Uyghur Forced Labor Prevention Act (UFLPA) & ESG Violations – Interos

CBP Implements UFLPA: The Newest Law Targeting Supply Chain Washing and ESG Violations

On Monday, the United States’ Uyghur Forced Labor Prevention Act (UFLPA) goes into effect. Focused on a controversial region in northwest China, the landmark law creates a presumption that any products “manufactured wholly or in part” in Xinjiang are made with forced labor. It bans all imports from the territory unless a company can prove otherwise.

The guidance sets out CBP’s agenda of enforcement and prioritizes investment in supply chain visibility technology and “digital traceability.” It also explicitly bans US companies from importing any products from a list of 20 newly named Chinese companies (many of which are based in Xinjiang), unless the importer proves the goods were not made with forced labor. The list of restricted companies is expected to grow as further labor violations are uncovered, and as named companies adopt aliases to evade detection. Interos is adding these restricted entities to our platform to help customers ensure they’re not in violation.

The law is the latest and boldest attempt to combat an increasingly common practice known as supply chain washing – the concealment of critical information about how products and services are sourced and sold.

While bad actors are certainly responsible for a significant amount of supply chain washing, even companies that believe they are acting in good faith can inadvertently violate sanctions, restrictions, and export controls through hidden unknown relationships in their supplier or customer networks.

Concerns Over Supply Chain Washing, Supply Chain Visibility, Rise 

The implementation of the UFLPA comes at a time when outcry over supply chain deception is high, as much of the world witnesses China’s persecution of the ethnic minority Uyghur population in Xinjiang. The U.S. has described China’s treatment of Uyghurs as genocide.

The UFLPA is part of a series of growing global regulatory actions requiring organizations to act on ESG hazards in their supply chains.

Global supply chains could be significantly impacted by the new law, since Xinjiang is one of the world’s largest producers of cotton as well as polysilicon, which is used to manufacture solar panels.

These growing regulatory dynamics are creating a new urgency to comply with the UFLPA and the many other anti-supply chain washing laws being passed around the world. In their enforcement strategy, US Customs and Border Protection (CBP) specifically cites supply chain washing as a concern, stating that “manufacturing processes and multi-tiered supply chains can further obscure the use of forced labor inputs by incorporating them into legitimate manufacturing processes… Such goods could then be exported from a third country to the United States as a means of obscuring or “laundering” the importation of tainted raw materials from Xinjiang.”

The shifts require organizations take a multi-pronged approach to reduce related supply chain risk.

UFLPA Forces Extra Due Diligence and Required Documentation

  1. To comply with the law and overcome the rebuttable presumption, importers with exposure to Xinjiang or need to be implement a heightened due diligence process for supply chain tracing. The UFLPA requires a significant, risk-based supply chain diligence program, including a written code of conduct, an ongoing monitoring and compliance program and plans on how to remediate violations. The evidence required to demonstrate supply-chain tracing is extremely detailed and requires very extensive mapping and documentation.
  2. A substantial portion of CBP’s guidance focuses on prioritizing “cutting-edge technologies to identify and trace goods made with forced labor, specifically those technologies that support enhanced visibility into trade networks and supply chains that source goods or materials made with forced labor.”
  3. The Forced Labor Enforcement Task Force (FLETF) has issued detailed guidance on “due diligence, effective supply chain tracing, and supply chain management measures” aimed at avoiding the importation of goods produced with forced labor in Xinjiang. CBP points to the Department of Labor’s Comply Chain as a template for a compliant due diligence program.
  4. Supply chain leaders should only expect the need for compliance to rise with future guidance, as CBP makes clear in their release of intent to gather “foreign corporate registry data to map the structure of multinational companies and their global corporate networks.”

Anti-Supply Chain Washing Laws are On the Rise Globally

The UFLPA is far from the only sign that global regulators are cracking down on supply chain washing.

The US Securities and Exchange Commission has proposed rules to dramatically increase ESG disclosure requirements, and is taking a much stricter approach towards enforcement, probing large investment firm’s so-called sustainability funds

Take the example of S&P: In late March S&P settled allegations that it violated U.S. sanctions on Russia when it continued to extend credit to Rosneft, the country’s leading oil and gas company. Or examine recent incidents where components sourced in the UK and Germany were found in Russian warfare machinery being used against the people of Ukraine.

It’s simply not enough to know just who is in your supply chain and what they are doing. You also need to know about where your own products end up.

Supply Chain Washing Can Occur Anywhere

Xinjiang is far from the only area of the world generating concern over supply chain washing:  On June 29, the Financial Times published a story highlighting evidence that strongly suggests that Russia may be using concealed/intentionally mislabeled shipments to export stolen grain from Ukraine through already-sanctioned ports in Crimea. Authorities admit confirming whether or not these shipments contain looted grain is difficult, and that ships containing sanctioned goods will often directly transfer cargo to other vessels once at-sea to avoid detection.

Despite these difficulties, accepting shipments of potentially sanctioned goods creates massive risk for large companies. In an interview with the Financial Times, Aline Doussin, a partner at Hogan Lovells, stated that even companies in locations that have not directly placed sanctions on Russia “might find that large multinational companies from those places stop trading with them over concerns that they were indirectly trading with sanctioned entities.”

German Law Shows Trend in Supply Chain Accountability 

Germany’s Supply Chain Law takes effect January 1, 2023. That law requires any company doing business in Germany to vet both their direct (Tier 1) and indirect (Tier 2) suppliers for compliance with core human rights and environmental protection measures – or face fines of up to 2% of their global revenue.

In analyzing companies subject to the German law, Interos found approximately 53% have problematic ESG scores using a proprietary scoring method that dynamically assesses an organization’s risk.

Although other European Union member countries are not yet in agreement on the terms of such legislation, it is likely the E.U. will follow with similar anti-supply chain washing laws in the near future.

ESG Supply Chain-related Disruptions Remain Expensive

The Interos 2022 Annual Global Supply Chain Report revealed that ESG-related issues currently cost companies, on average, $35 million per year – and those costs will rise as more anti-supply chain washing laws are enacted.

But many aspects of global supply chains are complex and opaque: most organizations only have visibility of their first- and second-tier suppliers.

Almost one-third (30%) of respondents to Interos’ annual survey said they would only know about an ESG violation in their supply chain if it occurred at their first tier of suppliers – not beyond.

Awareness of ESG issues in a company’s supply chain is no longer optional. Ignorance is not only costly financially and reputationally, but it can also put a company out of compliance with governmental regulations

Organizations must prepare for increasing scrutiny of ESG risks in their supply chains

The UFLPA is just one piece of a growing body of global legislation aimed at cracking down on unsound business practices, and the supply chain washing measures used to conceal them.

With new regulations being implemented every day, the already-high cost of noncompliance and poor supply chain visibility is only going to rise – but most organizations still report limited visibility of their suppliers, and a majority have ESG scores indicating noncompliance with some emerging laws.

Organizations will need to invest in capabilities and tools that give them continuous visibility over their direct and indirect suppliers and buyers. CBP’s guidance specifically states that the organization will invest in “enhanced supply-chain tracing technology that can connect imported goods to Xinjiang and other parts of the world at high-risk for forced labor. CBP also plans to invest in advanced search engines that may allow CBP to link known or suspected forced labor violators with their related business structures and transactions.”

As mentioned, Interos is adding the 20 entities named in Monday’s guidance to our automatically monitored entity list. We will continue to update our platform to assist with UFLPA compliance.

When it comes to sustainability and supply chain washing, the tide is clearly turning. Businesses that invest in powerful technology solutions and build robust compliance programs will be able to embrace this change with open arms. Those that ignore this wave of change, do so at their peril.

How Interos Can Help

The video below shows how Interos customers can quickly check their exposure to Xinjiang and the companies sanctioned in the UFLPA with just a few clicks – and how to setup continuous monitoring groups to receive alerts should their risk exposure change.

Russia Natural Gas Exports, Gazprom, and Europe: Energy as a Foreign Policy Weapon

By Trevor Howe

As the Russian invasion of Ukraine continues, one of the biggest global impacts is unfolding through Russia’s natural gas exports — or the potential lack thereof. Namely, the relationship between Europe’s gas supply and Gazprom, a Russian state-owned enterprise (SOE), is a critical concern. 

In late March, Russian President Vladimir Putin announced that natural gas deliveries from Public Joint Stock Company (PJSC) Gazprom would need to be paid for in rubles by “unfriendly states.” Notably, this decree contradicted an overwhelming majority of contracts (97%) that European companies already signed with Gazprom (and its subsidiaries or affiliates), which stipulated that Russia natural gas exports would be paid for in either euros or US dollars. According to the demand, buyers of natural gas would have to open accounts with Gazprombank and pay for deliveries in euros which would be converted into rubles. 

While this could be interpreted as a breach of sanctions by some, the European Commission clarified that this process would not constitute a breach of sanctions so long as companies declared their contractual arrangements complete when payments were made in the agreed-upon currency in existing contracts.

Cutoffs to Bulgaria and Poland of Russia’s Natural Gas

Despite this existing route for sanctions regime compliance, both Bulgargaz EAD in Bulgaria and Polskie Górnictwo Naftowe i Gazownictwo S.A. (PGNiG) in Poland rejected Gazprom’s new payment process. Notably, both had already decided not to extend long-term contracts with Gazprom, leading the Russian SOE to announce on April 27 that it would no longer facilitate natural gas flows to either county. However, because these markets were closing at the end of the year, this was widely interpreted as a low risk “shot across the bow” to demonstrate that the Kremlin was willing to act on its threats. Other current Russian threats include the further deployment of nuclear weapons in response to Western efforts to aid Ukraine and the potential for an expansion of the North Atlantic Treaty Organization (NATO).

American and European officials have highlighted the Kremlin’s operationalization of energy as a foreign policy weapon to attain desired geopolitical aims or influence through thinly veiled blackmail and coercion. To decouple from its reliance on Russian energy and build structural supply chain resilience, the European Commission has prioritized identifying and switching to non-Russian energy suppliers in the wake of Russia’s invasion of Ukraine. However, shifting supply sourcing presents itself as a technical, long-term process requiring reliance on infrastructural capacity that has not yet been developed both in Europe and countries like Algeria, which can supply the continent with liquefied natural gas (LNG) alternatives. A report published in April by the Interos Business Analyst Team has taken a closer look at this issue.

Gazprom, Europe’s Gas Supply, & Compliance with the New Payment Process

To cope in the meantime and to avoid further significant disruptions to global supply chains, several European companies have opted to comply with Gazprom’s new stipulations for the sale of Russia natural gas exports. Although a complete list of companies to open accounts with Gazprombank has not yet been made publicly available, the Deputy Prime Minister of the Russian Federation, Alexander Novak, stated the public will receive a new list in the coming days. 

The Deputy PM stated that of the 54 European companies that Gazprom supplies, “about half of them have already opened accounts [in Gazprombank], one in foreign currency and one in ruble.” Companies which appear to have complied with the demand of payment for natural gas in euros to be converted into rubles include:

Company of Interest  Interos Resilience ID 
MVM CEEnergy Zrt.   N/A 
VNG Handel & Vertrieb GmbH   17e1344f-c114-4b18-ad1d-92ab80ca13fa  
RWE Supply and Trading GmbH   e28c889e-f99d-46f8-b126-2a2f9f5f0e33  
Uniper SE  78e28c84-a3eb-497d-a49b-752ca0e8d4f0  
Engie S.A.  ae88735a-4b96-451e-9d29-337da235b8cb  
Eni S.p.A.  210942de-5153-4b0c-a677-5c15d315b4a6  
OMV Gas Marketing & Trading GmbH  eb656a9d-b5c1-4f0e-999d-ea8d9d72d751 
ČEZ, a.s.   2e644251-5a5f-4a43-9e7a-d6713567352d  
Slovenský Plynárenský Priemysel (SPP) a.s.  78e574c5-e46e-4fcb-87bb-f2e885f1bda6 
Geoplin d.o.o. Ljubljana  b28f227a-29ce-43a9-a656-acbba73c6640 
DEPA Emporias S.A.   7fb8ca3c-96f8-483e-8116-773eb787559c 
Mytilineos S.A.  4f64a2d9-fc88-4da0-b08d-7853638f0b8a 
Public Power Corporation (PPC)  1f574b1c-ed79-4ba4-9801-59a0ebc2ba1f 
Prometheus Gas S.A.  11df5809-bf6a-40d5-95f7-db9b4c64d472 

Non-Compliance with Gazprom’s New Payment Process 

On the other side of the Gazprom Europe gas supply issue, the group of companies that have thus far refused to comply with Gazprom’s current ruble payment demand is under threat of natural gas cutoffs. On May 21, Russia suspended flows to Gasum Oy in Finland after a payment dispute. Clear geopolitical undertones were on display as Finland, in conjunction with Sweden, officially applied for membership to NATO just three days prior on May 18. 

While Finland relies heavily on Russia for imports, natural gas only accounts for approximately 5% of the country’s annual energy consumption. While this limits the effect of the shutoff, industrial sectors rely on the energy source heavily. Chemical companies like Neste Oyj, forestry companies like Metsa Board Oyj, and other Finnish companies in the food industry will need to secure alternative sources to avoid disruptions.

Shortly thereafter on May 31, Gazprom announced additional flow shutoffs to three more European companies who refused to comply with ruble payment demands. Those were:

Company of Interest  Interos Resilience ID 
GasTerra B.V.   3f761976-6724-4ecf-9c34-ca8636616451 
Ørsted AS   7e7c3b7a-b2ef-46d1-af99-a476afac9c2f 
Shell Energy Europe Limited   dbba945b-d763-4bc3-aba0-1782bbc66086 

Companies of Interest

GasTerra B.V. is a partial Dutch SOE, Ørsted AS is a Danish energy company focused on sustainable energy through wind and solar farms, and Shell Energy Europe Limited is a UK-based supplier whose recent cuts will deprive German buyers of 1.2 billion cubic meters per annum (bcma) of natural gas.

According to Eurostat, in 2020 the Netherlands relied on natural gas for 37.6% of its total energy consumption, importing 45% of consumed gas to meet demand. Of that 45%, roughly 30.3% came from Russia. Although this has exposed the country to vulnerabilities from Russian supply, the country appears to be taking steps to lessen industrial reliance on natural gas and to fill storage facilities ahead of next winter to 70% levels to avoid supply gaps.

While Denmark has experienced natural gas shutoffs, the country does not appear to import from Russia directly. Instead, according to Eurostat in 2020 Denmark imported 99.9% of natural gas from Germany, a country that imported 66.1% of its gas from Russia. While natural gas consumption in Denmark accounted for approximately 12% of total energy consumed in 2020, the country plans to quadruple green power production by 2030. This will boost green gas and temporarily hike domestic natural gas production to offset Russian imports as the country phases out natural gas.

Companies at Risk of Cutoffs from Gazprom

  • Companies that refuse to comply with Gazprombank’s new payment process.
  • Companies located in countries or territories the Kremlin deems “unfriendly.”
  • Companies with Gazprom supply contracts that expire this year which they have not extended or renewed.

Along with these metrics, one example of a company under potential threat of a cutoff from Russian natural gas exports is Edison S.p.A., an Italian company with a Gazprom contract for 1 bcma that expires this year. It appears the company will not seek to renew. As part of the European Union (EU), Italy is included in the Kremlin’s unfriendly states list. Edison also appears to be shifting away from Russian natural gas in favor of American LNG with a deal the company signed in 2017 to supply 1 million tons per annum from the Calcasieu Pass LNG export facility in Louisiana.

According to Interos data, Edison S.p.A. is a direct supplier for 69 companies worldwide. Although the company anticipates deliveries from Calcasieu soon, commercial operations from the Louisiana facility are not expected to begin until Q4 2022 or Q1 2023. Were cutoffs to occur soon against Edison, its operations could be disrupted for weeks if the company cannot secure interim supplies quickly. Therefore, this scenario could have adverse ripple effects in the supply chains that connect to Edison. In the case of cutoffs to Bulgaria and Poland, Gazprom already demonstrated its willingness to forgo a couple of months of revenue from a single buyer they would lose anyway to gain credibility to reinforce Gazprom’s threats against European gas supplies.

Cutoffs to Italy from Russia would be significant. In 2020, natural gas accounted for 40.5% of all energy consumption in the country, the highest of all EU countries. In the same year, Italy was 92.8% reliant on natural gas imports, 43.3% of which came from Russia. This dependence underscores the country’s vulnerability to any Russian gas shutoff, making the Gazprom Europe gas supply crisis more pressing. 

Natural Gas Consumption, Imports, and Russian Reliance of EU States

In 2020, the EU’s energy mix consisted of 35% oil and petroleum products, 24% natural gas, 17% renewables, 13% nuclear energy, and 11% solid fossil fuels. Natural gas is a significant fuel for electricity production and household heating, and it also serves as a vital input to multiple highly energy-intensive manufacturing sectors. Of all energy sources, natural gas is the fuel with the highest exposure to imports from Russia. In 2020, the EU received 46% of its natural gas imports from Russia to satisfy 41% of gross available energy derived from natural gas.

 

Meanwhile, regional production has played a diminishing role in satisfying European natural gas needs over the past decade, which has made Gazprom’s disruption of European gas supply more urgent. From 2010 through 2020, natural gas production in the EU and the UK declined by more than 50%, from 18 billion cubic feet per day (Bcf/d) in 2010 to 9 Bcf/d in 2020. This significant decline has resulted from resource depletion and government initiatives to fully phase out natural gas production in favor of other sources such as solar and wind.

As a result, Italy is not alone in its vulnerability to vacillations in the Russian natural gas supply; in 2020, Russian natural gas exports served as 25% or more of overall natural gas imports for at least 16 EU countries, according to Eurostat.

Currently, Romania imports less natural gas than most other EU countries. Moreover, the development of the Black Sea gas fields would make Romania the European Union’s biggest natural gas producer. In 2020, Romania published a new strategy document emphasizing an increase in gas-fired power generation across the country, mainly as an implicit shift from coal to natural gas in the power generation sector.

 

While the EU has yet to target Russian natural gas in its waves of sanctions, the bloc has recently agreed to an embargo on Russian crude oil imports that will take effect by the end of 2022. The ban aims to halt 90% of imports by the end of the year, but to achieve required consensus the ban notably provided carveouts to Hungary, Slovakia, and the Czech Republic. Bulgaria was also given an exemption which will last until the end of 2024. 

All four countries have an entrenched reliance on Russian exports of oil and natural gas, which is why they originally resisted the EU ban, citing severe economic consequences. Exemptions for these four countries comprise the remaining 10% of imports not covered by the ban. Moreover, the effort revealed divisions within the bloc on the issue of Russian sanctions, which could be exacerbated were Russian natural gas to be targeted next.

Perhaps the most significant progress in weaning off Russian gas can be seen in the Baltic States. Lithuania became the first European country to stop using Russian gas entirely. Although heavily dependent upon Russian gas, Latvia moved to end its reliance by the end of 2022, and Estonia’s government has likewise motioned to stop imports by the end of 2022.

Natural Gas-Intensive Industries at Risk of Disruptions

Several highly energy-intensive manufacturing sectors rely predominantly upon natural gas as the main energy carrier and thus particularly are exposed to inflated production costs in times of constrained supply. Those increased costs could serve as financial barriers to operations. 

High energy-intensive sectors relying on natural gas include:

  • Manufacture of clay building materials
  • Manufacture of pulp, paper, and paperboard
  • Manufacture of glass and glass products
  • Manufacture of basic iron and steel and of ferro-alloys
  • Manufacture of man-made fibers
  • Manufacture of refractory products
  • Manufacture of basic chemicals, fertilizers and nitrogen compounds, plastics, and synthetic rubber in primary forms (In 2016, nitrogen fertilizer plants were the most natural gas intensive plants)
  • Manufacture of abrasive products and non-metallic mineral products n.e.c.
  • Manufacture of other porcelain and ceramic products

A recent report published by the Interos Business Analyst Team already identified that within German industry, chemical manufacturers, in particular, would be vulnerable to constrained supplies of natural gas in the event of further cutoffs affecting the country. German industry is already bracing for gas rationing as government policies have given priority to households in the event of constricted supply.

Other countries that could be vulnerable to disruptions in the event of constrained supplies of Russia natural gas exports include:

Austria

In 2020, Austrian industries accounted for 41% of natural gas consumption, up from 36% in 2010, with power plants accounting for 26%. With a current 80% reliance on Russia for natural gas, Austrian industries would be devastated if taps were to be shut off abruptly. The Austrian paper milling industry in particular is dependent on natural gas for 35% of energy needs, which, if disrupted, would also have negative supply chain effects for paper-based hygiene products. Thus far, the Austrian company OMV has complied with Gazprom’s new payment scheme to avoid flow disruptions to Europe’s gas supply.

Romania 

In 2019, Romanian industries accounted for 36.1% of natural gas consumption. The following year, Romania’s top exports were vehicle parts, cars, insulated wire, electrical control boards, and rubber tires, which could be undermined with constrained gas supply. Romania’s energy minister, Virgil Popescu, stated that the Romanian state does not have direct contracts with Gazprom, but rather natural gas is supplied to the country by intermediaries who bring in Russian gas.

Concluding Remarks on Russia’s Natural Gas Exports

LNG alternatives will be crucial in achieving the bloc’s goal of weaning off reliance on Russian natural gas. Europe has been the top export destination for American LNG for the past several months amid Russia’s invasion of Ukraine. However, American LNG exports will not completely replace Russian gas, and ramping up LNG production and exports comes amid pushback from those citing climate concerns that could deviate the current administration from its stated goals.

To provide insights amidst an environment of uncertainty, the Resilience Analytics portion of the Interos Resilience platform can highlight suppliers that are vulnerable to a Russian energy shutoff. This portion of the platform is linked directly with our data lake and allows users to filter their three-tier ecosystem by entity name, location, industry, or risk scores. Using these filters, platform users can identify which suppliers are direct or indirect Russian energy consumers. Once these connections are found, the data can be exported as an image, .pdf, or raw data extracted to be analyzed and viewed outside the Resilience platform. To learn more about Interos, visit interos.ai.

The US Government’s Cyber Supply Chain Warning

By Stuart Phillips & Geraint John

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has urged government and commercial organizations to patch vulnerable software and IT systems more rapidly in response to a flurry of malicious attacks against the cyber supply chain.

Last week, CISA issued an emergency directive requiring all federal civilian agencies using VMware’s Workspace ONE Access and other products to either patch or disconnect these systems by 5 p.m. ET this past Monday.

Separately, CISA also warned that hackers were actively targeting unpatched versions of F5 Network’s BIG-IP systems used to manage network traffic.

These new alerts join several others issued in recent weeks regarding cyber supply chain risks.

Earlier this month, CISA and other national cybersecurity agencies warned that managed service providers and their customers were at a heightened risk of attack. In late February, CISA issued a wide-ranging “Shields Up” advisory in the wake of Russia’s invasion of Ukraine, warning that malicious cyber activity was likely to increase.

VMware and F5 vulnerabilities exposed

Commenting on one of these vulnerabilities, CVE 2022-22954, cybersecurity firm Mandiant said: “An attacker could exploit this vulnerability to perform a server-side template injection… An attacker would need to send a specially crafted request to the vulnerable system. A failed attempt at exploitation could potentially cause a crash of the application, resulting in a denial-of-service condition.” 

On April 13, VMware confirmed the exploitation of this vulnerability in the wild. On April 25, The Hacker News reported that a threat actor known as “Rocket Kitten” actively exploited this vulnerability to deploy the Core Impact penetration testing tool on vulnerable systems. 

Mandiant Threat Intelligence wrote that they consider this “a high-risk exposure due to the potential for arbitrary code execution with no user interaction required.”

VMware issued patches for this and other vulnerabilities in April and released additional fixes last week. CISA’s emergency directive suggests that many organizations have not quickly updated their systems.

And it’s not just government agencies that are at risk from these supply chain risks. 

“We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks,” CISA said late last week.

Vulnerabilities extend into the cyber supply chain 

There are many reasons why organizations fail to update their software and hardware fast enough, but budget and staffing shortages are primary.

Proactive Chief Information Security Officers (CISOs) can quickly discover if they have an installed vendor with security issues and schedule patches or updates to mitigate the problems. 

The real challenge is knowing whether their cyber supply chains have critical suppliers or partners using compromised systems and then taking steps to address those vulnerabilities. 

An analysis of Interos’ global relationship mapping platform data reveals the scale of the challenge: 

  • 1,239 companies were identified using VMware’s Workspace ONE Access or F5’s BIG-IP products.
  • 88 of these companies use both vendors.
  • Of the top five direct buyers, more than half (58%) were U.S.-based and more than one-quarter (29%) were in the IT software and services sector.
  • The U.K., Canada, Australia, and India are also home to major direct buyers, with banks, consumer services firms, and healthcare providers.

Looking further upstream into the extended cyber supply chain:

  • The 1,239 companies using the affected VMware and F5 products directly supply more than 98,000 customers in the U.S., U.K, Germany, Canada, and other countries.
  • These 98,000-plus firms, in turn, do business with more than 600,000 firms at Tier 2. 

Mandiant’s 2022 M-Trends report, published last month, found that supply chain intrusions were the second most prevalent form of attack in 2021.

Almost one-fifth (17%) of intrusions involved a supply chain compromise – up from just 1% in 2020. The vast majority of these attacks were related to the SolarWinds breach

Last week, cybersecurity firm SentinelOne published an analysis of a new supply chain malware attack against the Rust development community.

CISOs must monitor supply chain risks

Predicting the next supply chain cyber-attack or disruption is a dark art. However, being aware of all your suppliers and their connections may give you a better chance to understand weaknesses in your cyber supply chain and mitigate risks. 

Gone are the days when sending a survey to a supplier every two years and asking only about cyber risk was a practical approach. 

The best CISOs actively contribute to operational resilience by continuously monitoring their entire supply chains for multiple types of threats – including vendor financial weakness – using a risk mapping and scoring solution such as the one developed by Interos. 

To learn more about Interos, visit Interos.ai

Redesigning Global Supply Chains to Build Greater Resilience

By Geraint John and Margaret D’Annunzio

The ongoing litany of supply chain disruptions is prompting many organizations to redesign their global supply networks to build resilience. New research published this week by Interos found that almost two-thirds (64%) of executives said their organizations planned to make “wholesale changes” to their supply chain footprints.

And it’s not only business leaders that are focusing on the need for greater supply chain resilience.

Heavyweight economic and political institutions are also weighing in on the issue and proposing a variety of (sometimes conflicting) solutions – as evidenced by two recent reports from the International Monetary Fund (IMF) and the U.S. government.

The latter’s “Economic Report of the President,” (Economic Report) published in April, devotes an entire chapter to “building resilient supply chains.”

This portion of the Economic Report robustly analyses the evolution of modern supply chains and discusses some of the failures associated with firms’ and countries’ increased reliance on outsourcing and offshoring.

The Economic Report suggests that some of main reasons for supply chain globalization since the early 1990s are: Greater access to foreign suppliers through IT advances and lower trade barriers; government subsidies for key manufacturing sectors; and short-term financial incentives for top executives.

It argues that although COVID-19 exacerbated supply chain risks and made them more obvious, the pandemic did not create the majority of vulnerabilities, nor will its end abate them.

“Because of outsourcing, offshoring, and insufficient investment in resilience, many supply chains have become complex and fragile,” the report notes.

Shining a Light on Concentration Risk

Interos’ own research found that concentration risk is of particular concern to senior supply chain executives. Almost 9 out of 10 of the 1,500 procurement, IT and IT security professionals surveyed by Interos in the first quarter of 2022 agreed they had too many suppliers located in one area of the world.

Concentration is a Big Concern

“My organization has too many suppliers concentrated in one area of the world and this is of concern to us”

n=1,500; Source: Resilience 2022: The Interos Annual Global Supply Chain Report 

The White House report cites several examples of highly concentrated supply chains:

  • Taiwan (and its dominant manufacturer Taiwan Semiconductor Mfg. Co. [TSMC]) produce 92% of the world’s supply of advanced semiconductors
  • China manufactures 73% of lithium-ion batteries and has a 97% global market share of ingots and wafers used to make solar panels
  • China also has a dominant position in the battery raw materials: lithium and cobalt, of which it refines 60% and 80% of global supply, respectively

Recent analysis of Interos’ global relationship mapping database found that while TSMC, as a contract manufacturer to the semiconductor industry, has a relatively small number of direct customers in the U.S. and Europe (Apple being the largest), its importance at tiers 2 and 3 is enormous.

And a new Interos report on rare-earth elements (REE) – which are also important inputs to computer chips and electric vehicles, among other products – noted that China controls 84% of the global market, with over 100,000 U.S. companies and more than 50,000 European firms having the top 21 Chinese REE suppliers in their extended supply chains.

Will Reshoring Really Bring Resilience?

One potential solution to fragile and concentrated global supply chains that gets plenty of airtime is reshoring production back to “home countries”.

Respondents to Interos’ annual survey said that, on average, they expected to reshore or nearshore around half (51%) of foreign supplier contracts in the next three years.

The White House’s Economic Report argues that “at least some domestic production of critical goods” such as semiconductors and batteries is required – in part for national security reasons.

However, the IMF, in its equally detailed analysis, takes a somewhat different view, noting that, on average, 82% of Western firms’ intermediate inputs are already sourced domestically. It argues that “policy proposals to reduce dependence on foreign suppliers, especially in strategic sectors… may be premature, if not misguided.” Instead, the IMF advocates greater diversification in international sourcing – that is to say, increasing the number of suppliers and locations used.

Interos’ survey findings appear to support this view, with more than 60% of executives saying their organizations plan to increase the number of firms in their supply chains over the next three years, compared with 15% or less that expect to reduce them.

Supplier Diversification is Happening

How the number of companies in organizations’ supply chains will change

n=1,500; Source: Resilience 2022: The Interos Annual Global Supply Chain Report 

 

Even if managers do successfully make the business case for bringing product manufacturing back onshore, they still face a number of challenges – not the least of which is developing a local supply base.

French sportswear brand Salomon is a case in point. It decided to make its running shoes in a highly automated plant in France after many years operating in Asia, but found it was still reliant on suppliers of soles and other parts in China and Vietnam.

Improving Supply Chain Visibility & Resilience

Despite their differences, the IMF and White House reports do agree on some things. Chief among these, perhaps not surprisingly, is the need for government policy to support companies in their resilience-building efforts.

Interventions include:

  • Improving transportation infrastructure, such as major ports
  • Reducing international trade costs, and in particular non-tariff barriers
  • Convening and coordinating firms to develop standards and find industry-wide solutions
  • Aggregating and disseminating data that help companies better understand their supply chains

On this latter point, both reports emphasize the importance of supply chain visibility.

“Visibility into supply chain relationships is necessary to identify vulnerabilities in supply chains, so that firms can properly plan for disruptive events,” notes the White House report.

Interos’ survey found overwhelming support among executives for technology to solve this problem.

Although less than a fifth said their organizations were already using intelligent, automated solutions to understand interdependencies at multiple tiers, three-quarters expected to have such technology in place within the next 12 months.

To download a copy of Resilience 2022: The Interos Annual Global Supply Chain Report, click here.

Impact of European Dependence on Russian Natural Gas

Ripple effects from the war in Ukraine continue to threaten global stability and expose European dependence on Russian gas. 

Last week, Russia officially halted natural gas exports to Poland and Bulgaria, a major turn of events given Europe dependence on Russian gas. The two countries declined to meet President Vladimir Putin’s mandate that customers pay with rubles held in Russian-owned banks in order to continue receiving Russia natural gas.

This is seemingly a tit-for-tat continuation of ongoing economic warfare. Poland had just extended sanctions on 50 Russian oligarchs and companies, including Gazprom, which informed the countries of the natural gas suspension. 

As the humanitarian catastrophe in Ukraine continues unabated, this is simply the latest example of the second-order effects stemming from Russia’s invasion that will continue to propagate across the globe.

Russia Natural Gas Concentration Risks

Russia supplies more than 90% of Bulgaria’s gas needs. Poland is less dependent, having invested in infrastructure in a liquified natural gas (LNG) terminal years ago. Later this year, the “Baltic Pipe” will open, bringing Poland more natural gas from Norway and helping to reduce Europe dependence on Russian gas. 

Russia accounts for 40% of EU natural gas, a dependence that has prompted many European countries to begin weaning off Russian gas to various degrees. In March, the European Commission announced a plan to cut Russia natural gas imports by two-thirds by the end of the year. As European Commission President Ursula von der Leyen explained, “We simply cannot rely on a supplier who explicitly threatens us.”

Russia has thus far only “suspended” gas delivery to Bulgaria and Poland. Still, these initial suspensions haveraised the alarm across the region that Russia may continue to make good on its threats. This concern – and dependence – varies significantly across Europe, as Europe dependence on Russian gas is not uniform across the continent. 

Poland and Bulgaria rank sixth and twelfth among European buyers of Russian natural gas. Germany, Turkey, Italy, France, and Austria were the top recipients during the first half of 2021. European allies and those Putin has labeled “unfriendly countries” have prioritized resilience in expectation of future suspensions.

Collective Resilience in the Face of Europe Dependence on Russian Gas

Part of the European Union’s ongoing plans to diversify its natural gas supply chain includes importing from reliable sources, such as strengthening imports from Norway, where it gets 16.4% of its natural gas, and expanding natural gas imports from the U.S. In March, the Biden administration announced that the U.S. would ship an additional 15 billion cubic tons of LNG to Europe through the rest of the year. While questions remain on accomplishing the logistics behind this commitment, it is yet another sign of the deepening unity across Europe, the U.S., and global democracies in light of Russia’s invasion of Ukraine.

This increase in unity will likely be necessary to offset the unintended ripple effects of Russia’s foreshadowed cutoffs. While Bulgaria and Poland are not considered essential global trading partners by many metrics, a closer look at global supply chains reveals more about American and European dependence on Russian gas.

Interos analyzed U.S. and European (EU+UK) reliance on Bulgaria and Poland, mapping connections to those countries. While direct (Tier 1) connections were unsurprisingly low, Tier 2 and Tier 3 connections expanded into the hundreds of thousands.

For comparison, our analysis of U.S./EU reliance on Russia and Ukraine found that more than 190,000 firms in the U.S. and 109,000 firms in Europe have Russian or Ukrainian suppliers at Tier 3. Many EU and U.S. firms rely on Poland and Bulgaria once accounting for sub-tier supply chains. This suggests that cutting off Russia natural gas may have wider-ranging implications than expected. 

As is true across the broad range of supply chain shocks over the last few years, the challenges are too widespread and complex for any single organization or government to solve on its own. Bulgaria has been in talks with Greece and Turkey to cut its dependence on Russia for LNG, with Greece publicly offering recent support to Bulgaria. While the gas suspension intends to weaken resolve across Europe and its allies, it likely will continue to have the reverse effect. With Germany halting the Nord Stream 2 natural gas pipeline earlier this year and dropping opposition to a Russian oil embargo, this latest gambit by Russia likely will only deepen ties and accelerate efforts to phase out dependence on Russian natural gas and other commodities.

Looking Ahead: Global Ripple Effects

Despite these efforts, there are concerns of stockpiling that could drive up natural gas prices across the globe, prices that are already spiking. In the U.S., natural gas prices hit a 13-year high in April. At the same time, European gas storage hit a five-year low at the end of the winter and continues to rise following Russia’s suspension of Bulgaria and Poland. In preparation for winter demand, energy rationing could also stunt economic growth, persist inflation, and potentially instigate a recession.

Many are forecasting continued volatility in the natural gas market throughout the year, due in part to Europe dependence on Russian gas, and concerns over additional supply chain disruptions continue to grow. 

For instance, a brief analysis of U.S. companies with Tier 1 suppliers in Bulgaria and Poland quickly highlights almost 8,000 companies, which quickly expands to well over 200,000 companies with Tier 3 connections to those countries. 

Those numbers are slightly smaller for European companies, with almost 4,000 companies having Tier 1 connections and about 180,000 with Tier 3. 

Russia’s suspension of natural gas to Bulgaria and Poland has instigated uncertainty within the environmental, social, and governance (ESG) investment market. The U.S. commitment to increase LNG supplies to Europe may come with externalities, including investing in the LNG import and export terminal infrastructure required to export LNG at scale. These LNG investments require capital, which ESG investor groups often deny in favor of clean energy investments. Those priorities may shift to meet this commitment so as to reduce Europe dependence on Russian gas. That said, as part of its decoupling from Russian energy sources, the E.U. could more quickly expand investments in renewable energy to meet its net-zero commitments. 

Finally, suppose the “unfriendly countries” continue to deepen their resolve in support of Ukraine. In that case, Russia not only may extend the natural gas suspensions as part of the ongoing tit-for-tat economic warfare, but the Putin regime may accelerate and expand its hybrid warfare, resulting in the need for improved cyber supply chain risk management. Microsoft’s recent report highlights the malicious cyber activity of six state-linked actors and 237 operations against Ukraine. As NotPetya illustrated, Russia’s targeted activity has a history of spreading into the wild. There also are growing concerns about military expansion beyond Ukraine. Explosions in the Transnistria region heighten fears about violence spilling over into neighboring countries. The instability could also extend to North Africa and the Middle East due to grain shortages – especially wheat – and those regions’ dependence on Ukraine and Russia. They together supply more than a quarter of the world’s wheat.

The suspension of natural gas to Poland and Bulgaria, coupled with the ongoing invasion and other humanitarian crises, are prompting more swift diplomatic action and movement toward energy diversification than has occurred in previous decades. As International Energy Agency Executive Director Fatih Birol explained, “Nobody is under any illusions anymore. Russia’s use of its natural gas resources as an economic and political weapon shows Europe needs to act quickly to be ready to face considerable uncertainty over Russian gas supplies next winter.” 

Click here to download a new Interos white paper that further explores Europe’s dependence on Russian natural gas: Report: Analysis of Russian Natural Gas in Europe – Interos.  Then, to learn more about how the Interos platform can help you stay aware of risks, visit interos.ai

 

The Three Supply Chain Tasks for a CISO

Managing supply chain security and mitigating attacks has become critical for Chief Information Security Officers (CISOs)

As we outline below, Interos has found three main tasks that CISOs must lead to protect their organization’s supply chain and improve overall visibility.

Incident Response – Dealing with a supply chain attack.

SolarWinds, Kaseya, Log4J, and other supply chain attacks have grabbed the headlines. A CISO must prepare for the next event without knowing its type, motive, or origin. SolarWinds had no cyber warning indicators before its major breach. All the firewalls, agents, policies, and other traditional tools would not have prevented this type of attack since SolarWinds had complete access to the network.

CISOs need to determine if they are at risk when these attacks happen. The traditional method for risk management is to send surveys to all suppliers and third parties. Unfortunately, since most CISOs do not have visibility into their supply chains, they must start from scratch. Hopefully, they have a third-party assessment tool, but often the CISO must get a list of suppliers from procurement. This list usually only includes the first tier of suppliers. While waiting for the surveys to be completed and returned, the organization remains exposed to the threat. This means that the CISO cannot readily confirm to leadership that the threat has been mitigated, often for weeks or months.

The Interos operational resilience platform continually maps, monitors, and models an organization’s extended supply chain. When new attacks happen, Interos alerts customers so they can strategize a reaction to the threat. It takes a few seconds to discover where the affected supplier resides within the supply chain and how it connects to the organization. A CISO using Interos can start mitigation efforts almost immediately, which reduces the time before confidently reporting to the C-Suite that they have resolved the problem.

Proactive Assessment – Auditing the supply chain.

An unhealthy supply chain can cause tremendous problems for an organization.

The CISO’s role is to protect the organization and they must understand the health and potential risks of their supply chain. Organizations should not trust a supplier with poor cyber hygiene. They should also look to replace any equipment supplier who has gone bankrupt or out of business. Even if the technology works, the manufacturer can no longer provide updates and patches for future cyber vulnerabilities.

Continually assessing and monitoring the extended supply chain can be difficult or impossible without the proper tools. A CISO can lessen the damage or prevent supply chain attacks if they know where to focus their efforts. However, most are blind to potential problem suppliers.

The Interos operational resilience platform continually assesses and monitors the extended supply chain, integrating six risk factors to come up with a comprehensive score. A CISO can use this information to focus on the worst offenders in each category, getting the best result for their efforts. A CISO can also understand if the suppliers are subject to US, UK, or EU sanctions or restrictions, which may cause business problems. With Interos, the CISO can be proactive and improve their supply chain’s health, reducing incidents and supplier churn in the future.

Supplier Onboarding

Vetting of new suppliers for cyber risk is a task often given to CISOs. There is often pressure on the CISO to complete the assessment quickly if the new supplier is deemed acceptable already by management. Since requests to vet a supplier are random, it is impossible to schedule. Knowing that a new supplier is at a high risk for cyber issues is critical to ensuring a company’s data security.

Getting new supplier information is traditionally done by sending them a survey with questions or asking for the results of a recent SOC audit. Often the surveys take a long time to complete and return. While a security operations center audit is preferable in most cases, it can be costly to conduct.

The Interos operational resilience platform uses public and private data sources combined with one of the largest business relationship data lakes to build a viable picture of an organization in a few minutes. The CISO can enter the company name and create a helpful report without sending and waiting for the return of surveys. The Interos analytics engine can provide insight into the supplier in all six risk categories, location, and other relevant data. This approach can enable a CISO to know within a few minutes if the supplier is bankrupt, doing business in concerning areas, or has connections to questionable organizations. The Interos approach is standardized and repeatable without requiring a high level of supply chain expertise from the cyber analyst.

To see a demonstration of the Interos Operational Resilience platform, please go to https://www.interos.ai/resources/interos-product-overview/

 

Report: China’s Market Dominance for Rare-Earth Elements

By: Michael Eddi, Taiwo Ogunbayo, and Margaret D’Annunzio

Concerns over the west’s economic reliance on China are at an all-time high and cover a staggering breadth of industries. But few exports are more critical than China rare-earth elements (REEs) — or raise more urgent questions regarding China and supply chain concentration risk.  The REEs are a set of seventeen metallic elements. These include the fifteen lanthanides on the periodic table plus scandium and yttrium. Rare-earth elements are essential in the creation of virtually all advanced technology ranging from weapons systems critical to national defense to electric vehicles and devices imperative to a society’s modernization and advancement. 

China holds an 84% market share of REEs, creating a highly concentrated marketplace at risk of monopolization. This concentration creates potential crises for the companies who rely on these elements as sanctions and geopolitical conflicts, among other disruptions, could make acquiring REEs incredibly difficult.

According to the France-based International Energy Agency (IEA), China today extracts 60% of all rare-earth elements that are consumed by the global market. The country also refines 87% of the world’s REE supply, so many of the materials mined outside of China’s borders must be sent there for processing.

Analysis of 21 Chinese REE companies on Interos’ global relationship mapping platform reveals the extensive connection between China and supply chain concentration risk: 

  • More than 100 U.S. companies buy directly from these Chinese REE suppliers at tier-1, 3,500 indirectly at tier-2, and more than 102,000 buy indirectly at tier-3. 
  • Nine European firms (European Union plus UK) buy directly from these Chinese REE suppliers at tier-1, and 1,600 buy indirectly at tier-2, while over 56,000 buy indirectly at tier-3. 
  • Electronic equipment and components, machinery, software, and metals and mining are the main industry segments represented in trading relationships surrounding China rare-earth elements.  

The limited growth of western refinement capabilities is largely due to the potential impact on conservational efforts, as mining and refining operations come at the expense of environmental degradation. Despite this, avenues are being explored by North American firms to increase refinement capacity and ability with the goal of further reducing overall dependence on China.  

The Potential Impact of Sanctions on China Rare-Earth Elements

The Interos report includes a scenario matrix that represents seven distinct hypothetical situations with varying degrees of probability examined through the overarching scope of probability and impact. 

By understanding these potential scenarios, customers can use the Interos cloud-based artificial intelligence-powered supply chain risk management solution to game out how these scenarios could impact your business. 

Let’s look at each one in more detail.

Sanction and Tariff Scenarios: Navigating China and Supply Chain Concentration Risk

Scenario 1: Sanctions are placed on Chinese state-owned mines and mining operations 

Scenario Likelihood: Low

Projected Impact to Metals Supply Chain: High

Under this scenario, the American Office of Foreign Assets Controls (OFAC) would sanction Chinese state-owned mines, hence restricting American entities from purchasing or doing business with such mines. With over a dozen Chinese-owned mining companies in China, one-third are state-owned. On December 23 of last year, China approved the merger of three of its largest state-owned mines (MinMetals, the Aluminum Corp of China, and Ganzhou Rare Earth Group). 

This effort helps Beijing consolidate its position over the mining sector by allowing the government to have control over the entire supply chain of China rare-earth elements. This move led to the creation of a single state-owned company with a 70% share of the domestic production quota, which is vital to the creation of high-tech products. Due to the ongoing geopolitical tension between the U.S. and Chinese government, the merger will give the Chinese government the leverage it needs while negotiating with the U.S. Most importantly, it will advance China’s goal of total dominance, pricing power, and influence in rare-earth production. For the U.S. to levy such a sanction, it would need to increase its rare-earth output to mitigate China’s supply chain concentration risk.  

Scenario 2: A targeted sanction placed on C-suite leadership of Chinese mining companies 

Scenario Likelihood: High

Projected Impact to Metals Supply Chain: Low

Under this scenario, the U.S could take a similar approach as it did when it sanctioned Rusal. Using the template from the Rusal sanction, OFAC would designate specific Chinese mine owners, along with the mines they control or own. Concurrent with this designation, OFAC would issue general licenses to minimize immediate disruptions to U.S. persons, partners, and allies. Since the sanction targets a single entity rather than all the mining companies, U.S. entities can go to other Chinese rare-earth element suppliers. The license provided by OFAC would allow them to continue business with the sanctioned companies. In the sanctions levied against Rusal and its leadership, the State Department removed the entity sanction when its biggest shareholder Oleg Deripaska reduced his stake in the company. 

Scenario 3: A sanction is placed on Chinese minerals/metals from the Xinjiang region 

Scenario Likelihood: High

Projected Impact to Metals Supply Chain: Medium

With the U.S.’ latest efforts to curb the harsh treatment of Uyghur Muslims, bills and sanctions have been implemented to ban imports from China’s Xinjiang region. In 2021, President Joe Biden signed The Uyghur Forced Labor Prevention Act, which prohibited imports from Xinjiang and imposed sanctions on individuals responsible for forced labor in the area. Under this scenario, OFAC would require U.S. companies to exit supply chains or ventures that connect them to the Xinjiang region. Mining companies would be required to ask their suppliers to provide an affidavit to determine the product’s origin. In this scenario, the likelihood of this sanction being implemented would be high, but it would also affect American businesses’ supply chains and lead to higher prices in consumer products. 

Scenario 4: Sanction metal producers and mining companies and designate them to the NS-CMIC 

Scenario Likelihood: Low

Projected Impact to Metals Supply Chain: Low

Under this scenario, the U.S. government would prohibit American investments by “U.S. persons from purchasing or selling publicly traded securities of any persons designated or determined to meet certain criteria, including having operations in defense and related materials sector or the surveillance sector of the Chinese economy or being affiliated with such entities.” Designating a company as Non-SDN Chinese Military – Industry Complex Companies List (NS-CMIC list) prohibits U.S. investments in Chinese companies that undermine the security or democratic values of the U.S. and its allies. Presently, none of the Chinese mining companies have ties to the military complex making the likelihood of such a sanction being implemented low, and its effect on the supply chain rated insignificant.  

Scenario 5: Quota on any U.S. persons or entity importing over 50% in rare-earth minerals and metals from China.

Scenario Likelihood: Low

Projected Impact to Metals Supply Chain: High 

Under this scenario, the U.S. would place a quota on U.S persons or entities importing over 50% of their overall rare-earth metals imports. Any Chinese metal and minerals imported over the 50% threshold would be required to pay a 10% tariff. The President would then exercise his authority under Section 232 of the Trade Expansion Act of 1962. Section 232 of the Trade Expansion Act of 1962 “allows any department, agency head or ‘interested party’ to request that commerce investigate to ascertain the effect of specific imports on U.S. national security”. President Trump utilized this approach when he imposed a 10% tariff on aluminum imports with exemptions for Canada and Mexico to protect national security. Implementing a similar strategy on China rare-earth elements would be detrimental to American entities and consumers. It would increase the price of imported goods, create inefficiencies, and trigger retaliation from China. The probability of this sanction being implemented is low as it would have a high impact on the supply chain.

Scenario 6: Sanctioning of Chinese mining companies operating in Afghanistan/Africa 

Scenario Likelihood: High

Projected Impact to Metals Supply Chain: Low

With the U.S. exit from Afghanistan and the Taliban takeover of the country, China is working on filling the void by offering economic investment in the country’s mining sector. Though politically and economically unstable, Afghanistan holds copper, cobalt, iron, sulfur, lead, silver, zinc, niobium, and 1.4 million metric tons of rare-earth metals, which the Taliban will seek to exploit. As of March of 2022, mining company Metallurgical Corp of China has discussed plans to open an office in Afghanistan’s capital city Kabul in early spring to begin mining copper and lithium. Currently, the U.S. maintains sanctions on the Taliban as an entity with the power to veto any moves by China and Russia to ease United Nations Security Council restrictions on the military group[i]. Additionally, the U.S. has frozen nearly $9.5 billion in Afghanistan’s reserves and the International Monetary Fund has restricted Afghanistan access to its resources. Using this approach, OFAC can possibly sanction Chinese mining companies in Afghanistan and certain African countries and prohibit American entities from purchasing rare-earth metal from mining companies located in the targeted regions. Due to the U.S. having other options to buy its metals and minerals, possible sanctions here would not invoke issues with Chinese supply chain concentration risk. As such, the probability of such a sanction being implemented is high, with a low chance of impacting the supply chain. 

Scenario 7: Sanctioning of American individuals or entities from doing business with Chinese mining companies acquiring minerals and metals from Taliban/Afghanistan 

Scenario Likelihood: High

Projected Impact to Metals Supply Chain: Low

Under this scenario, OFAC would sanction American individuals or entities doing business with Chinese mining companies acquiring minerals and metals from Afghanistan or the Taliban. Currently, the Taliban has been designated as a Specially Designated Global Terrorist (SDGT) under Executive Order 13224. This order prohibits transactions with persons who commit, threaten to commit, or support terrorism. It also prohibits U.S. individuals and entities from making any contribution of funds to or for the benefit of entities or persons named on the OFAC-controlled master list of Specially Designated Nationals & Blocked Persons. 

Using the guidelines provided in this order, the U.S. would sanction persons and entities doing business with Chinese firms acquiring rare-earth elements from the Taliban. This sanction’s probability is high with a low impact on the supply chain. It would be easy for U.S entities to require a supplier to provide a country of origin for its minerals. This approach would also encourage more transparency in the supply chain and ensure compliance with the Executive Order. 

Download the full report

Contact Interos to Learn More

The last two years have shown the importance of supply chain visibility. Our supply chains find themselves under constant threat from disruption, with China rare-earth elements at the center. Concentration risk serves as one of the most difficult risk factors to plan for as certain parts of the world dominate particular industries, like China’s control over REEs.  

By understanding your supply chain and these inherent risks you can make proactive plans to line up secondary suppliers or contingency plans in the face of changes. 

Contact Interos to learn more about how we can provide enhanced visibility into your supply chain to better identify these risks.

Earth Day 2022: Invest in our Planet

Given today’s geopolitical conflicts, global economic uncertainty and growing fears of yet another COVID variant wave on its way, it could be easy to overlook the importance of Earth Day 2022.

But hopefully, on April 22 most of the world can pause for a moment and reflect on the timely theme of this year’s Earth Day — “Invest in Our Planet.”

Quite frankly, I can’t think of a more appropriate theme.

Over the last several months, I’ve been in talks with industry and government leaders on a range of operational resilience, risk mitigation and supply chain visibility issues.  One of their top concerns: ensuring that environmental, social and governance (ESG) best practices are woven throughout their enterprises and are creating shared value for their customers, employees, communities and businesses.

Earlier this month, we announced a partnership with ServiceNow that will help many of these business leaders sleep better at night. The integration of our technology into ServiceNow’s Vendor Risk Management (VRM) offering will give their customers greater visibility into ESG risks by providing instantaneous multi-factor risk assessments for every entity in their supply chain.

One firm already leveraging this technology integration is Blackstone. Jennifer Morgan Global Head of Portfolio Operations at Blackstone, put it this way: “Blackstone believes that ESG principles are crucial to developing strong, resilient companies and assets that deliver long-term value for our investors. We’re focused on addressing ESG related risk in a holistic manner that helps our portfolio companies drive deeper visibility into their supply chains to ensure resilience, mitigate environmental, social and regulatory risk, and promote growth.”

The volume of these discussions has risen considerably since last month’s proposal by the U.S. Securities and Exchange Commission to require standardized reporting of ESG practices. I wrote about the implications of that proposal a few weeks ago and noted that more and more investors are truly focused on investing in our planet.

Other recent actions, including New York’s proposed Fashion Sustainability and Social Accountability Act, Germany’s Due Diligence and Supply Chain Act, and The European Union Corporate Responsibility Reporting Directive all point to greater societal and regulatory accountability for businesses here in the U.S. and around the world.

Invest in our planet with technology

Little wonder that technology investments in supply chain businesses are. Supply-chain technology startups raised $24.3 billion in venture funding in the first three quarters of 2021, 58% more than the full-year total for 2020. That pace of investment has not abated.

The sense of urgency is clear, especially among leaders in the consumer-goods industry. Consider that by 2025, almost two billion people are expected to become global consumers, nearly doubling the amount of people purchasing goods from global supply chains in 2010.

In addition, the consumer goods sector is expected to grow by five percent a year for the next 20 years. To meet new global climate requirements, consumer goods companies will need to trim greenhouse gas emissions by more than 90 percent by the middle of the century. The mandate for B2B enterprises is equally strong especially as more transactions and relationships have migrated to the digital world, raising the bar on trust and visibility.

You can only measure what you can see

These challenges are underscored by the fact that only about one in five supply chain managers today say they have visibility into their suppliers’ sustainability practices.

Additionally, our own surveys at Interos show that 37% of responding businesses struggle to obtain the data to measure supplier sustainability accurately.

Businesses have long relied on suppliers to self-attest to their sustainability and ethics status. This information is often inaccurate and submitted through a cumbersome manual process on an annual basis. Given the rapidly changing nature of the modern supply chain ecosystem, periodic self-reporting is no longer adequate, but it is still the method 74% of businesses rely on, according to our study.

This lack of trustworthy information leads to real-world problems: 41% of organizations reported that ESG-related risk factors had caused detrimental impacts to their business in the past two years, making it harder to achieve a sustainable supply chain. ESG-related disruptions today cost companies an average of $35 million in lost revenue annually.

The environmental impact in the supply chain isn’t limited to greenhouse gas emissions. Water scarcity, negligent land-use practices, toxic waste, water pollution, deforestation, air quality and energy consumption are all important factors.

Four investment priorities to think about

In my recent discussions with leaders, at least four key areas consistently surface as priorities around technology to invest in our planet.

  • The first is investing in tools that increase supply chain transparency to ensure suppliers are using ethical sourcing. Today’s supply chain leaders need that visibility to ensure suppliers are following sustainability standards and regulation, whether it’s in their mining, manufacturing or labor practices. Transparency also helps sourcing managers make informed decisions when onboarding new suppliers. Equally important, it is the difference between investors having confidence in your data or not. Blackstone’s Jennifer Morgan further explains: “Our job is to invest in amazing companies and support them to reach their potential. A huge part of that is the way we help them drive ESG value. Technology is transforming how businesses do that.”
  • The second is investing in visibility tools that can provide for greater supply-and-demand planning to reduce overproduction and inefficiencies. When supply and demand planning is out of sync, the results can lead to too much or too little production and distribution, all of which results in waste that impacts the environment. Leaders can avoid these issues with the smart deployment of artificial intelligence, machine learning and predictive analytics that create more efficient supply and manufacturing processes.
  • The third is investing in visibility tools that can help optimize routes and reduce fuel consumption. With greater visibility into supplier behavior and other factors that can impact distribution, such as natural disasters, new regulatory measures and cross-border conflict, leaders can optimize international, national and local shipping routes. Advanced analytics can even update routes in real time to take account of congestion and other issues.
  • The fourth is investing in visibility tools that streamline supply chain processes to reduce waste. While supply chains can be improved through major transformational changes, they can also benefit greatly from iterative improvements. Good analytics and reporting works with machine learning to continually improve processes throughout the supply chain. Every change that slightly reduces waste, speeds up delivery or enhances quality can improve the health of both your business and the environment.

As we recognize Earth Day 2022 and its theme of “Invest in our Planet,” I hope everyone takes a moment to reflect on the technology investments needed to help organizations create more sustainable, responsible and ethical supply chains.

Here’s to a productive Earth Day.

The Future of the Semiconductor Supply Chain

By Trevor Howe, Daniel Karns, and Alberto Coria

As the war in Ukraine continues, companies and countries are urgently assessing where the next major conflict and supply chain disruption may arise. As trade and economic friction grow between Western nations and China, concerns over China’s designs on Taiwan (and the impact of those plans on the global semiconductor industry) have increased. These concerns have only highlighted the need for greater visibility of sub-tier supply chains for critical commodities like semiconductors, and the need to intelligently diversify semiconductor supply chains.

Market Share of Semiconductor Companies (as of Q3 2021)." TSMC, Samsung, and UMC take the first three spots.

The market share of the global semiconductor industry is heavily concentrated in Taiwan, and in particular, Taiwan Semiconductor Manufacturing Co., Ltd. (TSMC). TSMC alone holds a majority of market share with 53.1%, followed by South Korea-based Samsung Electronics with 17.1%. Taiwan-based United Microelectronics Corp. (UMC) comes in third with 7.3%, bringing the market share concentrated in Taiwan to above 60%. Given Russia’s war in Ukraine, there is concern of similar territorial ambitions held by China regarding Taiwan which would disrupt future semiconductor production and global supply.

When considering disruptions to the semiconductor supply chain, the effect that COVID-19 has had cannot be overstated. However, this industry was already inundated with disruptions before the pandemic as well. Instances of earthquakes in the Pacific Rim, clean room contamination events, compromised materials making their way into processes, water supply shortages, cyber-attacks, facility fires, and power outages have all put upward pressure on lead times for semiconductor devices through the years.

There are several notable events which have adversely affected the semiconductor industry since just the beginning of 2020. The ongoing trade war between the U.S. and China raises the cost of certain goods and limits access to certain products by blacklisted Chinese entities. In December 2020, the U.S. added Semiconductor Manufacturing International Corp. (SMIC) to a trade blacklist due to a relationship linking SMIC to China’s military, limiting the already constrained pool of chipmakers from which American companies can receive their chips.

According to Interos data, Taiwan and Japan experience the most disruption events to their semiconductor manufacturing industries. Earthquakes account for a significant portion of disruptions in both countries. Moreover, captured Moderate and Major Impact events were concentrated in Japan. 

Disruptions to the Semiconductor Manufacturing Industry Over Time by Country and Disruption Type.

With 33 captured events, Taiwan has experienced the highest number of disruptions to its semiconductor manufacturing industry as well as the most diverse collection of event types. Japan has experienced the second-most disruptions with 24 captured events. When all disruption events are combined from Taiwan with Japan, earthquakes comprised 67% of all disruption events, with power outages serving as the second-most-common type of disruption.

Disruptions to the Semiconductor Manufacturing Industry Over Time by Disruption Type and Severity

Interos data also revealed that an estimated 45% of disruption events have significant ripple effects on the semiconductor supply chain. Their impact is somewhat ameliorated by the disaster-conscious design of many semiconductor fabs.

Cyber-attacks, like the malware virus that affected TSMC machines in 2018 or the ransomware attack X-Fab Silicon Foundries experienced in 2020, account for just 5% of all captured events, but data indicates a significant upward trend in their frequency since the onset of the pandemic. The increase stems from a rise in global cybercrime and state-sponsored hacking, particularly from state-sponsored groups in China seeking to steal intellectual property to bolster domestic chip manufacturing capabilities.

As the West imposes sanctions on Russia as its invasion of Ukraine continues, Russia is likely to respond against the West with targeted cyber-attacks. This industry could pose a potential target for Russian cyber-attacks, especially since export controls against shipments of semiconductors to Russia would significantly mitigate any negative effects directly felt by Russia as a result.

The American Semiconductor Industry: An Overview

While the U.S. has taken steps to mitigate the spread and ensuing supply chain disruptions precipitated by COVID-19, policymakers have also strived for an expansion of the American semiconductor manufacturing industry to offset future economic strain resulting from a global shortage of semiconductor devices.

Both chambers of Congress passed bills aimed at growing the American semiconductor manufacturing industry with funding incentives. These are the America COMPETES Act (H.R. 4521) which passed in the House in February 2022, and its Senate counterpart, the United States Innovation and Competition Act (USICA) (S. 1260) which passed months prior in 2021. Currently, reconciliation efforts are underway in Congress to agree on final texts and move this legislation closer to becoming law.

Both bills make allocations for three funds intended to promote American semiconductor manufacturing:[4]

  • CHIPS for America Fund – $50.2 billion USD
  • CHIPS for America Defense Fund – $2 billion USD
  • CHIPS for America International Technology Security and Innovation Fund – $500 million USD

These bills also call for the establishment of a National Semiconductor Technology Center (NSTC) to provide a public-private consortium for advanced research, prototyping, and innovation. Current reconciliation efforts will need to address differences between the two bills, such as funding recipient eligibility and direct loan or loan guarantee authority given to the Department of Commerce.

Partly in response to these expected incentive programs, several prominent foundry companies have recently announced expansions in their U.S. operations. Announcements in 2021 included those made by Intel in March 2021, TSMC in April 2021, GlobalFoundries in July 2021, and Samsung Electronics in November 2021. This year, Intel announced a $20 billion USD investment for fabs in Ohio, and as of March UMC has reportedly been eyeing Detroit as a potential investment site for a new fab. Additionally, Micron Technologies has been scouting potential fab sites as part of a 10-year $150 billion USD investment plan in Texas, California, and Arizona.  The CEO of Intel stated in a recent Senate committee hearing that Intel would likely increase its Ohio investment and therefore production capacity were federal incentives to be made into law soon, underscoring the importance of this legislation to the semiconductor supply chain.

Though federal incentive programs would promote American manufacturing, a shortage of skilled workers in the U.S. to operate planned semiconductor fabs poses a threat to the success of these legislative efforts. According to a recent study, 82% of semiconductor industry executives reported a shortage of qualified job candidates. Moreover, an estimated 500,000 positions for engineers in the semiconductor field will open in the next decade, creating a gap which the U.S. will likely need to rely on foreign infusions of talent to fill.

Surviving Semiconductor Supply Chain Shortages

There does not appear to be a consensus on when the current semiconductor shortage will end. Opinions range from the second half of 2023 to well into 2024. Although foundries are investing capital and in some cases are already breaking ground on new fabs, many of these new fab sites will not be online until 2024 or 2025. Moreover, those slated for completion in 2022 and 2023 are not guaranteed to meet their deadlines as COVID restrictions and supply chain delays for construction materials and highly specialized equipment can be expected to continue. Furthermore, with the addition of production capacity comes increased demand as an increasing number of manufacturers rely on semiconductor devices.

Companies should expect the semiconductor device shortage to continue through 2023, underscoring the need to adapt to this environment. Several options are available to companies that rely on semiconductors:

Identify specific supply inhibitors

Automotive manufacturers’ operations have been held up by power management integrated circuits (PMICs). PMICs cost less than $1 USD but their short supply has cost automotive manufacturers billions of dollars as they have been forced to stall operations as they await PMIC deliveries. Since “semiconductor” is an umbrella term for multiple specific-function devices, end-users should identify the exact products presenting problems within their supply chains. Afterwards, Interos automated solutions and machine learning technologies can aid companies to restore or improve their supply chains.

Diversification of suppliers

Supplier diversification is only possible with a comprehensive understanding of the supply chain. The Interos Resilience platform enables visibility into these sub-tiers, allowing companies to identify nodes of concentration as well as alternative suppliers in the event of disruptions.

Balance selective ‘just-in-time’ practices with maintained inventories

Identifying reliance on specific components and assessing the global situation can inform which components would benefit from having an expanded inventory to hedge against disruptions.

Conduct semiconductor supply chain planning exercises

Unfortunately, front-end fabrication is just one piece of the puzzle in this complex industry and diverse supply chain. Bottlenecks elsewhere, from the supply of materials to the delivery of specialized equipment, can have significant ripple effects on capacity, not to mention disruptions in shipping and logistics that can add delays to lead times.

Any approach to expanding chip capacity at scale and understanding your supply chain risk exposure must be multi-faceted and thorough, leveraging real-time sub-tier supplier insights that provide holistic, multi-risk-factor monitoring.

Then, to learn more about the Interos platform, visit interos.ai.

The Increasing Role of the CISO in Operational Resilience

The Increasing Role of the CISO in Operational Resilience

As supply chain attacks and disruptions are becoming more common, Interos sees the increased need for the Chief Information Security Officer (CISO) to become more proactive in dealing with business continuity and risk management to achieve operational resilience. This need is discussed in detail in Michael Rasmussen’s paper, www.interos.ai/mikesbloglink/ from GRC 20/20 Research.

Michael is a well-known figure in the cybersecurity and governance, risk management, and compliance (GRC) community. He was for many years a top Forrester Research analyst, and now runs GRC 20/20. In this paper, the need for the CISO to look at operational resilience as an achievable task is well laid out both in approach and goals.

CISOs Must Consider Business Continuity and Risk Management

Operational resilience is the ability of an organization to plan for supply chain disruption, be able to execute correctly, and take advantage of new situations. Many organizations lack the agility to deal with supply chain disruption because they fail to see it as a regular part of business continuity & risk management planning. Recent events have shown how some organizations have been caught entirely off-guard by disruption, but others have pivoted and thrived. 

The CISO’s role is one of protecting the organization. This is now increasing to include active threats, including supply chain cyber disruptions and risks. A cyber-attack can disrupt a supply chain because a supplier was found to be using counterfeit goods or subject to sanctions. The recent Log4J event highlighted this problem. Most vendors provided a patch, which was the most straightforward approach. For instance, some vendors’ solutions had to be repositioned within the network behind a Web Application Firewall (WAF). Still, others that could not be mitigated had to be removed and replaced, which was the most disruptive. 

Supplier issues are addressed in the same way. A supplier may have a cyber-breach, but most can address this with patches and taking a positive approach to resolving the problem. Suppliers found to be using counterfeit goods may have some products discarded or re-worked with new material, fixing the problem. But a vendor who cannot come into compliance or has fundamental issues like bankruptcy must be replaced, which has the most negative effect on the organization. The CISO must look at more risk factors than cyber to address this proactively. They must coordinate with the other teams within their organization to discuss business continuity & risk management concerns, and ultimately guide executive leadership on the best way to achieve operational resilience and prepare for supply chain issues.

The GRC 20/20 paper addresses this subject in detail. Interos suggests you review it and learn from Rasmussen’s vast experience the best approaches for a CISO to become a master of operational resilance. To learn more about the Interos platform, and how it can help CISOs with challenges tied to business continuity and risk management, visit interos.ai.

Download report.