Tariffs: A hidden threat to corporate and supply chain security

You may ask: “What do security breaches have to do with tariffs?” The answer is “a lot more than you may think.” 

Tariffs, sanctions, and other rapid government changes can cause catastrophic impacts to businesses and government agencies if we don’t pay attention. Some very often missed but extremely important topics are how a tariff or other governmental actions can impact the supply chain of companies, increase attacks on critical infrastructure (e.g., hospitals, power grid, transportation network), and significantly increase exposure to a cyberattack or breach. 

The nation-state sponsored attack on the Viasat KA-SAT satellite during the Russian-Ukraine War is a recent instance of this, which resulted in a rapid shift of technology overnight. The satellite technology, utilized by the Ukrainian military for communication, was targeted to disrupt their network. The attack successfully achieved its goal, causing significant chaos. 

Preparing for rapid changes and their impact: Strategies and solutions 

During a period of disruption and uncertainty, it is critical to identify the challenges and impacts while swiftly safeguarding the business. Below are key challenges and effects leaders should consider, along with strategies for effective preparation. 

Shift of suppliers overnight  

Whether dealing with a shift in direction of the business or unexpected government changes, the business may have to switch a number of suppliers overnight. The most important item would be to understand which suppliers and service providers exist and identify the ones that will need to be switched to a backup supplier or service provider. In this turbulent time, organizations should not limit themselves to surface-level questions such as, “Are we ready to quickly switch suppliers?” or “Do we have supplier backups?” 

Organizations should ask more critical and compelling questions such as How confident do we feel about the cybersecurity and privacy risks of our backup suppliers and service providers? Will we need additional regulatory and compliance investment based on the location of the backup supplier and service provider? How strong are our cybersecurity detection capabilities because attacks are likely to increase?” 

If organizations are required to change their suppliers overnight, they can immediately assess new suppliers through third-party cybersecurity risk monitoring platforms (e.g., BitSight, Security Scorecard). In the medium to short term, critical questions should be raised, added into a comprehensive supplier risk questionnaire, and incorporated into third-party risk management processes to inform both enterprise risk and contingency planning. 

Impact on cybersecurity budgets  

Tariffs may drive organizations to seek cost-saving opportunities to reallocate funds elsewhere. However, if cybersecurity budgets are reduced without a clear understanding of where cuts are being made within the cybersecurity program, the organization’s cybersecurity posture can leave the business open to severe consequences. Cutting costs in the wrong places could result in increased vulnerability to cyberattacks, data breaches, and ransomware, which directly impacts the bottom-line and may potentially cripple business growth.  

Organizations can identify cost-saving opportunities in the cybersecurity program but should strongly consider partnering with skilled experts who have the knowledge to maximize efficiency while maintaining strong cybersecurity. Understanding your business’ security posture is key to finding the sweet spot, as is possessing deep knowledge of cybersecurity program structures, tools, technologies, and operating models. 

Increased economic friction = Increase in cyber conflict 

Tariffs cause frustration across the globe. These events may mobilize nation-state backed cyber attackers to use their most lethal weapons and unleash the most severe attacks on corporations and critical infrastructure that keep businesses and our lives running smoothly. This has been a recurring feature of the Russia-Ukraine conflict, where multiple attacks affecting availability of critical services have occurred, including banking and transportation industries. Government actions can fuel cyber conflict and expose organizations to heightened security risks. Even beyond this threat, trade wars may resurrect or entice cyber activism groups to perform attacks against organizations raising prices on goods and services.  

In light of this, organizations should move to re-evaluate the way cybersecurity assessments are performed. Conducting more rapid and recurring cybersecurity diagnostics allow businesses to leverage real-time insights. Once insights are captured, organizations should develop a “Five-Point Maturity Plan” to promptly tackle changes in government action and formulate an effective and efficient response. Leaders should point their teams to look beyond traditional external evaluations and review internal controls and impacts to reduce risks of disruption that may be carried out by determined threat actors (e.g., disgruntled insiders, data exfiltration, and more).   

Increased cybersecurity compliance pressure  

Tariffs also give rise to increased foreign scrutiny across the board. In response to the tariffs levied against them, governments may probe deeper into the cybersecurity and privacy compliance posture of businesses operating outside their borders, as a retaliatory response. Companies should be vigilant in maintaining their cybersecurity and control structure to combat uncertainty in this space, as it could result in significant impacts to business maintenance and growth. 

Organizations should conduct “Disruption Training” to address potential government actions that may impact the business. This tabletop training can be used to provide insights into how different departments across the company will respond, which includes impacts on global Cybersecurity compliance requirements. 

Companies need to be cognizant of how to adapt their cybersecurity programs as tariffs reshape risks and compliance needs. Threats can manifest as direct impacts to organizations’ supply chains and spend, but also in indirect ways such as strained environments creating softer targets and compliance pressure.  

Now more than ever, companies need to be proactive in their approach to cybersecurity as greater uncertainty reshapes the global business environment. Business leaders who take a proactive stance on cybersecurity processes, safeguarding operations, and building resilient third-party partnerships will position their business to weather an increasingly disrupted world and continue their growth trajectory.

About the authors:

The authors all have significant experience in cybersecurity strategy and technology implementation. Dean Weber is a director at AlixPartners. Edward Chua is a senior vice president at AlixPartners. Beth Musumeci is head of AlixPartners’ cybersecurity and data privacy practice. Megha Kalsi is a partner at AlixPartners. Edward Watabe is a senior vice president in the performance and technology practice at AlixPartners.

SC
MR