in the solar photovoltaic supply chain – is one of three items specifically targeted by the Uyghur Forced Labor Prevention Act (UFLPA), which took effect in June. It gives U.S. Customs and Border Protection (CBP) officers the right to detain imported products suspected of being made or partly made in the Xinjiang region of China.

A delayed and much-anticipated report on the situation in Xinjiang published in August by the UN High Commissioner for Human Rights accused China of “serious human rights violations” that “may constitute international crimes”.

As of the end of September – three months into implementation of the UFLPA – CBP commissioner Chris Magnus said that almost half of the 3,000-plus shipments detained by his agency were covered by the new law, with an estimated value of nearly $500 million. He didn’t specify the products affected, but several leading Chinese solar panel suppliers are reported to have had shipments detained or sent back.

Failing to comply with the UFLPA, knowingly or otherwise, presents serious financial, operational and reputational risks for American solar energy and other firms that need to be addressed.

China Continues to Dominate the Solar Supply Chain

Xinjiang, which is home to the predominantly Muslim ethnic minority Uyghur population, produces about 40% of the world’s supply of polysilicon, a high-purity grade of silicon mined from quartz. This is cast into ingots, which are then cut into wafers and used to make the solar cells that are, in turn, assembled into finished panels (modules).

Action by successive U.S. administrations over the past decade has largely halted the direct import of these products from China:

  • Starting in March 2012, the U.S. Department of Commerce imposed tariffs of up to 165% on Chinese solar cells and panels in an effort to stop the dumping of low-cost products into the U.S. market. These measures were ratified and extended in 2014, 2018 and in February of this year.
  • In June 2021, the U.S. Department of Labor added polysilicon from Xinjiang to its annually updated List of Goods Produced by Child Labor or Forced Labor. It joins nine other product groups thought to involve the use of forced labor in the region, including cotton, tomatoes, footwear and textiles.
  • Later that same month, the CBP issued a Withhold Release Order (WRO) against Hoshine Silicon Industry Co. Ltd, a Xinjiang-based firm accused of using intimidation, threats and restricted movement practices against its workforce. The WRO instructs U.S. port officers to detain shipments of silica-based products made by the company and its subsidiaries.

The U.S. Solar Panel Supply Chain

As a result of these actions, U.S. imports of solar panels now come mainly from other countries in Asia. In the final quarter of 2021, Vietnam, Malaysia and Thailand accounted for more than 80% of shipments (see chart).


Pie chart showing origins of US solar panel supplies. Vietnam, Malaysia, and Thailand are the top 3 countries, followed by S. Korea and Cambodia.

However, as with lithium-ion batteries, China dominates solar supply chains. Seven of the world’s 10 biggest solar panel makers are Chinese, and according to U.S. government agencies:

  • China owns 72% of global manufacturing capacity for polysilicon (with 54% of total output produced in Xinjiang).
  • In addition, China controls 98% of global manufacturing capacity for ingots, 97% for solar wafers, 81% for solar cells and 77% for solar panels.
  • Three-quarters of solar cells installed in the U.S. are made by subsidiaries of Chinese firms operating in Vietnam, Malaysia and Thailand, which import large quantities of solar materials from China.

An analysis of Interos’ global relationship platform data in August found:

  • 120 direct, tier-1 relationships between U.S. buyers and Chinese solar panel suppliers.
  • Almost 9,500 indirect, tier-2 relationships, with the vast majority accounted for by four suppliers: JinkoSolar Holding Co. Ltd; JA Solar Holdings Co. Ltd; Trina Solar Co. Ltd; and Suntech Power Holdings Co. Ltd.
  • Hoshine Silicon Industry Co. Ltd – the subject of last year’s WRO action – had just five direct relationships with U.S. buyers, but more than 160 tier-2 connections.

Guilty Until Proven Innocent

Unlike some previous supply chain-oriented legislation, the UFLPA puts the onus on importers to demonstrate that solar products have not involved the use of forced labor.

In its guidance to importers, CBP notes that “imports of all goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part in the Xinjiang Uyghur Autonomous Region (Xinjiang) of the People’s Republic of China (PRC), or by entities identified by the U.S. government on the UFLPA Entity List, are presumed to be made with forced labor and are prohibited from entry into the United States.”

It continues: “The presumption also applies to goods made in, or shipped through, the PRC and other countries that include inputs made in Xinjiang.”

Mapping solar supply chains is therefore an essential foundation for companies to comply with the UFLPA. Speaking to Bloomberg earlier this month, AnnMarie Highsmith, an executive assistant commissioner at CBP, said companies needed tools to identify potential forced labor in their supply chains and avoid unwitting violations of the act.

A particular danger here is “supply chain washing” – where suppliers seek to avoid the UFLPA and other trade restrictions by routing raw materials, components and finished products tainted by forced labor through intermediary countries.

What can you do to safeguard your solar panel supply chain?

Alongside mapping and monitoring activities, CBP’s guidance document stipulates the following in relation to polysilicon:

  • “Importers need to provide complete records of transactions and supply chain documentation that demonstrate all entities involved in the manufacture, manipulation, or export of a particular good, and the country of origin of each material used in the production of the products going back to the suspected source of forced labor, i.e., production in Xinjiang or by an entity on the UFLPA Strategy entities lists.
  • “Provide a flow chart mapping each step in the procurement and production of all materials and identify the region where each material in the production originated (e.g., from location of the quartzite used to make polysilicon, to the location of manufacturing facilities producing polysilicon, to the location of facilities producing downstream goods used to make the imported good).
  • “Provide a list of all entities associated with each step of the production process, with citations denoting the business records used to identify each upstream party with whom the importer did not directly transact.
  • “Importers should be aware that imports of goods from factories that source polysilicon both from within Xinjiang and outside of Xinjiang risk being subject to detention, as it may be harder to verify that the supply chain is using only non-Xinjiang polysilicon and that the materials have not been replaced by or co-mingled with Xinjiang polysilicon at any point in the manufacturing process.”

CBP officials acknowledge that more staff are needed to fully monitor and enforce UFLPA requirements at U.S. ports of entry. But experience from its first quarter of operation suggests that companies cannot afford to be complacent about the act, which sets a new and higher bar for supply chain risk management.

The Next Hurricane Could Spell Supply Chain Disaster for Companies Without Operational Resilience

By Kate Anderson

Hurricane Ian has caused massive damage to physical infrastructure on the east coast last week, shutting ports and terminals, and further disrupting already-strained US supply chains. Unfortunately, these kinds of weather-related supply chain disruptions are likely to become increasingly frequent. In recent years, hurricane season has become both longer and more intense, with a greater proportion of storms expected to reach Category 4 and 5 levels. NOAA recently projected that 2022 will be yet another above-average hurricane season, with an ongoing La Niña compounding the effects of global warming to increase the duration, frequency, and severity of North Atlantic hurricanes.

Hurricane Ian had devastating local effects, costing private Florida insurance companies an estimated $63 billion in damages—the most costly storm in Florida history. But that is just the tip of the iceberg. In the past few years, marine traffic has shifted away from the beleaguered west coast to the east coast. Some of the largest ports and transportation centers in the country were forced to shut down in anticipation of the storm, delaying shipments. These closures reverberate through supply chains, affecting businesses throughout the US and world.

A proactive approach to supply chain management requires that we heed the warnings of past events like Hurricane Sandy and Ian, to better understand the impact that a single storm could have on U.S. imports. This raises the question: If a major hurricane shut down all ports and terminals from Florida to Virginia, what could we expect to see in terms of supply chain impact? Answering this question requires not only visibility into the ports along the southeastern seaboard, but also the ripple effects as those disruptions propagate through the rest of the system.

Theoretically, What’s the Worst That Could Happen?

Maritime transportation accounts for a majority of U.S. imports and exports, with ports in Georgia, South Carolina, and Virginia among the largest importers on the East Coast.

We explored the potential impact of a theoretical catastrophic tropical cyclone event by looking at what types of commodities and U.S. firms would be impacted if all marine ports in Florida, Georgia, South Carolina, North Carolina, and Virginia were closed due to the dangerous conditions and damage that would come as a result of a severe hurricane.

The goods coming through southeastern ports range widely. Mechanical components make up the largest fraction. Electrical components are also heavily represented. Medical equipment and supplies, including vaccines, also come through southeast ports in volume. Consumer goods such as clothing, food, cars and motorcycles, and other consumer durables would also be affected.

Over 40,000 different companies shipped goods into ports on the Southeastern seaboard during hurricane season last year, many of them receiving hundreds of individual shipments. The largest direct effects are on manufacturing. The largest among these are the transportation industry (automotives, airplanes, trains, roads, etc.) and aerospace and defense. The electronics industry would also be heavily affected, with further disruptions to the flow of crucial electronic components that are already proving in short supply.

Hurricane-driven Disruption Could Have Even Larger Supply Chain Impacts

However, these numbers only represent the initial impact of the port closures. The events of the last few years have taught us that indirect effects can be just as disruptive to operations. Even if your business does not directly import items through Florida ports, you should still anticipate delays in the coming months due to Hurricane Ian. The reason is simple: if your suppliers are missing their shipments, then they are unable to provide you with the items you need for your operations. These “ripple effects” will impact a much larger fraction of the US economy than even the original event.

Image showing three key statistics on the ripple effect of the theoretical storm.

Proprietary Interos data allows us to look at the ripple effect of a severe weather event. Ports in the states affected by our theoretical storm serve over 40,000 companies. But according to Interos data, disruptions to operations in those companies would affect a further 243,000 additional companies. Of these, 105,000 are located in the U.S. The rest of the goods are exported around the world. The situation is even more dire when we consider businesses yet another step out. 522,000 businesses would be affected at that level.

Our data also enabled us to take a look at different kinds of goods passing through the various ports affected by our hypothetical storm. We can use this to see which industries would be most-affected by this potential disaster. While the food and beverage, machinery, and automotive sector would be hit hardest, the chart below also highlights how widespread and potentially diverse the impact of major port closures along the US southeast would be.

Hurricane Ian will scarcely be the last major storm to shut down US trade infrastructure. Natural disaster-driven supply chain disruption is likely to only increase in severity and duration over the coming years – these impacts are no longer a matter of “if,” they are a matter of “when.” Organizations need to start developing effective contingency plans and disaster-preparedness measures to survive and thrive in this new environment of perpetual disruption. Of course, the best defense against any disruption is a diverse and resilient supply chain. Achieving supply chain resilience first requires understanding the entirety of your supply chain, and the vendors and risks within it.

To learn more about how Interos can help you create total supply chain visibility and build operational resilience, visit our procurement solutions page. If you’re looking to better-understand the real impacts of supply chain disruption, check out our animated and interactive annual survey.

Nord Stream Pipeline Leaks Underscore Threats to Critical Energy Infrastructure

By: Trevor Howe, Senior Operational Resilience Consultant

On September 26th, sudden drops in pressure were observed in the natural gas pipeline Nord Stream 2 before undersea leaks were detected in the Baltic Sea. Shortly thereafter, leaks were also detected for Nord Stream 1. While the pipelines are not currently facilitating gas flows from Russia to Europe, they were filled with natural gas which has leaked into the Baltic, creating an operational hazard for vessels in the area. The Prime Minister of Sweden, Magdalena Andersson, disclosed to a news conference on September 27th that seismologists in Sweden, as well as Denmark, had registered two powerful blasts the day prior in the vicinity of the leaks. Moreover, the explosions occurred in the water, not under the seabed, and at relatively shallow depths which would be reachable by divers or unmanned underwater vehicles.

Nord Stream Sabotage Damages European Energy Infrastructure

While these explosions occurred inside the exclusive economic zones of Sweden and Denmark, they have not been considered an attack on either country, which could trigger NATO intervention through Article V of the Washington Treaty. European officials, including NATO, have claimed that the explosions were the result of sabotage, though the European Union has not yet named a perpetrator or suggested a reason behind the incidents. The Kremlin’s spokesman, Dmitry Peskov, also told reporters that the incidents could have been the result of sabotage and that they would promptly investigate the matter.

While investigations are underway to ascertain the cause of the explosions and responsible parties, neither pipeline was active and these incidents should have no immediate effect on the supply of natural gas to Europe, though they have put additional upward pressure on prices.

Operational Threats Against Energy Infrastructure & Supply Chain

What the Nord Stream events highlight is the fact that European critical infrastructure can be a potential target for those seeking to precipitate disruptions and undermine energy security on the continent. This threat is made particularly dangerous amid EU Member States’ efforts to prepare for the winter season without Russian natural gas.

The speaker of Lithuania’s parliament, Viktoria Čmilytė-Nielsen pointed out that “these incidents show that energy infrastructure is not safe” and that “[the explosions] can be interpreted as a warning.” If indeed these explosions were intended as a warning, it is possible the threat could be directed towards the Baltic Pipe, a new gas pipeline carrying supplies from Norway through Denmark to Poland which was just opened on September 27. Norway has been a crucial supplier to Europe amid the scramble to replace Russian energy, so disruptions to Norwegian exports could have significant downstream effects. However, it is crucial to note that this threat is not unique to Norwegian energy infrastructure.

Cyber Threats Against Energy Infrastructure

While physical threats to critical infrastructure (as defined by Council Directive 2008/114/EC of 8 December 2008) are a priority for EU Member States, governments must also prepare against cyber threats. According to the Commission, “traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks,” and while this makes the energy system smarter, “digitalization creates significant risks as an increased exposure to cyberattacks and cybersecurity incidents potentially jeopardizes the security of energy supply and the privacy of consumer data.”

One need only look to the disruptions caused in the U.S. in the wake of the ransomware attack against the Colonial Pipeline Company in May 2021 which led to the shutdown of 5,500 miles of pipeline carrying around 45% of fuel supplies on the East Coast. That attack was made possible by a single password being compromised for a legacy virtual private network (VPN) which didn’t use two-factor authentication. A relatively simple theft enabled hackers to disrupt one of the country’s largest and most vital pipelines, forcing President Biden to declare a state of emergency.

Europe is not immune to threats similar to the Colonial Pipeline cyberattack. Early February 2022 saw a slew of cyberattacks against oil transport and storage companies across the continent. These attacks forced an affected company, Oiltanking Deutschland GmbH & Co. KG, to operate at a limited capacity and even caused slowdowns at ports in the Netherlands as barges awaited oil deliveries. With supply chains in a state of recovery due to the COVID-19 pandemic, disruption events like this have the potential to set recovery efforts back significantly, especially at a time when energy security in Europe is a top priority.

Russian Hybrid Warfare

Though Russia has wielded energy as a foreign policy weapon, by cutting flows entirely through the Yamal pipeline and Nord Stream 1 the Kremlin has lost leverage in terms of the future damage it can unilaterally inflict via energy exports to Europe. As a result, it would be unsurprising if Russia were to employ additional hybrid warfare tactics in the form of cyberattacks, an area in which the Kremlin wields asymmetrically advanced capabilities, to further Russian national interests. These could include attacks which target critical energy infrastructure to further destabilize Europe’s energy security and put more upward pressure on energy prices which threaten businesses’ operations across the continent.

Multiple entities in Russia are known to possess and deploy advanced cyber capabilities against adversarial targets; these include Russia’s Federal Security Service (FSB), Russia’s Military Intelligence Agency (GRU), Russia’s Foreign Intelligence Service (SVR), and a private organization, the Internet Research Agency (IRA). These actors can act alone, or in tandem with one another, to devastating effect if they so desired to further destabilize Europe’s energy security.

Supply Chain Risk Management

To guard against physical disruptions, Norway and Denmark have already stepped up security around their oil and gas industries’ infrastructure, rigs, and buildings after the Nord Stream incidents. However, physical security does not guard against cyberattacks, which can be mounted from halfway across the world.

Companies can better understand their risk exposure to physical and digital infrastructure attacks by gaining greater visibility into their third parties’ risk posture. Doing this at speed, continuously, and without breaking the budget requires artificial intelligence-driven software like the Resilience platform offered by Interos.

Additionally, entities should implement risk management programs, conduct internal reviews to assess their own security posture, prepare and test resilience plans for likely scenarios, and strengthen collaboration with stakeholders in their respective industries to better manage risk in their supply chains.

Enabling Operational Resilience with DORA: Supply Chain Risk Management

By Max Kanaskar and Geraint John

Upcoming regulatory compliance requirements under the European Union’s Digital Operational Resilience Act (DORA) will require financial institutions to transform the way they conduct supply chain risk management (SCRM) and thus the way they build digital operational resilience.

However, financial services companies typically do not have visibility of their digital supply chains beyond third parties. Many lack comprehensive operational risk intelligence on their core ICT (information and communication technologies) suppliers, and more still struggle to scale SCRM processes, especially continuous monitoring.

Successful firms will begin by focusing on SCRM resource efficiency and risk mitigation, and then build on it to achieve true operational resilience.

DORA: Beyond compliance to transformation

DORA, an EU-wide rule book governing cyber resilience management for financial institutions and their critical ICT suppliers, is expected to become law sometime later this year. It underscores the strategic significance of operational resilience: the “double dividend” of operational loss avoidance and higher levels of business effectiveness in terms of financial stability, risk-taking and stakeholder engagement.

Leading institutions are approaching DORA not as a compliance requirement, but as a transformational opportunity. Central to this transformation is the maturity of SCRM programs.

Slide highlighting effects of the DORA and how banks can best adapt to it.

While we await detailed supervisory guidance around DORA, European financial services firms are examining their third-party relationships, uncovering hidden risks, and driving maturity of their SCRM processes. In parallel, they are setting up enterprise resilience programs, with a top-down, cross-functional organizational mandate to institute operational resilience.

SCRM can help to enable several resilience-related capabilities, including:

  • Enhanced scenario identification through nuanced illumination of third parties and their connection to critical economic assets and business services.
  • Improved response and recovery speed through timely and targeted event monitoring and third-party engagement.

Underpinning this strategic resilience vision is 360-degree situational awareness of digital supply chain risk – something that many financial institutions still lack today.

The importance of multi-tier supplier visibility

Data analysis by Interos using its global relationship mapping platform on 12 systemically important European banks reveals the extent of this challenge:

  • On average, a single such institution has 75 direct, tier-1 (third-party) relationships with ICT suppliers.
  • This quickly explodes to 3,500 relationships when tier-2 suppliers (fourth parties) are included, and a whopping 15,000+ at the tier 3, or fifth-party, level.
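The tier-1/2/3 figures above, like the Peru exposure counts earlier on this page, are what a breadth-first walk over buyer-supplier relationships produces: walking downstream from one institution gives its third, fourth and fifth parties, and walking upstream from a set of disrupted suppliers gives which buyers are exposed and at what tier. The following is an added example, not Interos’ code or data; the relationship data and entity names are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample relationship data as (buyer, supplier) pairs. Entity names
# are placeholders invented for this example, not real companies.
RELATIONSHIPS = [
    ("BankA", "CloudCo"), ("BankA", "SwiftNet"), ("BankA", "PayProc"),
    ("BankB", "PayProc"), ("BankC", "MineXYZ"),
    ("CloudCo", "ChipFab"), ("CloudCo", "DCPower"),
    ("PayProc", "ChipFab"), ("PayProc", "CableSA"),
    ("SwiftNet", "CableSA"),
    ("ChipFab", "MineXYZ"), ("CableSA", "MineXYZ"), ("CableSA", "PortOps"),
    ("DCPower", "PortOps"),
]


def build_graph(relationships):
    """Index the edge list both ways: buyer -> suppliers and supplier -> buyers."""
    downstream = defaultdict(set)
    upstream = defaultdict(set)
    for buyer, supplier in relationships:
        downstream[buyer].add(supplier)
        upstream[supplier].add(buyer)
    return downstream, upstream


def tiered_reach(adjacency, seeds, max_tier):
    """Breadth-first walk from `seeds`, following at most `max_tier` hops.

    Returns {entity: tier}, where tier is the nearest hop count at which the
    entity was reached (1 = direct relationship). Each entity is recorded once,
    so shared suppliers and cyclic relationships do not inflate the counts.
    """
    tier_of = {}
    seen = set(seeds)
    frontier = deque((seed, 0) for seed in seeds)
    while frontier:
        node, depth = frontier.popleft()
        if depth >= max_tier:
            continue
        for neighbour in adjacency.get(node, ()):
            if neighbour in seen:
                continue
            seen.add(neighbour)
            tier_of[neighbour] = depth + 1
            frontier.append((neighbour, depth + 1))
    return tier_of


def supplier_tiers(downstream, institution, max_tier=3):
    """DORA view: one institution's third (tier-1), fourth (tier-2) and fifth parties."""
    return tiered_reach(downstream, {institution}, max_tier)


def exposed_buyers(upstream, disrupted, max_tier=3):
    """Peru view: which buyers sit downstream of a disrupted set, and how far away."""
    return tiered_reach(upstream, set(disrupted), max_tier)


def count_by_tier(tier_of, max_tier, only=None):
    """Roll the walk up to per-tier counts, optionally restricted to the entities
    in `only` (for example, the buyers headquartered in one region)."""
    counts = {tier: 0 for tier in range(1, max_tier + 1)}
    for entity, tier in tier_of.items():
        if only is None or entity in only:
            counts[tier] += 1
    return counts


if __name__ == "__main__":
    downstream, upstream = build_graph(RELATIONSHIPS)
    print("BankA supplier tiers:", count_by_tier(supplier_tiers(downstream, "BankA"), 3))
    exposed = exposed_buyers(upstream, {"MineXYZ", "PortOps"})
    print("Buyers exposed to MineXYZ/PortOps:", count_by_tier(exposed, 3))
    print("Exposed banks only:", count_by_tier(exposed, 3, only={"BankA", "BankB", "BankC"}))
```

Because each entity is assigned its nearest tier, a buyer with both a direct and an indirect link to a disrupted supplier is counted once, at tier 1; reports that count "at least one supplier at tier N" per tier overlap and will give larger totals.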

Very few institutions have good visibility into this extended ICT supply chain, and fewer still can ascertain where vulnerabilities may arise.

To underline the importance of this multi-tier visibility, Interos’ 2022 global supply chain survey found that while 18% of financial services executives said they experienced disruptions among third-party suppliers in the previous 12 months, the corresponding figures for fourth and fifth parties were 31% and 43% respectively.

If financial institutions do not have visibility of their extended digital supply chains, then they are not prepared to prevent, respond to and recover from incidents that occur there.
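The tier fan-out described above can be made concrete with a small dependency-graph walk. The following is an added example, not Interos code or data: it builds a constructed supplier graph (the `SUPPLIER_GRAPH` names are hypothetical), assigns each supplier to a tier by shortest path from the institution, and then shows which tier-1 suppliers are exposed when a single upstream (fourth- or fifth-party) supplier is disrupted.

```python
from collections import deque

# Constructed sample graph (hypothetical names, not real suppliers):
# an edge A -> B means A procures ICT services from B.
SUPPLIER_GRAPH = {
    "bank": ["cloud_a", "core_banking_b", "payments_c"],
    "cloud_a": ["cdn_x", "chip_y"],
    "core_banking_b": ["cloud_a", "db_z"],
    "payments_c": ["cdn_x", "hsm_w"],
    "cdn_x": ["dns_q"],
    "db_z": ["chip_y"],
    "hsm_w": ["chip_y"],
    "chip_y": ["cloud_a"],  # cycle: a supplier that also buys from a tier-1
}


def supplier_tiers(graph, root, max_tier=3):
    """Map every supplier reachable from root to its tier (shortest-path depth).

    Breadth-first search so a supplier seen via several routes keeps the
    lowest tier; visited-set handles cycles; max_tier bounds the walk."""
    tiers = {}
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_tier:
            continue
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                tiers[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return tiers


def tier_counts(tiers):
    """Number of distinct suppliers at each tier (the 75 / 3,500 / 15,000 view)."""
    counts = {}
    for tier in tiers.values():
        counts[tier] = counts.get(tier, 0) + 1
    return counts


def exposed_tier1(graph, root, supplier, max_tier=3):
    """Tier-1 suppliers that depend on `supplier`, directly or transitively,
    within the assessed depth. A disruption at `supplier` hits all of them."""
    exposed = set()
    for t1 in graph.get(root, []):
        if t1 == supplier or supplier in supplier_tiers(graph, t1, max_tier - 1):
            exposed.add(t1)
    return exposed


def concentration(graph, root, max_tier=3):
    """For each supplier, how many tier-1 relationships it sits beneath;
    high values flag hidden single points of failure in deeper tiers."""
    return {s: len(exposed_tier1(graph, root, s, max_tier))
            for s in supplier_tiers(graph, root, max_tier)}
```

In the sample graph the tier-2 supplier `chip_y` is upstream of all three tier-1 suppliers, which is exactly the kind of exposure that is invisible when only direct relationships are reviewed.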

At the same time, there is a more insidious effect that companies need to be cognizant of when dealing with ICT suppliers and their extended supply chains: complacency.

Interos’ analysis of the cyber risk scores of the most common ICT suppliers to major European banks reveals that they are generally well positioned to handle cyber threats. However, as recent incidents affecting vendors such as F5 Networks and VMware show, even the best firms are vulnerable.

Image showing how the Interos Operational Resilience Cloud platform supports key DORA requirements.

Invest in resilience-building capabilities to meet DORA requirements

The impact of this is wide ranging, especially from a resilience standpoint:

  • If financial institutions do not have the required visibility into their extended supply chains, how can they develop sound threat-led penetration tests to test their resilience strategies?
  • How can they engage with suppliers on joint resilience planning if they do not understand their suppliers’ detailed risk profiles?
  • How can they continuously monitor their vast digital supplier relationships and notify concerned authorities under strict SLAs with limited resources?

This challenge is acute for financial services and projected to become even more so, given the exploding number of supplier relationships for a typical company.

Studies highlight the importance of investing in building these capabilities: by one measure, a dollar invested in resilience-building early on helps avoid downstream losses to the tune of five dollars. Other similar studies have highlighted the impact of resilience on total return to shareholders (TRS).

These financial measures are useful, but only one-dimensional; the returns in terms of preserving trust and reputation with key stakeholders are immeasurably greater – perhaps by several orders of magnitude.

Get started with ‘no regret’ actions

Once DORA becomes law later this year, financial institutions will have two years to comply with the requirements. The EU supervisory bodies that are currently working on the detailed Regulatory Technical Standards for DORA have until six months before the compliance deadline to release those requirements.

Companies have already been complying with various regional, cybersecurity-specific and resilience-related requirements and guidelines that predate DORA. So, from a compliance standpoint, many will not be starting from a greenfield position.

The challenge will be to pursue organizational transformation in the quest for true enterprise-wide operational resilience, for which institutions can start with “no-regret” actions today. These include:

  • Understanding risk exposures of the extended digital supply chain – companies can begin by enabling this visibility and creating the supporting process and organizational infrastructure.
  • Leveraging these insights to begin planning for collaborative resilience with their key ICT suppliers.
  • Enhancing their existing resilience operating models to better leverage such risk insights by bringing in SCRM experts earlier in the planning process.

Such actions will not only help financial institutions comply with DORA requirements when they are released, but also will pay off from an enterprise resilience standpoint.

The EU’s DORA framework may well serve as the template for global resilience efforts. Either way, resilience requirements are coming from a regulatory standpoint.

Financial institutions are advised to take action today to prepare for this eventuality and ensure that they don’t fall behind nimbler peers.

To learn more about supply chain issues affecting major financial services institutions and banks, read the FSI cut of our annual industry survey.