Banking on Security: Unveiling the Secrets of Third-Party Risk Management in Financial Services

By Patrick Van Hull

Throughout our webinar, “Banking on Security: Unraveling the Secrets of Proactive Resilience in Third-Party Risk Management,” Chris Ballantyne of TD Bank, Michael Nassar of Deloitte, Jennifer Bisceglie, CEO and founder of Interos, and I delved into the landscape of managing third-party risks and the wide range of opportunities for financial services leaders to realize the value-generation opportunities of TPRM.

The financial services sector faces an ever-shifting panorama of risks, demanding a proactive stance to stay ahead. Traditional approaches are no longer sufficient; organizations must embrace real-time monitoring and continuous risk assessment. Disaster recovery and business continuity planning must evolve to encompass new risks and scenarios.

This transformation entails shifting from defensive to offensive strategies, focusing on mitigation, and adopting digital supply chain programs to develop comprehensive approaches to risk management.

Harnessing Data and Advanced Analytics for Effective Risk Management

Improving data quality and adopting advanced analytics and AI are central to this journey. These transformative tools streamline processes, enhance predictive capabilities, and enable proactive handling of third-party breaches. Organizations can swiftly identify and mitigate risks by leveraging external market intelligence and internal data analytics, bolster operational resilience, and protect against potential costs.

A clear majority of poll respondents in the webinar audience selected combining internal and external data to enhance risk assessment as a critical way to ensure technology and data integration in TPRM programs for maximum effectiveness.

The TPRM approach at TD Bank, according to Chris, also includes that sentiment: “We’ve been looking at how we can leverage data more effectively, both internal data and external data that are available, but also our suppliers and their supply chain, to figure out and triage an event more effectively, respond faster, and address them in a more timely manner to quickly shut down where that risk exists within our supply chain.”

Technology’s Influence on Operational Resilience and Compliance

Technology is both a boon and a challenge in the quest for operational resilience and regulatory compliance. While regulatory changes pose hurdles, they also spark innovation opportunities. Integrating commercial technology facilitates the transition from mere visibility to actionable insights, navigating the complex terrain of compliance while progressing along the industry’s maturity curve.

Nearly half of the webinar poll responses selected continuous compliance monitoring and management to encourage ongoing alignment with evolving regulations and industry standards in TPRM, with Michael’s thoughts expanding further: “to actually focus on that proactive element and respond with more agility and efficiency and effectiveness to the evolving threat landscape to the increase in incidents from third parties that is only going to frankly be impressive as a practice to regulators because it allows you to respond, assess, triage and action those incidents more quickly than you ever could before.”

Cultural and Technological Alignment

Crucially, this transformation necessitates alignment with cultural and technological shifts. Third-party risk management must become ingrained within organizational culture, grounded in data, and demonstrate tangible business value. Initiatives should start small but aspire to grand visions, moving beyond reactive approaches to emphasize proactive intelligence-driven decision-making.

As Jennifer puts it, there’s growing momentum toward “how do I do my day job faster, better, quicker, more efficiently, repeatable, and predictable? So, I don’t have to defend why I made the decision. I’m more focused on what I’m going to do with that decision. And that’s really been the big material change.”

Along the lines of that thought comes the fostering of a culture of shared responsibility for risk management, which was the most selected response to the poll question about how organizations can collaborate to embed TPRM capabilities into their culture effectively.

Setting a Path Forward

As Chris, Michael, and Jennifer see it, this journey toward resilience begins with mastering third-party risk management, which is not merely necessary for the future but is also a strategic imperative for financial institutions. Risk management may not be one-size-fits-all, but several core capabilities are essential in the path forward, including:

  • Building visibility by mapping third-party ecosystems to quantify risk exposure and continuously monitor critical indicators.
  • Leveraging trustworthy data intelligence combining internal and external sources to understand risk materiality.
  • Demonstrating actionability and agility in making decisions without compromising on risk.

To progress through ongoing expectations of uncertainty and rapid change, organizations must confidently navigate the turbulent waters of disruption and emerge stronger by embracing proactive resilience, leveraging technology, and fostering cultural alignment.

Watch a replay of the webinar here.

Spyware and Sanctions Create Emerging Supply Chain Risks

On the surface, the recent spyware campaign by the Vietnamese government against U.S. politicians may not seem relevant to supply chain risk. That would be a faulty assumption. More than 70 governments have deployed spyware over the last decade. While government officials and journalists are often the targets, the private sector is not immune. Businesses located in countries with governments deploying spyware and pursuing digital authoritarianism – widespread data and internet control – face a heightened risk of data exfiltration.

But spyware doesn’t just create cybersecurity risks, it also creates regulatory risk. Earlier this year, the Biden Administration introduced new restrictions on spyware companies due to the security risks they pose. Along with the UFLPA, these additions reflect a growing focus on human rights violators. These changes acknowledge “the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights violations.”

In the new normal defined by geopolitical fault lines and a splintering of cyber norms, both the deployment and production of spyware should be a growing consideration for supplier due diligence and risk assessments.

The Proliferation of Spyware

Spyware is a form of malicious software installed on devices to collect information without the owner’s consent. Previously, governments had a near monopoly on these capabilities. However, thanks to the privatization of spyware, offensive cyber capabilities continue to proliferate among state and non-state actors. NSO Group, Cellebrite, and Candiru are just a few of the companies selling spyware. A recent Interos analysis assessed the number of spyware companies linked to national governments. The number reached into the double digits in some cases.

Global map showing how many spyware companies have been linked to a national government, by region. Hot spots include Mexico, Columbia, Morocco, Nigeria, Saudi Arabia, and Thailand.

These numbers only reflect the open source disclosure of spyware. In reality dozens of governments now possess some level of offensive cyber capabilities, the majority of which remain classified. China leverages spyware for widespread espionage campaigns, while reporting has linked numerous governments to Pegasus spyware. This year’s ODNI (Office of the Director of National Intelligence) Annual Threat Assessment notes “commercial spyware and surveillance technology, probably will continue to threaten U.S. interests.” ODNI estimates the commercial spyware industry to be worth $12 billion. Vietnam’s targeted deployment of spyware reflects this growing risk.

Spyware and Restrictions

The proliferation of commercial spyware and surveillance technologies is not only a security risk. It is also reshaping the regulatory environment. Section 889 of the 2019 NDAA was among the most expansive prohibitions against the use of surveillance technologies by federal agencies and their partners. Focused on Huawei, Dahua, ZTE, Hytera, and Hikvision, and their subsidiaries, Section 889 reflects the growing risks of surveillance technologies due to both data exfiltration risks as well as regulatory risks.

While Section 889 focuses on dual use surveillance technologies, this year’s Executive Order explicitly addresses commercial spyware focused on surveillance and data exfiltration. It has already resulted in several more companies being flagged as surveillance risks. This includes the addition of Intellexa and Cytrox to the Entity List. Initially, restrictions such as Section 889 largely focused on companies partnering with the United States governments. However this has been extended to a broader commercial restriction following the inclusion on the Entity list. This is not only a U.S. concern; the E.U. has called for a ‘de facto’ moratorium on spyware in May, while Australia has similarly debated controls on commercial spyware.

Looking Ahead: The Splinternet & Supply Chain Risks

Just as globalization and supply chains continue to be upended along geopolitical fault lines, so too does the internet. Reflecting opposing norms toward digital government intervention and data privacy, today’s siloed and fractured “Splinternet” introduces new digital risks across a company’s supply chain. Digital authoritarianism, wherein governments seek digital sovereignty and control over the Internet and the data passing through it, is on the rise and is powering the proliferation of spyware. While democracies are not immune from the use of spyware for national security, authoritarians are much less constrained on their use of offensive cyber capabilities across a growing population of targets.

The ODNI Annual Threat Assessment summarizes the national and commercial risks posed by digital authoritarianism and offensive cyber capabilities. Revelations of Vietnam’s use of spyware is not surprising to those following the expansion of digital authoritarianism. Over the last few years, Vietnam has adopted increasingly stringent data restrictions, including mandating local data storage and government control over data. These laws have prompted comparisons to Chinese digital authoritarianism and the data trap which eliminates corporations control over their own data.

Vietnam also is a top contender for companies seeking to diversify supply chains away from China. While it may provide favorable labor and economic environments, Vietnam’s cyber risks are often overlooked. While governments are more-frequently targeted than corporations by spyware, history has proven that it’s only a matter of time before business are equally under fire by adversaries with espionage or profit motivations.

Diversification with Cybersecurity and Regulatory Risk in Mind

As companies explore reshoring and supply chain diversification, the cybersecurity risk environment must be part of the calculation. A growing component of this analysis is the offensive deployment of spyware for data exfiltration. Similarly, surveillance technologies within a supply chain are also at heightened risk of regulatory fines and penalties. These heightened risks reflect ongoing geopolitical and technological transformations and introduce a range of opportunities and risks.

Those who prioritize and design operational resilience in sync with these transformations will gain a competitive advantage and be better prepared for the new normal compared to those who remain focused on the risks of yesteryear.

To learn more about how to identify and combat risks related to spyware in your supply chain, contact Interos. 

Child Labor is a Growing Risk Across American Supply Chains

By Geraint John and Taiwo Ogunbayo

Child labor is an issue most often associated with countries in the developing world – but it’s also a growing risk for companies with supply chains in the United States.

Investigations by U.S. government agencies, research firms, non-governmental organizations and media outlets reveal a spike in the number of children working illegally for U.S.-based suppliers, some of them used by major American companies. Since the beginning of 2022, Interos has identified 139 companies implicated in breaches of child labor regulations in the U.S. alone.

In June, an ESG advisory firm owned by Goldman Sachs downgraded U.S. supply chains from “medium” risk to “high” risk, in part because of the treatment of migrant and other children.

Aside from financial penalties for non-compliance with child labor laws, U.S. firms run the risk of damaging their brand reputations by being associated with illegal practices taking place within their domestic supply chains.

A Global Problem Mirrored in the U.S.

Child labor is a growing problem globally. Around 160 million children aged 17 or under – almost 1 in 10 of the world’s population – were working in factories, on the land or in other jobs in 2020, according to Unicef.

This figure was up by over 8 million on 2016 estimates, with agriculture accounting for more than 70% of children in work.

However, this growth is not limited to traditional hotspots in Sub-Saharan Africa, Pakistan, India and other developing countries. In February, the U.S. Department of Labor announced a crackdown after the number of child labor law violations jumped by 69% since 2018 and 283% since 2015 (see chart).

The U.S. Fair Labor Standards Act (FLSA) of 1938 sets a minimum working age of 14 and limits the number of hours that can be worked by minors under 16. The act also bars those under 18 from working in hazardous occupations.

The labor department’s most recent data shows that:

  • The U.S. government has successfully prosecuted 835 cases involving the illegal employment of more than 3,800 children in U.S. fiscal year 2022.
  • The annual number of cases involving children working in hazardous jobs almost doubled, to 688, between 2015 and 2022.
  • Fines for child labor law violations totaled almost $4.4 million in FY 2022 – up 315% on 2015.

 

Cases Reflect Migration and Labor Market Conditions

Since 2022, Interos has documented 139 companies implicated in breaches of child labor regulations in the U.S. Our analysis found that:

  • These entities are connected to more than 600 U.S.-based customers, heightening the risk of child labor violations for those companies.
  • The sectors with the highest incidence of violations include food services and restaurants, transportation equipment manufacturing, and administrative support services.

Media reports over the past year have highlighted a number of cases in these and other industry supply chains of major U.S. and foreign companies. For example:

  • An investigation by Reuters last year discovered underage children being used in auto parts factories supplying South Korean car makers Hyundai and Kia in Alabama.
  • Earlier this year, a Wisconsin-based cleaning supplier used by JBS Foods, Cargill, Tyson Foods and other meat processing firms was fined $1.5 million for illegally employing more than 100 minors at sites across eight U.S. states in the south and Midwest.
  • The Department of Labor investigated a Michigan-based snack-food and cereal manufacturer supplying household-name brands after being called out in a New York Times article.

Migrant children are particularly at risk. There has been a big rise in the number of Central American children sent unaccompanied by their parents to work in the U.S. More than 250,000 are reported to have entered the country in the past two years alone.

Another contributing factor is the state of the U.S. labor market. With firms in many industries hit by rising wage costs and a shortage of workers, pressure on state legislators to relax some FLSA regulations has intensified.

To date, 14 states – including Arkansas and Iowa – have proposed or enacted laws that weaken federal restrictions on child labor, according to the Economic Policy Institute.

With an increasing number of states relaxing their child labor regulations, the U.S. is likely to see a continued rise in the number of reported and investigated cases over the next few years.

Child Labor Requires Focus and Visibility

Perhaps because it is regarded as a “developing world problem”, child labor has not been as high on the ESG agenda for many Western firms as either environmental issues or other working conditions such as forced labor.

A recent Interos survey of 750 procurement leaders in the U.S., Canada, the U.K. and Ireland found that child labor ranked the lowest of nine ESG activities, in terms of the progress made with suppliers to tackle it during the past three years (see chart).

Almost one-quarter of the 400 U.S. respondents in aerospace & defense, financial services, energy, healthcare and federal government reported either no progress or regression on child labor. Only 10% believed this type of supply chain risk was “not applicable” to their organizations.

Chart showing survey results ranking progress made by procurement executives in resolving ESG issues - child labor is last.
One of the main barriers to making progress with suppliers on child labor, as on other ESG issues, according to our survey findings, is a lack of sub-tier visibility.

A common source of supplier risk in several recent U.S. cases is recruitment agencies, which are often present two or three tiers deep in the supply chain. Several have been blamed for supplying children to customer workplaces without properly verifying their ages or legal status.

Not knowing who your tier-1 or tier-2 suppliers use for staffing, other services such as cleaning and catering, as well as product manufacturing, in turn results in a lack of awareness about both child labor risks and specific instances of illegal activity.

Just 16% of U.S. procurement leaders were confident they would be aware of a supplier ESG violation in most or all of their supply chain tiers within 48 hours (see chart).

Pie chart showing visibility levels procurement leaders have on ESG supply chain violations. Most would not be aware of ESG violations within 48 hours in most tiers of their supply chains.

 

What American Leaders Need to Do

To manage domestic regulatory and reputational risk around child labor effectively, U.S. procurement and supply chain leaders need to:

  • Strengthen sourcing policies and supplier codes of conduct to make it clear that the illegal use of child labor in U.S. operations is unacceptable.
  • Ensure that contractual terms specify the right to on-site audits of direct and, in certain circumstances, indirect suppliers to check they abide by federal and state child labor laws.
  • Invest in software tools to map multi-tier supplier relationships, model supplier ESG risks, and continuously monitor events involving the potential use of child labor.
  • Keep a close watch on suppliers in sectors implicated in employing illegal child labor, such as cleaning services, contingent staffing, and low-valued-added product manufacturing.
  • Assess child labor risks and mitigation plans in regular review meetings with key suppliers.

The growing catalog of evidence and convictions demonstrates that child labor is not an issue that U.S. companies should be concerned about only in their foreign supply chains; it is one that also requires action in multiple industry sectors within America itself.

As with other forms of ESG risk, complacency is not a safe route to compliance.

Latest Salvo in the Chip Wars: Chinese Export Controls on Gallium and Germanium May Undermine Western Industries

By Trevor Howe, Senior Operational Resilience Consultant

 

China’s imposition of export controls earlier this month on two strategic raw materials could have significant implications for Western manufacturers of electric cars, smartphones and a host of other advanced technology products.

 

The restrictions require Chinese firms to attain special permits from the government to ship gallium  and germanium out of the country. Gallium compounds are commonly used in the manufacture of semiconductors, defense systems, medical devices and solar cells, while germanium is most often used in fiber optics.

 

Both the United States and the European Union (E.U.) are heavily reliant upon China as a source of these two critical commodities (see table below). So the Chinese government’s move could undermine global supply chains and increase the potential for disruption.

 

In the short term, these new export controls may add upward pressure to commodity prices in anticipation of constricted supplies to global markets. In the medium to long term, they could further accelerate moves in multiple countries to diversify the raw material supply chain away from China.

 

U.S. and E.U. Dependence on China for Gallium (Ga) and Germanium (Ge)

 

Net Reliance on Imports for Ga Import Reliance on China for Ga Net Reliance on Imports for Ge Import Reliance on China for Ge
U.S. 100% 53% >50% 54%
E.U. 98% 71% 42% 45%

 

Sources: The United States Geological Survey Mineral Commodities Survey (2023); The European Commission Study on the critical raw materials for the EU (2023)

 

An Escalating Technology Trade War

 

China’s action comes as it has been openly sparring with the U.S. in an escalating technology trade war. The export controls on gallium and germanium are widely seen as retaliation for the U.S. government’s restrictions on sales of advanced semiconductors and chip-making equipment to Chinese companies.

 

As well as its own export controls, the U.S. has been putting pressure on partners such as Japan, South Korea and the Netherlands to limit their sales. The Netherlands, for example, recently implemented controls on the export of advanced semiconductor manufacturing equipment to China from ASML. ASML is currently the only company in the world to produce extreme ultraviolet lithography machines used to produce leading-edge chips.

 

Given the reliance of American and European firms on Chinese supplies of gallium and germanium, experts are worried about the effect China’ new controls could have on aerospace & defense, energy, telecommunications and other industries affected. Moreover, there is the potential future threat to rare earth elements (REEs), the supply of which China also dominates. REEs are crucial for clean energy technologies, electric vehicles, consumer electronics, and national defense.

 

Gallium-Related Products Facing Export Controls

 

Gallium occurs in very small concentrations in ores of other metals. Most gallium is produced as a byproduct of processing bauxite, and the remainder is produced from zinc-processing residues. The metal is not currently recyclable and there is no substitute for its use in some products where increased semiconductor performance and efficiency are required.

 

Aside from gallium metal itself, China’s new controls will apply to several gallium-related products:

 

Material Usage Examples

 

Gallium arsenide (GaAs) Uses include as a doping material to manufacture compound semiconductor wafers used in integrated circuits (ICs) and optoelectronic devices, which include laser diodes, light-emitting diodes (LEDs), photodetectors, solar cells, and solid-state devices such as transistors. While several substitutes for GaAs do exist, no effective substitutes exist for GaAs in many defense-related applications where GaAs-based chips are used because of their unique properties.

 

Gallium nitride

(GaN)

Uses have been growing in importance because of its ability to offer significantly improved performance across a wide range of applications while reducing the energy and the physical space needed to deliver that performance when compared with conventional silicon technologies. For example, GaN is used in advanced radars such as the AN/TPQ-53 which has been provided to the US military.

 

Gallium phosphide (GaP) Uses include as a semiconductor and optical material for the manufacture of low and standard brightness red, orange, and green light-emitting diodes.

 

Gallium antimonide

(GaSb)

Uses include as a compound semiconductor for infra-red (IR) photodetectors used in sensing and imaging applications. The application of GaSb detectors is extensive, encompassing military, industrial, medical, and environmental uses.

 

Gallium oxide

(Ga2O3)

Uses take advantage of conduction and luminescence properties; this includes in semiconductors, gas sensing, catalysis, and nanostructures as blue and UV light emitters. Ga2O3 is also ued in spectroscopic analysis.

 

Gallium selenide

(GaSe)

Uses include as a nonlinear optical material for frequency conversion of laser light and as a photoconductor.

 

Indium gallium arsenide (InGaAs) Uses include within photodetectors and short-wave infrared imaging (SWIR) devices, solar cells, high-speed electronics, and medical imaging.

 

____________________________________________________________________________________________________

Germanium-Related Products Facing Export Controls

 

The major use of germanium worldwide is for fiber-optic systems, whereby germanium is added to the pure silica glass core of fiber-optic cables to increase their refractive index, minimizing signal loss over long distances.

 

The available resources of germanium are associated with certain zinc and lead-zinc-copper sulfide ores. On a global scale, as little as 3% of the germanium contained in zinc concentrates is recovered. Significant amounts of germanium are contained in ash and flue dust generated in the combustion of certain coals for power generation.

 

Germanium is more available than gallium, with around 30% of global supply produced from recycled materials. However, there is a notable lack of information surrounding the mineral. According to the 2023 Mineral Commodity Summaries published by the U.S. Geological Survey, no data was available pertaining to world refinery production and reserves of germanium.

 

In addition to germanium metal, ingots, and substrates, China’s new controls will also apply to several germanium products:

 

Material Usage Examples

 

Germanium dioxide (GeO2) Uses include in phosphors, transistors, diodes, infrared-transmitting glass, and electroplating.

 

Germanium tetrachloride (GeCl4) A colorless liquid, its uses include as an intermediate in the production of purified germanium dioxide and germanium metal. GeCl4 is transparent to infrared light and therefore useful in optical materials. It is also widely used as a semiconductor and as an alloying agent.

 

Zinc germanium phosphide (ZnGeP2) Uses include in high power, high frequency applications and in laser diodes, especially as a component for the laser source of infrared countermeasure systems in military aircraft which protect aircraft from heat-seeking missiles.

 

 

 

Substitutes for germanium do exist (e.g., silicon in certain electronic applications and antimony/titanium are substitutes for use as polymerization catalysts), providing a degree of resilience to undercut supplies to global markets.

 

Government and Company Actions to Manage Strategic Risks

 

Given the geopolitical context for China’s controls on gallium and germanium exports, and the concentration of global supply, there will inevitably have to be problem solving at the government level to address any shortages. Countries can bolster their resilience by maintaining strategic stockpiles, identifying alternate suppliers, investing in domestic extraction or production, or promoting the expansion of the industry via incentives for the private sector.

 

South Korea serves as a prime example; officials there reported that the short-term effects on operations in their country would be limited due in part to stockpiling and alternative supplies. The Korea Mine Rehabilitation and Mineral Resources Corporation has approximately 40 days’ stockpile of gallium that domestic manufacturers could use.

 

Meanwhile, the E.U. is engaging with countries in South America to secure further access the region’s abundant raw materials. If the E.U. can successfully expand its partnership with the Southern Common market (MERCOSUR), it would help achieve its strategic goal of securing a diversified, affordable, and sustainable supply of critical raw materials.

 

At the same time, the E.U. intends to bolster domestic production through recently proposed legislation such as the Critical Raw Materials Act.

 

While governments must step in to secure their countries’ respective supply chains, companies can ill afford to sit idly by and not take proactive steps to secure their direct supply chain. Although relatively few companies would be in a position to invest in REE or critical commodity extraction or production, they can still benefit from identifying where these materials are sourced from within their ecosystem.

This type of visibility deep into the supply chain can help uncover concentrated reliance on a supplier or region, and the information leveraged to pursue de-risking methods such as supply base diversification to bolster resilience against certain risks.

 

With its artificial intelligence-based software, Interos is well positioned to support supply chain risk management programs for companies around the world trying to address this issue, as well as future disruptions that may arise.

Forced Labor Regulations Materially Impact U.S. and European Supply Chains

By Geraint John

Forced labor is becoming an ever more impactful source of supply chain risk as new regulations on both sides of the Atlantic begin to bite.

In the United States, the Uyghur Forced Labor Prevention Act (UFLPA) has seen more than 4,600 imported shipments worth over $1.6 billion intercepted by U.S. customs officials in its first full year of operation. This week, U.S. customs added new Chinese companies to the list of those restricted from selling their products in America.

The law seeks to stop products associated with forced labor in China’s Xinjiang region from entering the U.S. Recently, a growing list of companies have been accused of flouting the legislation. They include the parent company of printer manufacturer Lexmark International, power tool maker Milwaukee Tool and Nike Canada.

In Europe, automotive firms BMW, Volkswagen and Mercedes-Benz have also been accused of using forced labor in their Chinese supply chains. If true, they would be in contravention of Germany’s new Supply Chain Due Diligence Act (SCDDA). The SCDDA came into force in January.

This specific complaint, brought by a Berlin-based non-profit, has yet to be proven. However, it is a stark warning to larger companies that they need to up their game when it comes to managing forced labor risk in their extended supply chains.

Regulations Address a Growing Global Problem

Forced labor is defined by the International Labour Organization (ILO) as “all work or service which is exacted from any person under the menace of any penalty and for which the said person has not offered himself voluntarily.”

According to a recent report, as many as 50 million workers worldwide may be enduring forced labor or “modern slavery” conditions. The report estimates this number has grown by 25% over the past five years. The report argues that this increase is due to global trade conducted by G20 developed nations.

A new Interos survey of 750 procurement leaders in North America and Europe underlines the significance of new supply chain regulations that seek to tackle this issue. It found that:

  • 80% of those in the U.S. and 71% in Canada see the UFLPA as having a significant or moderate impact on their organizations. Energy and A&D sectors were the most affected.
  • 61% overall think the SCDDA will have a significant or moderate impact. This rises to 77% in the energy and financial services sectors.

The UFLPA has a direct operational impact. Violations lead to the physical detention of shipments at entry ports, as well as cost and reputational implications. The SCDDA, meanwhile, gives the German government powers to levy fines of up to 2% of a company’s annual turnover. They may also be banned from competing for public contracts for up to three years.

Revealed: The Highest Risk UFLPA Goods

Of the 4,651 shipments detained by U.S. Customs and Border Protection (CBP) under the UFLPA to the end of June, 872 (19%) were denied entry, 1,849 (40%) were released and almost 2,000 were awaiting a decision.

But Interos’ analysis of CBP’s data reveals that shipments of specific products from certain countries are much more likely to be rejected than others. In particular:

  • Almost half (46%) of all shipments detained (worth $1.37 billion – 84% of the total value) were electronic products. However, just 3% of CBP decisions resulted in these being refused entry. The vast majority are shipped from Malaysia.
  • In contrast, customs rejected almost two-thirds of industrial raw materials and more than 62% of pharmaceutical and chemical products. Well over half of apparel, footwear and textiles met the same fate (see chart).
  • Vietnam has the highest proportion of shipments denied entry (49%), with 89% of raw materials and 69% of apparel, footwear and textiles rejected. This demonstrates that attempts to skirt the UFLPA by shipping from outside China don’t always work.
  • China itself is the second riskiest originating country for U.S. imports, with 40% of CBP decisions denying its shipments entry. Compare to an 11% rejection rate for Thailand and just 2% for Malaysia.
  • China’s highest risk category is apparel, footwear and textiles (64% rejected). This was followed by pharmaceutical and chemical products (62%) and raw materials (44%). At the other end of the scale, just 14% of agricultural products and 8% of consumer products were denied entry by CBP officers.

Products at Greatest Risk From UFLPA

Percentage of CBP decisions where shipments are denied entry, June 2022 – June 2023

Source: U.S. Customs and Border Protection

Polysilicon – a key raw material in the production of solar panels – is one high-risk product targeted by the UFLPA. More than 40% of the world’s supply of polysilicon comes from Xinjiang. Following previous action against Chinese imports, Vietnam is now the biggest exporter of solar panels to the U.S. Vietnam accounts for one-third of solar panel shipments in 2021.

Actions That Companies Need to Take

Companies can take similar actions to manage forced labor risk and comply with both the UFLPA and SCDDA. At a foundational level, they include establishing a robust risk management and due diligence system capable of identifying and remediating illegal practices.

Interos’ recent survey found that nearly two-thirds of procurement leaders believe they have made significant or moderate progress on forced labor with their suppliers over the past three years (see chart).

Forcing the Issue on Forced Labor

Progress made with suppliers in the past three years

n=750 procurement leaders

Source: Interos Resilience Survey 2023

However, as with other ESG issues, one of the main challenges around forced labor is a lack of sub-tier supply chain visibility. This ranked as executives’ joint top barrier to progress alongside a lack of reliable data for setting and tracking goals.

To support their regulatory compliance efforts on forced labor, procurement leaders need to:

  • Use supply chain mapping and risk-scoring tools to pinpoint high-risk relationships with both direct and indirect suppliers in geographies prone to forced labor.
  • Ensure that existing direct and sub-tier suppliers are not on, or being added to, any restrictions lists, including those specific to the UFLPA.
  • Harness detailed risk intelligence to help identify and mitigate forced labor risks before selecting or onboarding new suppliers in China or other at-risk countries.
  • Keep a close eye on high-risk raw materials and products shipped by Chinese or other firms based in Vietnam, Malaysia, Thailand, Mexico and other countries on the U.S. CBP watchlist.

Supply chain regulations impose a heavy burden on companies. They require time, money and resources to ensure compliance. 79% of CPOs we surveyed agree with that view.

But the same proportion also believes that regulation forces their organizations to do a better job of managing supply chain risk. 70% say it even enhances their competitive advantage in the market.

So the message on forced labor, as with other types of supply chain risk, is that it pays to invest. Organizations can derive value from both complying with emerging regulations, but also proactively developing greater operational resilience.

G7 Confronts China’s Designs on Semiconductor Supply Chain

G7 leaders meeting in Hiroshima, Japan this past weekend were hardly short of major global issues to discuss. From Russia’s unprovoked war in Ukraine and the proliferation of nuclear weapons to the steady march of climate change — the potential scope of the agenda was vast. So it was significant that the leaders devoted part of the summit’s agenda and communiqué to the risks facing critical supply chains and the need for greater resilience.

Nowhere is this more concerning for the world economy than in the case of Taiwan. We are at a time of heightened tensions between the United States and China. An all-powerful President Xi Jinping is intent on reuniting the two rival Chinese republics. Consequently, the concentration of semiconductor manufacturing in Taiwan is the biggest geopolitical risk facing supply chains today.

Taiwan-based companies control more than 90% of the world’s production of advanced microchips. These chips are used in everything from high-end smartphones to cutting-edge military hardware. One company, Taiwan Semiconductor Manufacturing Co. (TSMC), dominates this niche and owns more than half of global chip-making market share.

A Chinese invasion or blockade of its neighbor across the Taiwan Strait would have a devastating impact on the global economy one far greater in scale and longevity than the havoc wrought on food and energy supplies by Vladimir Putin’s aggression last year. So it is right that G7 leaders focused on the issue.

Taiwan’s Supply Chain: Powered by Semiconductor Exports

Taiwan exported $479.4 billion of products in 2022. The U.S. was the second biggest importer after China, with 15.7% ($74.9 billion) of the total. Japan was fourth with 7% behind Hong Kong, while the other five G7 countries Canada, Germany, France, Italy and the U.K. made up a combined 4.3% ($20.9 billion).

Many different products are shipped to these and other nations in Asia-Pacific and beyond (see chart). But it is electronic components, and especially “integrated circuits/microassemblies” in other words, semiconductors that dominate the list. The latter accounted for $183.5 billion, or 38% of Taiwan’s total exports by value last year. Despite a falloff in demand for chips in recent months, this figure was up 17.7% on 2021, which in turn was up 22.4% on 2020.

Taiwan Exports by Commodity, Q1 2023. Electronic components are the largest category.

Dependence on Taiwanese supply chains among G7 countries is, as you might expect, extensive. An analysis of Interos’ global database of business relationships shows that:

  • U.S. companies have almost 70,000 direct (tier-1) relationships with Taiwanese suppliers. Companies in other G7 member countries have almost 10,000 between them.
  • When indirect multi-tier relationships are included, G7 member companies have more than 315,000 tier-2 and 750,000 tier-3 connections to Taiwanese firms.
  • Although tier-1 relationships with the two major Taiwanese semiconductor manufacturers, TSMC and United Microelectronics Corp. (UMC), are relatively small in number (led by the U.S. with around 220), as tier-2 and tier-3 suppliers these two companies are present in hundreds of thousands of supply chains in G7 countries.

 

The Likelihood and Impact of China Invading Taiwan

Two key questions that arise from discussions around the China-Taiwan situation are:

  1. How likely is it that China will seek to take Taiwan by force, and when might this happen?
  2. What impact would Chinese action against Taiwan have on the global economy and supply chains?

Opinions among commentators and analysts on the first question vary widely. Some see an invasion occurring as soon as later in 2023, to sometime in the 2030s, to never. China’s official policy is one of peaceful reunification. However, U.S. intelligence reports suggest that President Xi has ordered the People’s Liberation Army to develop capabilities to seize the island by military force by 2027.

A geopolitical risk assessment of conflict between China and Taiwan by Interos concluded that the likelihood of an invasion in the next 2-5 years was “roughly even odds (45-55%).” The assessment also noted that “the majority consensus [among government policy makers and think-tank experts] appears to be that there will be an armed conflict over the island.”

On the second question, Interos’ analysis identified that a partial blockade or full invasion could disrupt ocean and air cargo shipments from Taiwan. Our analysis also raised the possibility that Taiwan could be completely cut off from international trade.

Potential Supply Chain Scenarios for Semiconductor Disruption

A tabletop exercise conducted last year among U.S. government and business leaders by the RAND Corporation centered specifically on the likely impact to advanced semiconductor supply chains. Participants were asked to consider two potential scenarios in which China imposed a “coercive quarantine on Taiwan”:

  1. Uncontested, China acquires a significant portion of global semiconductor capacity. This leaves the U.S. and other countries with a choice of continuing to buy from Taiwanese suppliers or imposing sanctions on China.
  2. China faces resistance in its attempts to take control of Taiwan’s fabs. This leads to a rapid loss of access to the country’s semiconductors, and triggers U.S. and other government action to ration limited supplies.

Unpalatable outcomes from these two scenarios included a fundamental change in the balance of global power in China’s favor, and an extended economic depression for most of the world. Unsurprisingly, given the impact on multiple industries (see graphic), business participants were keen on ensuring continuity of supply even if this meant relying on semiconductor firms such as TSMC under Chinese control.

How Loss of TSMC Would Impact Different Industries.

Military action against China, whether by Taiwan or the U.S. and its allies, was not considered in this simulation. But a recent assessment by The Economist laid bare the imbalance in military capabilities between China and Taiwan. The analysis also articulated the dire consequences of military conflict over the island state. This included “incalculable damage to the world economy” as a result of disruption to semiconductor supply chains.

The threat of war looms large over the Indo-Pacific region. Hence efforts in recent weeks by Japan and other G7 countries, including the U.S., to take some of the heat out of relations with China. In their communiqué, the G7 leaders emphasized that actions designed to boost economic and supply chain resilience were about “de-risking, not de-coupling” from China.

Some Major Players Begin Diversifying Chip Capacity Away From Taiwan

In practice, de-risking means diversification. Since their 2022 meeting in Germany, the response of G7 countries to semiconductor concentration risk has been to tempt advanced chip-making capacity away from Taiwan through vast public subsidies. The U.S. has led the way with its CHIPS and Science Act, but Japan, the European Union, and the U.K. have all followed suit, albeit with fewer billions of dollars to throw at the problem.

Over the next five years these industrial policies should result in new fabs, supply chains, and skilled workforces being developed in multiple geographies. However, Taiwan is set on keeping much of its domestic semiconductor “shield” intact, both in terms of manufacturing and R&D. Aside from contributing 15% of Taiwan’s GDP, the industry serves as vital leverage for Taiwan in its efforts to maintain independence from China.

Confidence in this strategy in waning in some quarters.  \Warren Buffett’s Berkshire Hathaway recently announced that it had sold the remainder of its $4.1 billion stake in TSMC. This is in spite of the fact that the shares were purchased as recently as November last year — and that TSMC is regarded as one of the world’s best-managed companies.

“I don’t like its location,” Buffett told analysts. “I feel better about the capital that we’ve got deployed in Japan than in Taiwan.”

Action CPOs Should Take to Prepare for Potential Disruption

To reduce the exposure of their organizations to semiconductor concentration risk, chief procurement officers should do the following:

  • Assess your dependence on Taiwan by understanding the relationships you have with Taiwanese suppliers. Include both the direct, tier-1 relationships and those at tiers 2, 3 and beyond. Chip makers such as TSMC and UMC are often present at this sub-tier level.
  • Evaluate the extent to which key semiconductors, electronic components, and other items you depend on from Taiwan-linked supply chains are single- or sole-sourced. Identify where you have viable alternative options already in place.
  • Develop a strategy aimed at diversifying your supply base to other geographies. Consider sourcing from new suppliers and/or by working with existing partners to utilize alternate and emerging capacity.
  • Conduct scenario plans and risk simulations – like the one run by British telecommunications group BT last year. These can gauge the impact that disruption to Taiwanese semiconductor supply chains might have on your business.
  • Continuously monitor your Taiwan-dependent supply chains for geopolitical, operational, financial, and cyber risk events.

Until new semiconductor capacity comes online in the U.S., Japan, Germany, South Korea, and elsewhere, companies will continue to over-rely on Taiwan-based suppliers. However, it is important to be prepared for, and to support the creation of, a more diversified global supply chain for microchips – as it is with other critical products and raw materials that are heavily concentrated in particular geographic locations.

More ‘Critical’ Firms Face Tougher Cyber Laws

By Geraint John

Companies in critical industries on both sides of the Atlantic face more stringent cybersecurity regulations as governments seek to boost national security and operational resilience.

New laws passed in the U.S. and Europe call for rapid reporting of significant cyber attacks and ransom payments, improved cyber risk management practices, a greater focus on supply chain partners such as IT and cloud services providers, and stronger collaboration between the public and private sectors.

Crucially, the legislation also extends the range of firms covered from those operating core infrastructure. That includes everything from water and transport to services such as banking, telecommunications, and healthcare, along with manufacturers of food, chemicals, pharmaceuticals, medical devices, and other “essential” products.

White House and SEC Work to Improve U.S. Critical Infrastructure Cybersecurity

In the U.S., the Biden Administration published its National Cybersecurity Strategy at the beginning of March. The first of its five pillars is titled “Defend Critical Infrastructure.” The strategy is aimed at both federal agencies and private-sector companies.

The strategy document argues that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”

As well as targeting critical infrastructure providers, it also pledges to “drive better cybersecurity practices in the cloud computing industry and for other essential third-party services” that these organizations depend on.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires companies to report certain types of cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours.

CISA is currently working on implementing the reporting requirements, which must take effect by September 2025 at the latest.

Separately, the Securities and Exchange Commission (SEC) is expected to finalize its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules in April. These will require public companies to report “material” incidents within four business days. They must also provide updates on previous cyber attacks.

European Union Upgrades its Main Cybersecurity Directive

In Europe, the new Network and Information Security (NIS2) directive came into force on January 16th. It replaces the first-iteration NIS law, which has been operating since 2018. NIS2 is designed to strengthen security requirements, reporting obligations, and supply chain cybersecurity.

NIS2 also provides for stricter enforcement, with administrative fines of up to €10 million or 2% of global revenue for non-compliance.

Like the U.S. legislation, NIS2 expands its scope to a broader range of “critical sectors and services,” including information and communications technology (ICT) providers.

The new directive joins a raft of other new European Union laws, including the Digital Operational Resilience Act (DORA) for financial services and the Critical Entities Resilience (CER) Directive, which addresses physical security and terrorism, as well as cybersecurity.

E.U. member states have until October 17th 2024 to transpose NIS2’s measures into national law.

A European Parliament briefing document on NIS2 argues that companies need to invest more in cybersecurity. It cites study data suggesting that E.U. organizations spend on average 41% less on cybersecurity than their U.S. counterparts.

Interos Analysis: Cyber Risk Status in Energy and Healthcare Firms

To assess the impact of this spending gap, and to identify where cybersecurity practices are most in need of improvement, Interos conducted an analysis of cyber risk scores for the top 10 U.S. and European (E.U. plus U.K.) electric utilities, energy, and healthcare (pharmaceutical manufacturing) companies using our newly enhanced cyber risk model.

This analysis found that:

  • Overall company cyber risk scores – calculated from 20 subfactors and 91 attributes at both a firm and country level – vary widely. They go from a low of 59/100 — in the case of a European oil company — to a high of 82/100 for a European renewable electricity generator. The median score of 66 equates to only a “medium” level of cybersecurity protection.
  • At the firm level, U.S. and European companies are on a par, with both having a median score of 62/100. U.S. electric utility and energy companies score four points higher on average than their European counterparts, while in healthcare (pharma) the reverse is true. Again, all scores indicate medium levels of risk, which suggests plenty of room for improvement in cybersecurity practices.
  • The weakest areas of firm-level cybersecurity are in software-as-a-service bill of materials (SaaSBOM) vulnerabilities (average score 35/100), advanced persistent threat (APT) group activities (43/100), and compliance with public cybersecurity standards and frameworks (47/100) – a key element in the new legislation. There is also a big variation of scores between companies in web application security, web encryption, network filtering, e-mail security, and software patching.
  • At the country level, European firms score two points higher on average than those in the U.S. (82/100 against 80/100, indicating low cyber risk). The U.S. is rated significantly higher for its digital infrastructure (92 vs 65), and somewhat higher for cyber governance, resilience, and international collaboration. European countries score 20 points better on average on the risk of data access and manipulation in their business environment and as a geographic target for cyber attacks.

Transparency and Collaboration Vital to Manage Critical Infrastructure Cybersecurity

Cyber risk scores for critical infrastructure firms and their key suppliers, together with the new American and European legislation, are set to bring a new level of openness to cybersecurity.

Last week, during a webinar hosted by Interos, data partners BitSight and Equifax welcomed this development.

Commenting on the new SEC rules, Derek Vadala, chief risk officer of BitSight and a former chief information security officer at Moody’s, said the rules would bring much-needed transparency and culture change to the industry.

While it will take time for companies to understand what the new rules require, those companies that are more open about how they manage cyber risks today – for example, by publishing annual reports – are in a better position than those that do the bare minimum, Vadala argued.

The credit reference agency Equifax is also following this approach. It has published a cyber strategy and roadmap report for the past three years. According to Zach Tisher, its vice president of security risk, strategy and communications, “Security should not be a trade secret.”

As well as more open disclosure, Tisher argued that:

  • Employers need to bake cybersecurity into employees’ compensation plans to incentivize and reward good behavior.
  • Training must move away from the one-hour annual compliance session and be tailored better to staff needs.
  • Point-in-time questionnaires sent to suppliers and third parties aren’t sufficient; instead, real-time monitoring of cybersecurity controls is necessary.
  • Better collaboration with partners and vendors is vital to manage growing supply chain threats and requirements.

Third-party risk management has been the biggest trend in cybersecurity during the past couple of years, Tisher noted. “Supply chain is a top threat vector and it’s increasing all the time.”

This means that companies need to focus their cyber risk management efforts as far upstream as their sixth parties (tier-4 suppliers), he added.

Western Firms at Risk of Indirectly Supplying the Russian War Machine

By Geraint John

North American and European companies have been urged to ensure that they are not inadvertently supporting Russia’s war effort in Ukraine by facilitating trade through third-party intermediaries.

A year on from its invasion, the U.S. government and the European Union (E.U.) are concerned that Russia is evading stringent sanctions and export controls by importing vital products through neighboring and “friendly” countries.

Earlier this month, the U.S. Departments of Commerce, Treasury, and Justice issued a joint compliance note asking multinational firms to “exercise heightened caution” and be “vigilant in their compliance efforts” to avoid items such as advanced semiconductors and other electronic components ending up in Russian hands.

The E.U., meanwhile, says it is investigating a surge in exports from European companies to customers in countries such as Armenia, Kazakhstan, and Kyrgyzstan, which have increased their trade with Russia since sanctions were introduced in March 2022. It is also reportedly planning to ask these countries to enhance their trade monitoring.

A new Interos white paper notes that the number of restrictions on Russian entities – around 2,500 currently active with more than 1,100 imposed in 2022 alone – are “unprecedented in their scale, scope, and breadth.”

Russia Import Restrictions Are Being Circumvented by “Friendly” Countries

Analysis of official trade data by three economists at the European Bank for Reconstruction and Development (EBRD) found “evidence suggestive of intermediated trade via neighboring economies being used to circumvent the sanctions.”

While E.U. and U.K. exports to Russia “dropped sharply” after the imposition of sanctions, exports to Armenia, Kazakhstan, and Kyrgyzstan (the CCA3) – part of the Eurasian Customs Union alongside Russia and Belarus – increased by between 15% and 90%.

Shipments to CCA3 countries covering almost 2,000 sanctioned products, including armaments, chemicals, dual-use technologies, and sensitive machinery, rose by an additional 30% relative to other goods, according to the EBRD. U.S. exports to Russia and the CCA3 followed a similar pattern last year, albeit at lower volumes.

At the same time, Armenia, Kyrgyzstan and Georgia all recorded “significant increases” in exports to Russia (see chart). This, says the EBRD paper, suggests that new supply chains have been set up to channel sanctioned products to Russia from these countries, “not necessarily with the knowledge of the Western exporter.”

But direct sales to Russia also remain a concern. This week, PBS News accused a major American machine-tool manufacturer of flouting export controls by supplying a Russian distributor with vital spare parts, which could be used for military purposes, for months after those controls were imposed last year.

Exports to Russia From Armenia, Kyrgyzstan, and Georgia – January 2020-August 2022

Separate analysis by the Silverado Policy Accelerator, a U.S. non-profit organization, published in January argued that former Soviet states “have become key transshipment points for goods that are ultimately sent to Russia.”

It also noted that Russia had significantly increased its imports from non-sanctioning countries such as China and Turkey. These included semiconductors (see chart), machinery, and heavy trucks, as well as consumer goods such as smartphones and domestic appliances.

Exports of Integrated Circuits to Russia From China and Hong Kong – January-November 2022

In recent months, U.S. officials have called on China, Turkey, South Africa, and the United Arab Emirates ( UAE), among other countries, not to help Russia evade its sanctions.

Together with their E.U. and U.K. counterparts they are also reported to have visited the UAE to express concern that it is becoming a key shipment hub for electronic components and other sensitive products being re-exported to Russia.

The E.U. recently imposed sanctions on a Dubai-based subsidiary of the Russian state-owned shipping company Sovcomflot, a key player in supporting the country’s energy revenues, as part of a new package of measures.

Russian Interests and Indirect Business Relationships

Russian ownership of foreign entities is one potential type of supply conduit of sanctioned goods into the country.

Interos’ global relationship platform highlights 166 entities based in the UAE that are wholly or partially owned by Russian interests.

Similar numbers are located in both Armenia and Hong Kong, according to the data, although these are dwarfed by the thousands of entities registered in European countries such as the Czech Republic, U.K., Germany, Latvia, Bulgaria, and Italy.

Another source of supply is links between Western firms and intermediaries in countries accused of supplying Russia’s war effort. Our analysis here reveals:

  • Almost 700 relationships between Russian end customers and 170-plus distinct suppliers in China, Turkey, India, Uzbekistan, and other Central Asian countries.
  • More than 8,100 relationships between these suppliers and over 1,750 distinct Western firms in the U.S., Canada, E.U., and U.K.

What this shows is that the global network to support deliberate or inadvertent illicit trade with Russia – so-called “supply chain washing” – is extensive and the risks of breaching sanctions and export controls are high.

“Red Flags” to Watch Out For

In their “tri-seal compliance note” published on 2 March, the U.S. Department of Commerce (DOC), Department of the Treasury and Department of Justice (DOJ) urged companies to be on the lookout for “warning signs of potential sanctions or export violations.”

It listed 13 common “red flags” to watch for, including:

  • The use of shell companies to obscure ownership, origin, and funding sources
  • A reluctance by customers to share information on product end-use
  • Last-minute changes to shipping instructions
  • The use of residential addresses and personal e-mail accounts
  • Transactions with entities that have little or no web presence
  • Routing of products through transshipment points in China, Turkey, Armenia, and other countries that have boosted trade with Russia.

The note emphasizes that the DOJ “has pursued criminal charges against those who it alleges are using front companies and intermediate transshipment points to evade Russia-related U.S. sanctions and export controls”.

Separately, the DOC’s Bureau of Industry and Security has published a compendium of its investigations into sanctions busting in several countries, including Russia, to illustrate the legal and financial penalties that can result from non-compliance.

A group of E.U. countries, including France and Germany, has also recently been pushing for tougher action against companies found to be circumventing sanctions and aiding Russia’s war effort.

A Call to Action to Uphold Russia Import Restrictions

In the light of these warnings and developments, procurement, supply chain, and business leaders at Western companies should:

  • Screen both existing and new customers using the latest U.S., E.U. and other restrictions lists – information that is updated regularly on Interos’ Resilience platform.
  • Understand the direct and indirect relationships their organizations have with firms in high-risk intermediary countries for sensitive and sanctioned products.
  • Ensure that their due diligence and risk management programs empower staff to report any concerns and potential breaches of sanctions rules in a timely manner.

Although Russia has clearly been able to obtain many products from alternative sources in the year since Western sanctions were massively stepped up, there is little doubt it is paying a high price (literally) for Vladimir Putin’s actions.

Stories about microchips being removed from washing machines and other consumer products to supply its military machine suggest that its ability to weather the ever-growing list of restrictions has been limited so far.

However, as the war drags on further into its second year, alternate supply chains may begin to pick up more of the slack – hence the current focus and call to action by U.S. and European governments directed at companies around the world.

Escalating Restrictions & Sanctions Threaten to Fragment Global Trade and Supply Chains

By Geraint John

Restrictions on global free trade and supply chain relationships are flying around like Chinese “spy” balloons over North America were just a few weeks ago.

Last month, China slapped sanctions on U.S. defense giants Lockheed Martin and Raytheon, ostensibly because of their arms sales to Taiwan. But the move was widely interpreted as retaliation for the U.S. government’s decision a few days earlier to blacklist six Chinese companies it accuses of being involved in China’s surveillance-balloon program.

So far this month, the American military has shot down one high-altitude Chinese balloon and three unidentified objects over U.S. and Canadian airspace. China denies U.S. government claims that the balloon was spying on sensitive installations. Their government claims it was used purely for weather monitoring.

Regardless of whose version is true, these tit-for-tit sanctions are part of an escalating technology war between the U.S. and its allies and China that threatens to blow apart the international trading system as we know it.

Global Trade Restrictions Have Increased Sharply

As with geopolitical tensions, trade restrictions on goods, services and foreign investment have increased sharply in recent years. From 2018, when the Trump administration imposed tariffs of up to 25% on many Chinese imports, to December 2022, the number of worldwide restrictions more than doubled to around 2,500, according to data from the International Monetary Fund and Global Trade Alert.

A new Interos white paper reveals that Russia displaced China as the most targeted country for restrictions last year, following its invasion of Ukraine. More than 1,100 restrictions were imposed on Russian entities in 2022 – almost six times more than China.

Russia is also well ahead of Iran and China in terms of the total number of restrictions imposed by other nations since 1981 (see chart).

Chart Showing the top recipients of Global sanctions and restrictions. Russia leads significantly, with Iran and China in a close heat for second place. Syria is fourth and North Korea is fifth.

On the opposite side, the U.S. dwarfs other countries in the number of restrictions it issues (around 8,000 during the past 40 years). And it has dozens of restricted entity lists across different government departments and industry sectors.

Prominent examples include:

  • The Department of Commerce’s Entity List, which sets out export licensing requirements for hundreds of foreign-owned businesses.
  • Sections 889 and 5949 of the National Defense Authorization Act banning the use of certain Chinese products and services for military purposes.
  • The Department of Homeland Security’s UFLPA Entity List for the Uyghur Forced Labor Prevention Act, which bars imports of tainted products from the Xinjiang region of China.

Keeping up to date with the ever-expanding list of prohibited firms and ensuring your organization doesn’t fall foul of new trade rules has become a more complex task. Which is why restrictions risk is one of the six risk factors captured and updated continually in Interos’ Resilience platform.

Implications for Global Supply Chains in Light of Trade Sanctions Against China

Standing back from the detail of these multiple lists and regulations, it’s important to consider the broader implications of the spiraling number of restrictions on international supply chains.

During the past couple of years, the U.S. has implemented progressively tighter and more far-reaching rules around the sourcing of Chinese components and sales of American semiconductors and chip-making equipment to Huawei and other Chinese tech firms.

This is having a dramatic impact on the ability of these companies to scale up production and manufacture products.

Last month, China’s semiconductor industry body issued a strongly worded statement condemning action by the U.S., Japan, and the Netherlands to deny its members vital equipment.

Such measures would “destroy the global semiconductor ecosystem”, it claimed.

Trade Restrictions on China Signal Broader Supply Chain Trend

While complaining loudly and portraying itself as the defender of free trade and globalization – as it did at the World Economic Forum’s meeting of political and business leaders in Davos in January — China is also flexing its trade-restriction muscles.

It has, for example, threatened to stop the export of solar panel manufacturing equipment to the U.S. China dominates the supply chain for this crucial clean-energy technology and could — in a mirror image of its own semiconductor woes — impede American efforts to beef up its domestic solar industry.

Although trade between China and the U.S. grew strongly last year, economists and other critics argue that protectionism, “decoupling,” and politically led moves towards “friend-shoring” (or “ally-shoring”) could have negative consequences for the global economy and supply chains in the years ahead.

These include higher prices, lower efficiency, less innovation, wasted public money through ineffective subsidies and industrial policies, and diminished levels of resilience.

As FT columnist Martin Wolf cautioned in a piece on the “new interventionism” last month: “Fragmentation is very easy to start. But it will be hard to control and even harder to reverse.”


Get more information on trade restrictions, sanctions, regulatory changes and their impact on the global supply chain by reading our latest white paper – the Red Tape Revolution.