What Risk Do Your Third-Party Vendors Pose From Chinese Cyberspies?

chinese_cyberwarfare

Earlier this morning I read an interesting article entitled “Chinese Cyberspies Are Hacking Into America’s Small Businesses.” I encourage you to read the entire article, but here’s the gist…

“A wide range of small businesses and institutions — from pizza restaurants and medical clinics to synagogues and universities — have been both victims and unwitting accomplices in sophisticated cyber espionage campaigns being carried out by hackers in China.”

It is one thing to hear how nation-states (eg. China, Russia, US, UK, Israel, Syria, Iran, etc.) are employing computers and computer networks to wage cyberwars against one another. However, figuring out how to use innocent, and otherwise unsuspecting, non-combatants takes everything to another level.

These days, it is viturally impossible for your organization to exist without making heavy use of the Internet; and the larger your enterprise, the more dependent you are. It is this dependency and participation within this greater network that exposes you to risks, once considered unimaginable, that now must be considered everyday concerns.

Thanks to the ability of the “bad-guys” to cover their respective tracks by masquerading as innocent bystanders (a.k.a. using human shields), it has never been more important for all of us to band together for the good of our collective security. Gone are the days when we could ignore the security policies of even our smallest third-party vendors, suppliers, or trading partners. With the ability to literally be attacked from anywhere, the only way we can protect ourselves is to demand that all of our partners, from the largest to the smallest, take responsibility themselves. As we have seen, no business / enterprise / organization is too big to become the unwitting attack vector, and it is likely the smallest will become the most attractive targets to exploit.

Are you doing everything you can, through your vendor risk management program, to help your partners help you by helping themselves? Information security risk needs to be a “top-of-mind” issue for you and all of your third-party partners. An easy way to get started is through the use of industry standard self-assessments, like ISO 27001/2. Protecting the security of your enterprise cannot be achieved through isolationism. If you are not doing so already, now is the time to ask all of your partners (large and small) to step-up and demonstrate how they are actively working to protect the systems, networks, and interconnected tools we all use.

An Introduction to Conflict Minerals & Compliance

conflict-minerals

Beginning in 2014, US companies that sell products that contain any of the four minerals that may be considered “conflict minerals” will be required to file annual reports with the SEC (Securities and Exchange Commission). Most of today’s automobiles and electronic devices likely include several different minerals, particularly four kinds: gold, columbite-tantalite, cassiterite, and wolframite. Where and how these minerals are mined determines whether or not they are classified as conflict minerals. There is huge potential impact on companies that use conflict minerals.

What Are Conflict Minerals

It is important to understand what conflict minerals are, and what exactly defines a mineral as being a conflict mineral. The four minerals, often referred to as the 3Ts & G, are columbite tantalite, cassiterite, wolframite, and gold. Electronic devices, automobiles, and many other popular products contain these minerals. Conflict minerals are mined under conditions of human rights abuses and armed conflict. They are mined in the Democratic Republic of Congo and surrounding regions to finance the ongoing armed conflict. Armed groups force civilian workers to mine these minerals under extremely harsh conditions, often leading to many serious injuries and fatalities. Groups will often enter villages and towns and either kidnap or force these people to work at gunpoint. Threats of harm against family members happen frequently, leaving civilians with almost no choice but to work for the groups in order to protect their families. A large number of the laborers are children. Around 75% of armed groups revenue is derived from the sale of conflict minerals, which funds their violent efforts. It is estimated there have been more than five million deaths in the ongoing fighting taking place in the Democratic Republic of Congo (DRC). The minerals are shipped out of country through middlemen to factories and processing plants. Because of this, the United States Conflict Mineral Laws apply to eight other countries: Rwanda, Angola, Central African Republic, Uganda, Zambia, Sudan, Burundi, and Tanzania.

Conflict Minerals and the Law

Legislation proposed in 2009 would have required companies to disclose use of conflict minerals in their products failed in Congress. In 2010, language added to the Dodd-Frank Wall Street Reform and Consumer Protection Act was passed. Under Section 1502 of the act, companies will now be required to disclose the use of conflict minerals. On August 22, 2012, the Securities and Exchange Commission created a rule stating that all companies deeming these minerals “necessary to the functionality or production of a product” to file an annual disclosure statement. The new form (Form SD) must be filed annually by May 31st beginning in 2014. It is estimated that ~6,000 SEC issuers will be required to provide new disclosures, which in turn forces the evaluation of ~275,000 private companies that are part of the issuers supply chains. Penalties for non-compliance range from Section 18 liability under the Exchange Act of 1934, to backlash from human rights activists. Under Section 18, companies not in compliance are subject to private lawsuits by investors for misleading or false statements. Companies will not be held liable if they are able to show that they did, in fact, do their due diligence when stating they do not use conflict minerals. It is important for companies and businesses to understand this does not allow them to use this as a loophole as they will have to prove they did everything possible to determine whether or not they were or are using conflict minerals. Mining companies are excluded from the SEC’s rule unless they partake in manufacturing as well. Minerals sourced from recycled products or scrap is not part of the SEC’s regulation, and does not need to be reported even if those minerals did originate from the DRC region.

Best Practices

Estimates forecast the compliance costs for the new filings can range from $3 billion to $16 billion. Enterprises must, at a minimum, follow best practices to maintain compliance.

  • Establish clear internal policies;
  • Assess the potential risks in their supply chains;
  • Develop responses to identified risks and events;
  • Conduct third-party audits of refiners practices;
  • Report on an annual basis.

In the case of mergers or acquisitions of other companies, a transition period will be allowed to determine if the newly acquired business uses conflict minerals or not. Those who do not demonstrate adequate due diligence are subject to investigations by the SEC. A survey was conducted of 900 executives on whether they are taking action now for the upcoming deadline. A third of respondents stated that they are still unsure whether or not they technically need to report. Two-thirds have either not begun the process of assessing their supply chain or are in the very early stages. Under five percent of the respondents said that they have already done the proper due diligence and are prepared for the May 2014 deadline.

In 2014 when filings being and become public, reactions are expected to vary widely. Some consumers and investors will have no concern with reports of the use of conflict minerals, while others will take the matter much more seriously. Non-governmental organizations and human rights activists are expected to draw great attention to those who are using, and plan to continue using conflict minerals. Manufacturers who brand themselves as eco-friendly could face a fallout of loyal consumers who purchase their products based on the fact that they assume any materials used in production were free of conflict minerals.

The financial impact could be devastating. Some companies could see share prices fall dramatically, or the reports sway potential new investors from purchasing stock.

Are you ready for May 31, 2014?

With the deadline for filings less than a year away, companies still have time to identify risks in their supply chain and take action now to reduce any potential economic impact. The SEC rule does not apply to any minerals acquired and inventoried prior to January 31, 2013. Everything after this date must be a part of the filing on May 31, 2014.

If businesses do not prepare adequately, they may face damage to their brand and a loss of revenue. Accurate information is critically important when doing due diligence and obtaining information from 3rd party vendors and suppliers. The consequences from inaccurate information can be very expensive. Just over ten percent of companies surveyed intend to be entirely conflict mineral-free in the near future, while a third say that they will require any suppliers they use to do the same.

Those who are unsure how best to obtain accurate information from their 3rd party vendors and suppliers are encouraged to seek the assistance of service providers who can provide the tools necessary to gather information quickly, effectively, and accurately. It is critical that all enterprises are able to demonstrate they are, in fact, doing everything possible to uncover the source of the minerals being used in their products. Those found not in compliance run the risk of being exposed as making false statements, whether or not they actually were. The May 31, 2014 deadline must not be taken lightly, especially for those who may have hundreds or thousands of different suppliers. The decisions made today may end up costing companies dearly as the initial 2014 reporting deadline approaches.

The more you do, the more you can do!

Image of dirty hands with a seedling

Yes. I am highly qualified to build an entire business from the ground up. I know a great deal about the entire business lifecycle (cradle-to-grave).

  • I’ve raised over $9M in venture capital.
  • I’ve sold enterprise hardware & software to organizations around the world.
  • I have been media trained and am a published author.
  • I lecture to MBA students, and I’ve written patents.

However, please do not “miss the forest because of the trees.” My success and accomplishments have been achieved not on the backs of others, but by my belief that teams (as in sports), when properly motivated, have the capacity to exceed even my wildest dreams. I don’t just hire people to make my dreams & visions come true, I ask people to join me on the journey, offering to lift them up on my shoulders. I choose to see people and opportunities as they can be, not (necessarily) as they are today. This type of optimistic thinking allows me to achieve and accomplish much more than most, however, it does set me up, occasionally, for disappointment.

I am an “in-the-weeds,” get your “hands dirty” kind of guy. Just because I know a lot about a lot and have made it my business to ride the leading edge of the “bleeding” edge, does not mean I have forgotten how to create for today.

Things I’ve done, personally, over the last 18 months include:

  1. Architected a state-of-the-art web application.
  2. Built a business, as employee 0, from the ground up.
  3. Established and maintained an accounting system.
  4. Hired and motivated 21 brilliant people [18 engineers, 3 other].
  5. Conceived of, architected, and implemented (with a team) the highest quality, browser-only, transactional video as a services platform you’ve ever seen.
  6. Architected, implemented, deployed, and maintained an entire AWS (cloud) infrastructure.
  7. Lead and motivated a group of people far smarter than me.
  8. Written production-ready code in:
    1. Python
    2. Javascript
    3. PHP
    4. Java
  9. Designed and implemented production-ready relational and non-relational data models
    1. SQL (MySQL & Postgresql)
    2. NoSQL (DynamoDB & MongoDB)

Bottom line…

I am a guy who builds things on the Internet. Period.

The fact that I am able to build effective teams stems from the fact that I am, at heart, an engineer of things (businesses, software, etc.). People follow me because I lead by example. I believe engineers respect me, and follow me, not because I have a PhD (which I don’t) or because I’m some guru (which I’m not), but because they know that I actually know what I’m talking about because I actually write code to solve actual problems. Sales people follow me because I have successfully “sold” to over 700 enterprises. Marketing people follow me because I know how to effectively communicate a message of benefits, not simply features.

My best and brightest years are ahead. There is no way you can beat me, so why not get me to join you? In the words of Lucille Ball…

“If you want something done, ask a busy person to do it. The more you do, the more you can do.”