Looking Back on 2021: Cyber, ESG, and the Road to 2022
December 20th, 2021
2021 has been a truly eventful year, with disruptions and headlines that are reshaping the way we look at risk and the resilience of our companies. Cyberattacks, regulatory updates, complex supplier relations, new threats, and more have shown that there is no going back, and, in many cases, this year has been a reset in how we manage crises, lead teams, and react to disruptions.
While there is a wide range of events that have made news headlines this year, Aravo has chosen several themes and incidents that helped shape how we view third-party risk, cybersecurity, and new programs in 2021.
The Shadow of SolarWinds is Long-Reaching
In one of the largest cybersecurity breaches in recent memory, the major US information technology firm SolarWinds was compromised by foreign hackers throughout 2020, and the impact has still been felt this year. It was not long before another major cybersecurity incident occurred: in May of 2021, Colonial Pipeline informed the public that it had experienced a major ransomware attack and had halted all systems. As a key supplier of 45% of the East Coast’s gasoline, this halt in operations led to panic, gas price increases, and an acknowledgment of the vulnerability of aging infrastructure, an issue that will need to be addressed in years to come.
And the hits kept coming. This month’s announcement of the ransomware attack on Kronos highlighted the fact that incidents like this will become the new normal. The attack, which has caused massive outages for its HR platforms, shows that enhanced cybersecurity and resilience are needed as we move into 2022.
The vulnerabilities that digital supply chains can present have not gone under the radar. In reaction to these large-scale cyberattacks, the Biden administration released an Executive Order requiring technology vendors who work with the federal government to provide software bills of materials (SBOMs), which document all of the components and materials included in a software product’s codebase. The goal is to elevate cybersecurity initiatives and protect the critical infrastructure that companies of all sizes rely on.
Regulators are also paying more attention to the cyber activities and security of third parties, and companies can be held responsible for cybersecurity incidents that occur due to vendors. In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) has published “Key Practices in Cyber Supply Chain Risk Management,” which provides recommendations to help organizations ensure resilience by building robust cyber supply chain risk management (C-SCRM).
What This Means for 2022
Heightened threats and attacks such as those at SolarWinds and Kronos have shown us that we can’t just monitor the activities of our third parties; we must monitor their third parties as well. Viewing third-party vendors as a digital supply chain can help companies decide whether the vendors they are looking to contract with are secure, and can also help technology companies improve their own cyber resiliency.
Log4j Shows Things Are Not Slowing Down
While things may be winding down before the holidays, cyber headlines certainly have not. Just a few days ago, a new vulnerability (known as Log4Shell) was found in Apache Log4j, one of the most widely used open-source Java logging libraries. The vulnerability enables remote code execution (RCE), allowing an attacker to run code remotely over the internet, a WAN, or a LAN. This means that devices and systems using Apache Log4j (including many third-party apps) are affected.
While cybersecurity experts reacted swiftly to the discovery of these vulnerabilities, one of the patches was incomplete, still allowing potential attackers to craft “malicious input data.” As multiple groups are already exploiting these vulnerabilities, John Bambenek, principal threat hunter at Netenrich, has advised users to disable JNDI functionality.
While one of the first indicators came from Minecraft, it was soon realized that the vulnerability could impact billions of devices, and CISA Director Jen Easterly stated that it “poses a severe risk.” Furthermore, it is becoming clear that many companies may not even know that they use the Java library, and therefore could be unprepared to react to any potential malicious activity.
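As an added example (not Aravo’s code), the Python inventory check below walks a directory tree, reports the version of every log4j-core jar it finds, and flags whether the JndiLookup class (the component behind the JNDI lookups that the advice above says to disable) is still present, which is how a team that does not yet know where it uses the library can find out; the jars it scans are constructed in a temp directory with placeholder class bytes so the script runs offline.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
MANIFEST = "META-INF/MANIFEST.MF"


def inspect_jar(path):
    """Return a finding for one archive, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if not any(n.startswith(CORE_PREFIX) for n in names):
                return None  # log4j-api or an unrelated jar: it has no JNDI lookup plugin
            manifest = jar.read(MANIFEST) if MANIFEST in names else b""
            m = re.search(rb"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1).decode("ascii", "replace") if m else "unknown"
            return {"path": path, "version": version, "jndi_lookup_present": JNDI_CLASS in names}
    except zipfile.BadZipFile:
        return None  # not a real archive; skip it rather than abort the inventory


def scan(root):
    """Walk a directory tree and inspect every jar/war/ear found in it."""
    paths = (os.path.join(d, n) for d, _, files in os.walk(root) for n in files
             if n.lower().endswith((".jar", ".war", ".ear")))
    return [f for f in map(inspect_jar, paths) if f]


def make_sample_jar(root, subdir, version, with_jndi):
    """Constructed sample, not a real Log4j build: same layout, placeholder class bytes."""
    os.makedirs(os.path.join(root, subdir), exist_ok=True)
    path = os.path.join(root, subdir, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Scan a temp tree holding one unpatched jar and one with JndiLookup removed."""
    tmp = tempfile.mkdtemp()
    make_sample_jar(tmp, "unpatched", "2.14.1", with_jndi=True)
    make_sample_jar(tmp, "mitigated", "2.14.1", with_jndi=False)
    return sorted(scan(tmp), key=lambda f: f["path"])
```

Point `scan()` at an application or server root to get the same findings for real deployments; any jar reported with `jndi_lookup_present` set to True needs upgrading or mitigating.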
What This Means for 2022
Incidents like the Log4j vulnerability underscore the risks that open-source software (OSS) can present to the companies that use it. With millions of products and servers using Log4j, the need to better manage these programs and their risks has shot up corporate agendas. Just as companies need to look at their third-party vendors and entire value chains, so too should they evaluate the risks associated with their OSS, in order to keep up with the level of usage and the vulnerabilities that arise.
As the Pandemic Continues, So Too Do Component Shortages
When the COVID-19 pandemic first started, it was clear that global supply chains would face massive disruptions. Wuhan, China, the center of the pandemic, is home to many mechanical and electronic component suppliers; lockdowns there created significant delays and shortages, and market capacity shrank quickly. As we entered 2021 these disruptions spread, and OEMs could not manufacture the needed products.
The pandemic halted many critical factory operations, causing massive downstream implications. During the height of lockdowns, the lead time for semiconductor chips doubled to 36 weeks, severely disrupting suppliers’ ability to meet demand. On the home front, lumber shortages have caused a decrease in the building of new homes in 2021, another example of how far-reaching these issues are.
The Impact on Businesses
According to Aravo’s research, 75% of businesses reported experiencing a supply chain disruption related to the pandemic. With the average cost of a single supply chain disruption to many organizations being $100 million, these issues can be devastating. Despite the severe consequences, 51% of organizations are not assessing the business continuity risk of their vendors. This lack of foresight and understanding plays a huge role in disruptions to manufacturing and supply chains. This is further exacerbated by the fact that 62% of organizations are not assessing the financial viability of their third parties and 52% are not assessing the operational risks of their third parties.
What This Means for 2022
While global supply chain disruptions (as seen with the pandemic) cannot be entirely avoided, there are steps companies can take to build as much resilience as possible. Gaining a thorough understanding of your supply chains, including third, fourth, and nth parties, is critical to staying on top of potential risks, making timely, data-driven decisions, and taking mitigation actions. Of equal importance is avoiding concentration risk within your vendor landscape and performing enhanced screening and due diligence on vendors.
In addition, shifting away from Just in Time (JIT) to Just in Case (JIC) strategies will help to avoid some of the disruptive events seen this year. Under this system, parts, supplies, and components are consistently maintained in inventory, reducing backorder and supplier reliability issues. JIC strategies build organizational resilience through contingency plans and a better understanding of how the supplier landscape affects overall operations.
ESG is Skyrocketing on Agendas
Environmental, Social, and Governance (ESG) initiatives have gained huge traction in 2021, and businesses of all sizes are having to rethink agendas and implement programs to meet these needs. ESG has moved up regulators’ and boards’ priority lists over the last several years, and there is currently a range of global legislation already in effect that acknowledges the importance of ESG and places accountability on the actions of companies and their third parties.
In addition to compliance concerns regarding ESG, companies also have ethical considerations when it comes to what happens along their value chains and within their companies. In Risk & Resilience’s inaugural issue, Social Entrepreneur and CEO of Freedom Seal Global, Rani Hong, said:
“Companies need to start taking concrete steps today; it’s about progress, not perfection. Let’s tell the world we’re committed to this issue and to building a better world for our children.”
The 2021 Impacts:
In a speech presented on June 28, 2021, the U.S. Securities and Exchange Commission’s (SEC) Commissioner, Allison Herren Lee, emphasized the importance of board and executive buy-in for Environmental, Social, Governance (ESG) initiatives and stressed that regulators also expect boards to implement ESG and have oversight obligations related to ESG hazards including identification, assessment, mitigation, and disclosure of these risks. These expectations come from both federal and state levels.
Commissioner Lee explains, “Under the federal securities laws, the board plays a critical and mandatory role in the existing corporate disclosure process. This increasingly requires directors to think about and consider the impact of climate change and other ESG matters on the financial statements and other corporate disclosures.”
What This Means for 2022:
If ESG is not top of mind for companies’ TPRM and supply chain programs, it should be. As regulators and governments continue to focus on the sustainability and human rights impacts that companies pose, more compliance concerns will arise as well. There are multiple examples on the horizon for 2022 and beyond already, including Europe’s ESG for Due Diligence for Supply Chains and Germany’s Due Diligence Act.
Unlike some laws in effect that seek to shine a light on modern slavery and human trafficking in supply chains, many new acts are not just a reporting and transparency requirement. These newer acts are trending toward action: organizations need to take a risk-based approach to due diligence and address the issues found, or face penalties. If your company falls within the scope of upcoming ESG guidance, you may need to closely examine the impacts of your operations, your third parties’ operations, and each step in your supply chain.
Looking Forward into 2022
These 2021 events, and other headlines we have not included, show that the way we look at risk and the ways we need to boost resilience are evolving. As stressful as it can be to look back at major disruptive events, they also present key opportunities to improve how we manage risk, giving us the impetus to question the status quo, take proactive measures, and implement new programs and ways of thinking. Taking a holistic approach to managing risk will be key to getting your arms around the complex risk landscape we’ve seen this year, which will only continue to evolve in 2022.