If you are a company doing business in Mexico, these have not been easy times. A converged economic, security, and health crisis has disrupted business operations and upended the country’s workforce. Splintering drug cartels continue to proliferate and adapt their tactics, techniques, and procedures (TTPs) to the pandemic. The U.S.-Mexico border, one of the largest and most important economic corridors in the world, has been politicized continuously over the last four years, with periodic threats of closure.
This makes sound risk management principles all the more important, now anchored by U.S. Customs and Border Protection’s (CBP) move to establish and implement expanded security requirements throughout 2020 under the Customs-Trade Partnership Against Terrorism (C-TPAT) program.
The C-TPAT Evolution
C-TPAT dates back to the aftermath of September 11, 2001, when the government realized it could not handle the myriad challenges it faced alone. Taking a page from literature at the time around community policing, the program attempted to establish a similar mechanism and replicate the benefits. Though a voluntary partnership, the number of participants in C-TPAT has now reached over 11,500, making it one of the most successful private/public sector exchanges in history.
While the threats have evolved since those days, that ethic of collaboration is very much still in play. Over the past several years, drug cartels have continued to exploit the legitimate supply chains of U.S. companies to transport contraband across the border by air, land, and sea. They have proved challenging and adaptive adversaries, and the U.S. government has rightfully recognized that you cannot expect industry – whose primary responsibility is to build and sell a product, not fight criminals – to carry the full burden.The program brings with it numerous economic benefits, including Free and Secure Trade (FAST) Lane access, reduced inspections, and an assigned supply chain security specialist from within CBP. But in return, the government expects adherence to a set of minimum-security criteria that justifies the expediting of cargo deemed lower risk. This includes many important elements of any supply chain security program: basic physical security deterrents, seal processes, business partner oversight, and access control procedures. But after several years of consulting with industry, these criteria have now expanded to include entire categories previously not contemplated in the supply chain security equation.
Cybersecurity requirements, including written policies, protective controls for hardware and software, and patch and password management, are all essential components in the aftermath of events like NotPetya and its impact on companies like Maersk. Pest contamination, long a concern of the U.S. Government interested in agricultural security and the threat of invasive species, is now an important component of freight inspections within C-TPAT.
Over the past decade, this evolving set of criteria has led to numerous consequences – companies being downgraded or ousted entirely from the program after failing to comply with these requirements. These events occur only in the most egregious cases, but many large companies have been on the receiving end of such verdicts. The sudden removal of C-TPAT benefits brings serious operational challenges and reputational consequences to an organization.
How to Make the System Work
In our experience working with many of these companies on both sides of the relationship, there are several success factors worth highlighting as chief security officers, general counsels, customs and trade officers, and other supply chain security personnel assess current exposure alongside compliance with more rigorous government requirements.
First, companies should lean on the government as a partner as much as appropriate. Instinctually, the private sector often tries to hide the ball and limit how much it discloses to the government around sensitive security matters, worried it may lead to punishment or legal exposure down the line. This is short-sighted. The relationship with CBP works best when there are open and honest communication channels. The government has access to threat intelligence and TTP trendlines that private firms do not. It can provide guidance around a unique identified vulnerability or the perceived effectiveness of a contemplated countermeasure, but only if it is part of the conversation in advance. The worst outcome is having key findings come to light after a seizure has occurred.
Second, firms must enact solid supply chain risk management principles that are rooted in the new minimum-security requirements put forth by CBP in 2020. Understandably, new requirements pushed by the government are often seen as cumbersome and overly prescriptive. However, the 90+ requirements now in place are some of the most comprehensive converged security standards available today, serving as a solid benchmark and set of best practices well beyond C-TPAT program compliance. Given the broader scope of the standards, compliance is now more of a cross-functional exercise, bringing together multiple departments within an enterprise in a unified point of view. Importantly, the criteria are risk-based, rooted in the understanding that companies must focus on risk mitigation and not risk elimination. Ultimately, this is about fostering a supply chain that increases the necessary resource expenditures by criminal enterprises, forcing them to gravitate someplace else.
Third, companies must elevate the current thinking on supply chain security to include reputational risk considerations. Beyond ships, border crossings, and railcars, there have been numerous examples in recent years of illegal narcotics showing up in downstream supply chain nodes on U.S. soil – think automobile trunks at car dealerships, produce shipments at grocery stores, and other consumer products. Incidents like these can quickly escalate from an analyst’s desk to the boardroom. Ensuring these supply chain risks are socialized and understood at an executive level is essential to ensure proper preventative measures are being resourced and actioned.
In the aftermath of September 11, a group of companies dubbed the “Magnificent Seven” by former CBP Commissioner Robert Bonner came together in solidarity as the founding members of C-TPAT. These included the likes of Ford, General Motors, Target, Motorola, Chrysler, Sara Lee, and BP – companies emblematic of the United States. These firms took steps to ensure compliance, but also to lead and do the right thing. Two decades later and faced with a new array of threats, current members would do well to adopt a similar forward-looking, adaptive, collaborative approach.