The rapid pace of digitalization poses new security risks for cross-border trade, an industry that relies heavily on electronic data and international money transfers, said Alaster Love, chief technology officer at Panacea Strategy.
“We know that on a cross-border basis, in Laredo and Nuevo Laredo, there’s lots of people who’ve already had issues with cybersecurity,” Love said. “We know that in Mexico, cyberattacks have happened on a larger scale.”
Over the past several months, almost a dozen cyberattacks have targeted firms working in the international supply chain industry.
In early October, Laredo, Texas-based customs broker and freight forwarder Daniel B. Hastings was the victim of an apparent ransomware attack. Hackers posted the firm’s files, including U.S. Customs and Border Protection (CBP) documents for shipments, on the dark web.
Texas-based trucking company Daseke Inc. also was the victim of a cyberattack in October, with hackers exposing the personal information of drivers and other potentially sensitive data on the dark web.
In 2017, Denmark-based Maersk was the victim of the infamous NotPetya cyberattack, which crippled the shipping container giant’s information technology system. The carrier has operations at five Mexican seaports, including the Port of Lázaro Cárdenas.
Love said cyberattacks can impact a business in several ways, including money (if a ransom is paid), loss of sensitive data and damage to a company’s reputation.
Panacea Strategy, founded in 2017, is a technology company focused on digital innovation and incubation for the logistics industry in Mexico. The company is based in Nuevo Laredo, Mexico, and also has offices in Mexico City and Laredo.
“Around 60% of the people that pay ransomware still do not receive all of the data that was compromised, so there’s loss of data,” Love said. “Most importantly, I think it’s a loss of reputation. Customs brokers are entrusted with protecting their data and their customers’ data.”
Love said firms that chose not to pay could find critical documents uploaded to the web for anyone to see.
“Ultimately, the bad guys say, ‘Well, you’re not going to pay, then I’m going to show you how serious we all are, which is we’re going to upload your customers’ documents that include their private information onto the web,’” Love said. “That’s a big problem. If you’re taking a U.S. Customs document, it’s got somebody’s importer number, it’s got phone numbers, email addresses, etc.”
In the case of Mexican customs brokers, a cyberattack could result in loss of freight payments, Love said.
“Mexican customs brokers have access to a lot more money than does a trucking company or a U.S. customs broker because they’re receiving duties on behalf of other people and then paying them forward,” Love said. “Their business at some point becomes a little bit more like banking.”
In 2019, CBP updated the minimum security requirements for its Customs Trade Partnership Against Terrorism (CTPAT) program. CTPAT is a voluntary supply chain security program through which members with documented risk alleviation procedures are subject to fewer border customs examinations and benefit from accelerated processing of cargo.
CTPAT’s new minimum security requirements, which must be implemented by the end of this year, include updates to its cybersecurity policy.
“CTPAT members must have comprehensive written cybersecurity policies and/or procedures to protect information technology (IT) systems. The written IT policy, at a minimum, must cover all of the individual cybersecurity criteria,” according to CBP guidelines.
“In working with any sort of government agency, there’s an interpretation and language. CTPAT’s language changed from ‘should’ to ‘must,’” Love said. “My interpretation of ‘must’ is that cybersecurity is a requisite. We’re actively working with organizations like the Laredo Licensed Customs Brokers Association. … When you go to recertify CTPAT, or revalidate, if you don’t have these minimum guidelines, your recertification could be denied.”
More articles by Noi Mahoney