Supply Chains Are The Next Subject of Cyberattacks

The cyberthreat landscape is evolving as threat actors develop new tactics to keep up with increasingly sophisticated corporate IT environments. In particular, threat actors are increasingly exploiting supply chain vulnerabilities to reach downstream targets.

The effects of supply chain cyberattacks are far-reaching, and can affect downstream organizations. The effects can also last long after the attack was first deployed. According to an Identity Theft Resource Center report, “more than 10 million people were impacted by supply chain attacks targeting 1,743 entities that had access to multiple organizations’ data” in 2022. Based upon an IBM analysis, the cost of a data breach averaged $4.45 million in 2023.

What is a supply chain cyberattack?

Supply chain cyberattacks are a type of cyberattack in which a threat actor targets a business offering third-party services to other companies. The threat actor will then leverage its access to the target to reach and cause damage to the business’s customers. Supply chain cyberattacks may be perpetrated in different ways.

  • Software-Enabled Attack: This occurs when a threat actor uses an existing software vulnerability to compromise the systems and data of organizations running the software containing the vulnerability. For example, Apache Log4j is an open source code used by developers in software to add a function for maintaining records of system activity. In November 2021, there were public reports of a Log4j remote execution code vulnerability that allowed threat actors to infiltrate target software running on outdated Log4j code versions. As a result, threat actors gained access to the systems, networks, and data of many organizations in the public and private sectors that used software containing the vulnerable Log4j version. Although security upgrades (i.e., patches) have since been issued to address the Log4j vulnerability, many software and apps are still running with outdated (i.e., unpatched) versions of Log4j.
  • Software Supply Chain Attack: This is the most common type of supply chain cyberattack, and occurs when a threat actor infiltrates and compromises software with malicious code either before the software is provided to consumers or by deploying malicious software updates masquerading as legitimate patches. All users of the compromised software are affected by this type of attack. For example, Blackbaud, Inc., a software company providing cloud hosting services to for-profit and non-profit entities across multiple industries, was ground zero for a software supply chain cyberattack after a threat actor deployed ransomware in its systems that had downstream effects on Blackbaud’s customers, including 45,000 companies. Similarly in May 2023, Progress Software’s MOVEit file-transfer tool was targeted with a ransomware attack, which allowed threat actors to steal data from customers that used the MOVEit app, including government agencies and businesses worldwide.

Continue Reading

Supply Chain Disruptions: Drafting Contract Clauses to Mitigate Risks, Navigate a Breach, Avoid Litigation”

SPB’s Alexis Chandler will be participating in a CLE webinar on April 2, 2024 from 1pm-2:30pm EDT titled “Supply Chain Disruptions: Drafting Contract Clauses to Mitigate Risks, Navigate a Breach, Avoid Litigation.”  The panel will discuss the following:

  • What are the recent trends in supply chain litigation?
  • What should supply chain contracts include regarding the timing of deliverables in light of global or other disruptions?
  • How can a force majeure provision be drafted to provide an enforceable defense?
  • When should companies abandon commercial negotiations and pursue litigation when suppliers default?
  • What are the latest trends in relation to ESG and supply chain risk management?

Squire has ten complimentary passes for the webinar.  If you would like to attend, please contact Kristi Vitaz ( by 5pm today, April 1, 2024.  As a bonus, you will receive CLE credit!

You may also register for the webinar here.

White House Issues Executive Order to Strengthen Cybersecurity at US Ports

This is an legal insight prepared by D. Michael Kaye, Sarah K. Rathke, Bridget McGovern, Michael J. Wray, Shea Leitch, John P. Flynn, Darien Flowers, and Michelle Story. Please contact one of the authors with any questions.

On February 21, 2024, the White House issued an executive order implementing various measures to bolster the security of US ports by expanding the US Coast Guard’s authority to regulate maritime cybersecurity, requiring the reporting of cyber incidents and investing in the US port critical infrastructure.

Read the full insight here.

Forced Labor Legal Developments in Europe: EU Council and Parliament Negotiate Final Text for Proposed Regulation

This is a legal insight prepared by colleagues Ludmilla L. Kasulke, D. Michael Kaye, Thomas Delille, Christina Economides, Amjad Wakil, María Vara Pitarch. Please contact the authors with any questions.

While many have focused in recent months on the US enforcement of the forced labor import ban (19 U.S.C. 1307) and the Uyghur Forced Labor Prevention Act (UFLPA) (Public Law No. 117-78), the EU is working on its own set of regulations prohibiting products made with forced labor from entering the EU market.

Read the full insight here.

FMC Announces Hearing on Shipping Conditions in the Red Sea

As Yemen’s Houthi rebels have increased attacks against vessels sailing through the Red Sea and the Gulf of Aden, global trade stakeholders have responded. It has been announced in the media that oil majors and large global shipping lines are suspending shipping operations in the Red Sea.

In light of the current geopolitical climate, the Federal Maritime Commission (FMC) announced that it will hold an informal public hearing on February 7, 2024, to examine how conditions in the Red Sea and Gulf of Aden regions are impacting commercial shipping and global supply chains. The hearing will allow stakeholders in the supply chain to communicate with the FMC on how operations have been disrupted by attacks on commercial shipping emanating from Yemen, steps taken in response to these events, and the resulting effects.

The full insight was prepared by colleagues Michael Wray (Houston), Michael Kaye (DC), John J. Reilly (NY), Darrien Flowers (DC), John P. Flynn (DC), and Jack Kingston (DC).

Council On Supply Chain Resilience Tasked With Strengthening Domestic Supply Chains And Limiting Reliance On Foreign Medical Supplies

November 27, 2023 marked the inaugural meeting of the White House Council on Supply Chain Resilience, a cabinet-level council focused on building and advancing the success of America’s critical supply chains.  The meeting commenced the Biden-Harris Administration’s initiative to provide American citizens with domestic access to medicine and vaccines that have previously been inconsistently available.

Continue Reading

Canada’s Fighting Against Forced Labour and Child Labour in Supply Chains Act Goes Into Effect Soon

On May 11, 2023, Canada passed the Fighting Against Forced Labour and Child Labour in Supply Chains Act(Bill S-211), which will take effect on January 1, 2024 (the “Act”).

The purpose of this Act is to implement Canada’s international commitment to fighting forced and child labor through reporting obligations on (a) government institutions[1] producing, purchasing, or distributing goods in Canada or elsewhere; and (b) entities[2] producing goods in Canada or elsewhere or importing goods produced outside of Canada.

Continue Reading

Countdown to Compliance With European Union’s Deforestation Regulation

Companies are preparing to comply with the European Union’s new deforestation regulation (EUDR).

On June 29, 2023, the European Parliament and Council formally adopted the EUDR.  The EUDR goes into effect on December 30, 2024 for large companies (operators and traders)[1] and June 30, 2025 for micro and small exporters.[2]

Continue Reading

White House Finalizes Long-awaited Build America, Buy America (BABA) Guidance

On November 15, 2021, President Biden signed into law the Infrastructure Investment and Jobs Act (IIJA) (P.L. 117-58), which includes the Build America, Buy America Act (BABA) requiring infrastructure projects receiving IIJA funding and other federal financial assistance to utilize certain domestically produced materials, including iron or steel products, manufactured products, and construction materials.  On August 23, 2023, the Office of Management and Budget (OMB) published final guidance to federal awarding agencies on BABA’s requirements in the Federal Register.  Squire recently wrote an article about the final guidance, which you can read here.  

Michigan Supreme Court Upholds UCC Statute of Frauds Rule Requiring Quantity Terms To Be In Writing

The Michigan Supreme Court issued an Opinion on July 11, 2023 in MSSC, Inc. v. Airboss Flexible Products Co., reversing a Court of Appeals opinion holding that blanket purchase orders were enforceable under the UCC Statute of Frauds.

In short, the Michigan Supreme Court upheld the longstanding Statute of Frauds rule that contracts must contain a written quantity term to be binding, including its conclusions that:

  1. The parties’ blanket purchase order, terms and conditions, and other writings lacked a written quantity term.
  2. The term, “blanket,” does not constitute a quantity term within the meaning of the Statute of Frauds, overturning Great Northern Packaging, 154 Mich App 777; 399 NW 2d 408 (1986), “to the extent that it conflicts with the holding.”
  3. Since there was not a quantity term in the MSSC and Airboss documents at issue, the parties’ agreement did not comply with the UCC Statute of Frauds, which requires a quantity term to be included in the written contract to be enforceable, and therefore, it was error for the lower courts to use parol evidence to determine the intent of the parties.
  4. Without a quantity term, and without being a requirements contract under MCL 440.2306(1), the parties entered into a “release-by-release” contract that was binding against the supplier only to the extent of releases issued by the buyer and accepted by the supplier.

Continue Reading