Supply Beacon Vol. 3 – Cyber Disclosure Requirements are Up, a Dyson Supplier is Down, and Rare-Earth Minerals are Uncertain

December 20, 2021
The Top 5 Supply Chain News Stories You Need to Know
The Supply Beacon is your monthly resilience digest, the 5-minute supply chain and security news drop you can’t afford to miss, delivered with insights from the experts at Interos. Know what you need to – fast.

OCC Issues New Disclosure Requirements for Cyber Breaches

Starting May 1, 2022, financial institutions will have to report major cyber security incidents to federal officials within 36 hours. The final rule establishes two primary requirements:

  1. Banks must now notify Federal Regulators of any cyber incidents no later than 36 hours after the they determine that a cyber incident has occurred.
  2. The final rule requires Banks to notify customers as soon as possible when a bank service provider experiences a cyber incident that has materially disrupted or degraded (or is reasonably likely to materially disrupt or degrade) covered services for four or more hours.

Interos Insight: This ruling, called the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” comes on the back of the TSA updating requirements for pipeline, rail, and air transport companies. Although the NDAA for FY 2022 failed to include mandatory reporting requirements for all critical infrastructure companies, bipartisan support for cyber security incident reporting will likely result in future legislation, as a stand-alone bill or possibly, as part of another legislative package. It’s clear that the government is looking to supply chain risk professionals in all industries to rigorously evaluate the cyber risk in their supply chain – and that the issue is only going to be taken more seriously over time.

CISA SBOM-A-RAMA

The Cybersecurity and Infrastructure Security Agency created a new Software Bill of Materials (SBOM) web page and hosted a two-day “SBOM-a-rama” focused on related education, technical issues and pulling together “the broader security and software community.” The SBOM concept “has emerged as a key building block in software security and software supply chain risk management.” Allan Friedman, who led the transparency initiative at the Commerce Department, is now at CISA to fully realize the SBOM’s potential. He said, “to operationalize SBOM means to make sure that we can integrate this into daily operation, into existing tools, and the final status of hooking it into the existing vulnerability and cyber security ecosystem.” Having already led the NTIA in its July issuance of “minimum elements of a software bill of materials,” (a step toward creating a potential federal benchmark and market standard) we can look to Mr. Friedman and the Agency as a source of information, guidance and an opportunity to partner.

Interos Insight: While a bill of materials has always been a regular part of supply chain management, this was not always the case for software. In fact, the idea really only got mainstream attention in May 2021, when the Biden administration issued an executive order citing SBOMs as a necessary measure to improve U.S. cyber security. The order requires the government’s critical software vendors to supply SBOMs for their products and employ automated tools to maintain trusted source code supply chains. The EO applies only to vendors that do business with the U.S. government; however, considering the increase in supply chain attacks, providing a compliant SBOM is likely to become a requirement for most businesses, particularly in regulated industries where a software supply chain failure could result in major consequences.

If you don’t already create SBOMs for your software, there’s never been a better time to start. Not only does knowing what entities are in your software supply chain help secure against vulnerabilities, but it also uncovers hidden licensing risks used in third party software or code. Interos can help partners establish automated mapping, enabling customers to invest in the right, trusted technology and catalogue the use of open source and third-party software to deliver a complete and accurate SBOM.

 

Dyson Dumps Malaysian Supplier ATA Over Labour Concerns

High-tech home appliance maker Dyson told Reuters it had cut ties with supplier ATA IMS following an audit of the Malaysian company’s labor practices and allegations by a whistleblower, sending ATA shares plunging.

ATA, which is already being investigated by the United States over forced labor allegations, confirmed Dyson has terminated its contracts and that it has been in talks with the customer over the audit findings. It had previously denied allegations of labor abuse.

Interos Insight: ESG risks as well as violations of other country-specific restricted lists are not always easy to determine. Companies sometimes look to obfuscate their practices and procuring from such organizations can leave you at risk to penalties, loss of business, and reputational damage. Interos’ database and ML algorithms helps to inform clients before they engage with an industry leading relationship map that continues to update relationships in your supply chain so you can focus on your business’ success.

New Plans to Boost Cyber Security of UK’s Digital Supply Chains

Several reports were released as part of the UK Government’s effort to protect the UK’s digital infrastructure and improve the cyber resilience of organization’s supply chains across the economy and society. These plans include new procurement rules to ensure the public sector buys services from firms with good cyber security. The plans also call for improved advice and guidance campaigns to help businesses manage security risks.

The move follows a consultation by the Department for Digital, Culture, Media, and Sport (DCMS) to enhance the security of digital supply chains and third-party IT services, which are used by firms for things such as data processing and running software.

The reports show that the majority of CEOs and directors of Britain’s top companies (91%, up from 84% in 2020) see cyber threats as a high or very high risk to their business, but nearly a third of leading firms are not acting on supply chain cyber security, with only 69% saying their organization actively manages supply chain cyber risks.

Interos Insight: The British Government is ahead of many NATO peers in enforcing cyber security measures. While there are already procedures to encourage firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect sensitive data, stricter legislation is almost assuredly soon to arrive. The poll also showed that 82% of respondents agreed legislation could be an effective solution. Although regulatory requirements differ across countries and industries, the trend toward greater disclosure and transparency is clear, and is generally bipartisan. Supply chain risk practitioners and industry leaders can use Interos’ AI driven software to assist in getting ahead of the curve and ensuring they are constantly in compliance and continually monitoring their supply chain with updated analytics.

 

China Set to Create New State-Owned Rare-Earths Giant

China has merged several rare-earth assets to create a mammoth state-owned rare-earths company to maintain its dominance in the global supply chain of the strategic metals as tensions deepen with the U.S. The new firm will be called China Rare-earth Group and will be based in resource-rich Jiangxi province in southern China. The combined group is designed to further strengthen Beijing’s pricing power and avoid infighting among Chinese firms, and to use that clout to undercut Western efforts to dominate critical technologies.

Interos Insight: China has long dominated the rare-earth industry. It is estimated that the country will soon account for approximately 70% of total global production of medium and heavy rare-earths and 40% of the total global rare-earth market. The nation also has an overwhelming monopoly on processing these minerals. Medium and heavy rare-earths such as dysprosium and terbium, are considered essential for the production of high-performance magnets, which are used in motors and other components of electric vehicles. The US has taken some steps to encourage more rare-earth production in Australia (the US Defense Department signed a technology investment agreement with Australia’s Lynas Rare Earths company which the Pentagon called “the largest rare-earth element mining and processing company outside of China”).

President Biden has also issued an executive order naming rare-earth minerals as one of four key areas in need of more robust policy options to reduce supply chain risks. Companies with any component in their supply chain that requires rare-earth materials will want to monitor developments here closely since the Chinese government’s restructuring gives them a clear and solid control over much of the supply chain – from production to exports. Additionally, since the previously “private” Chinese mining companies are now “civil-military” fusion contributors to the Chinese defense industrial base, it would not be impossible to imagine them and other companies in China’s critical mineral ecosystem winding up on Section 1260H of the NDAA2021.

That’s this month’s Supply Beacon. Looking to learn more about supply chain risk and operational resilience? Check out interos.ai. Got a suggestion for next month’s newsletter? Send us the scoop at [email protected] or tweet us at @InterosInc!

View next

Ensure Operational Resilience

Request Contact

Build operational resiliency into your extended supply chain:

  • 889 compliance – ensure market access
  • Data sharing with 3rd parties and beyond – protect reputation
  • Concentration risk – ensure business continuity
  • Cyber breaches – assess potential exposure
  • Unethical labor – avoid reputational harm
  • On-boarding and monitoring suppliers – save time and money