In order to help combat the rise in consumer credit card and personal information theft—and to better reflect the modern-day supply chain—U.S. Customs and Border Protection (CBP) is adding a new cybersecurity category to its Customs-Trade Partnership Against Terrorist (CTPAT) security guidelines.
“Cyber attacks are exposing consumer credit card information, personal data and, in some cases, store accounts, including the shopper’s valid username and passwords,” Richer told Sourcing Journal. “So the effect is far-reaching and of great concern both to consumers and company branding.”
Small businesses are particularly vulnerable, Richer noted, with 60 percent unable to sustain their business following an attack.
Under the updated criteria, “importers are now required to reconsider their role in protecting information in their organizations and what it means to safeguard data in a digital world,” Richer said, adding, “whether of the end consumer or information related to their intellectual property rights, investors and other stakeholders.”
Carlos E. Ochoa, brand chief of CBP, said the new cybersecurity requirements are meant to be “common sense industry standards,” such as the preference that businesses use pass phrases instead of passwords, and the use of two-factor authentication when possible.
According to Ochoa, imports increased 88 percent from 2002 to 2016, and the origins of these imports have also changed, with more companies sourcing raw materials with higher-risk countries.
CTPAT is a voluntary partnership program, established in response to the events of 9/11, for private companies to examine and correct their security vulnerabilities in exchange for such benefits as fewer CBP examinations, reduced wait times and access to expedited lanes. Participation also opens the door for companies to participate in the Trade Compliance Program and thus become what’s known as a Trusted Trader. Trusted Trader status unlocks additional benefits that include access to the new CTPAT Defender program, in which CBP will notify companies of potential identify theft or other suspicious activity occurring in their supply chains.
Among other changes include a new structure for the Minimum Security Guidelines—now called the Minimum Security Criteria—that organizes the conditions into “musts” and “shoulds,” intended to eliminate second-guessing regarding the differences between requirements and recommendations. Also added with the intent to bring greater clarity are glossary terms, pictures and graphics, as well as an ID number structure that will enable the CBP to collect statistical data.
A new recommendation surrounding forced labor recommends that organizations “have a documented social compliance program in place that, at a minimum, addresses how the company ensures goods imported into the United States were not mined, produced or manufactured, wholly or in part, with prohibited forms of labor, i.e., forced, imprisoned, indentured or indentured child labor.”
According to Richer, the textile industry has a clear advantage as they’ve already embraced the social compliance program and presently have strategies in place to reduce situations where forced labor might occur.
The criteria will be implemented this year, with validations on new criteria beginning in early 2020.