Auto inventory shortages are just one symptom of looming economic issues

Expect the Unexpected: Approaching Raw Material Shortages, Labor Issues, and Freight Increases and Delays in 2022

I. Introduction

AUTHORS 
Ann Marie Uetz | auetz@foley.com 
Vanessa Miller | vmiller@foley.com 
Nicholas Ellis | nellis@foley.com 

In 2022, automotive suppliers face many of the same issues that have bedeviled the industry throughout 2021, as well as a host of all-new challenges. Unfortunately, as with many aspects of pre-pandemic life, the relative stability in the global supply chain that the automotive industry enjoyed for many years is unlikely to be restored any time soon. Suppliers must be agile and adapt to these new and continuing challenges.

This article highlights several key areas of focus for suppliers looking ahead, including seeking greater flexibility and risk sharing in pricing, warehousing/inventory, and managing freight costs. Among other strategies, suppliers should consider updating many of their traditional operational and contracting practices in order to enhance flexibility in a more unpredictable world. While the changing landscape presents challenges, it also presents opportunities for growth. The suppliers that best adapt will be the companies that are positioned best to thrive going forward.

II. The State of the Automotive Supply Chain as We Enter 2022

For many automotive suppliers, 2021 was a year defined by shortages, increased costs and other unprecedented supply chain challenges. The lockdowns of 2020 quickly gave way to shortages of many raw materials and components, as supply could not keep up with surging demand. While the global shortage of semiconductors may be the most publicized of these issues, many suppliers also faced difficulty in obtaining other materials, including steel, resin, and foam. In keeping with the law of supply and demand, these shortages quickly turned into rapidly escalating costs for many suppliers, with hefty price increases that were not contemplated in suppliers’ quotations, and in many cases they were not expressly covered by their supply contracts.

In addition to difficulty obtaining materials, automotive suppliers faced significant operational and logistical hurdles. Suppliers encountered and continue to face difficulties in obtaining sufficient labor to keep their plants running at full capacity. Suppliers also had to contend with myriad logistical challenges, including port delays, the Suez Canal blockage, a dearth of containers, a scarcity of truck drivers, and massively increased costs for shipping. The cost of shipping containers from Asia to the United States soared, reaching in excess of a 500% increase from just a year earlier.1 Suppliers also faced surging costs for labor. Under the burden of these significant challenges, the automotive supply chain exchanged a fresh wave of force majeure declarations and notices of commercial impracticability.  Unlike the case in 2020, when most of the automotive industry shut down in unison, such declarations often were the subject of significant disputes as parties wrangled over responsibility for costs and tried to maintain operations.

Compounding these difficulties, many suppliers’ efforts to manage their supply chain were further complicated by the actions of their OEM customers. Faced with shortages, many OEMs reacted by ramping up their releases to unrealistic levels far in excess of the original EDI projections, leaving suppliers trying to divine what were the “real” quantities that ultimately would be needed. OEMs also reacted to the shortage of semiconductors (and other inputs) with unpredictable rolling shutdowns of production. Many suppliers experienced situations in which they had undertaken significant efforts, including potentially expediting shipments in order to meet releases and forecasts for a certain volume, only to see their OEM cancel or reduce releases at the last minute. These issues often left suppliers holding significant inventory and materials without payments from their customers to provide the cash flow needed to pay their own sub-suppliers. Production shutdowns further exacerbated ongoing labor problems. As suppliers were forced to furlough their work force, they could not be sure how many of their workers would return once production resumed.

Unfortunately, 2022 is projected to be another difficult year for automotive suppliers. Many analysts predict that the semiconductor shortage and other supply chain disruptions will continue into at least 2023, even if there are some signs of gradual improvement.2 Such disruptions and shortages are likely to continue to drive costs up. Furthermore, the full impact of the Omicron variant of COVID-19 (and potentially other variants) is not yet known. While there appears to be little appetite for a return to a lockdown in the United States, lockdowns remain a possibility in many other countries. In particular, China has hewed closely to a “zero-COVID” strategy and recently re-imposed lockdowns in a number of cities. A more widespread outbreak in China, or other significant manufacturing locations, poses a risk of further significant disruption in the automotive industry.

III. Strategies for Approaching the Changing Circumstances in the Global Supply Chain

For most of the last two years, many automotive suppliers have operated in some form of crisis management mode as they waited for the return to “normal.” However, it is rapidly becoming apparent (to the extent it was not already apparent) that there will not be a return to the conditions that existed before the pandemic any time soon. COVID-19 will be with us, in one form or another, for the foreseeable future. The era of minimal inflation that has prevailed in much of the world for the last decade appears to be over. For these, and a variety of other reasons, companies likely face a period of greater instability and volatility in the global supply chain. So how can companies shift out of crisis management mode and adapt their business practices to survive, and even thrive, in the new environment?  This article presents three key strategies that suppliers should consider, from the contracting stage through operations.

  1. Focus on pricing provisions and parameters triggering pricing relief. For many years, the standard in the automotive industry has been long-term contracts at a fixed price (or, in some cases, requiring that the supplier provide annual price reductions). In many cases, these contracts locked the supplier into an indeterminate “life of the part”/“life of the program,” leaving the supplier subject to the whims of its OEM customer for years and through an extended service period as well. Provisions allowing a supplier to request a price increase were a rare commodity, with the exception of contracts for certain raw material-intensive components. Suppliers and OEMs alike, having lived through repeated cycles of spikes and declines in raw material pricing, recognized that long-term fixed price contracts for such components often proved to be untenable and utilized various forms of indexing or other flexible pricing for such components. In the current environment, with inflation and significant price volatility, suppliers (and OEMs) are rethinking the traditional structure for component contracts. Long-term contracts at a fixed, or even declining, price may no longer be practical. As has been the case in the past with raw material-intensive components, suppliers should focus (and wise OEMs will cooperate) in implementing greater pricing flexibility into their contracts to account for changing costs, whether through some form of defined indexing, a periodic opportunity to renegotiate and market test, or other creative approaches.

     Warehousing and inventory banks. For decades

  1. Warehousing and inventory banks. For decades the traditional model in the automotive industry has been lean, just-in-time (JIT) inventory management, as suppliers and OEMs alike maintain only minimal levels of inventory. This is an incredibly efficient model — as long as everything is running smoothly and on-time. However, as the pandemic and supply chain issues have laid bare over the last two years, once all of the proverbial “fat” has been stripped out of the system, there is nothing left to cushion a blow. Suppliers and OEMs both must weigh the potential benefits of lean inventory against the risks posed by a supply chain that is far less stable and predictable than it was two years ago. Many companies have incurred significant costs for expedited freight, overtime, shutdowns, and other expenses that have far outstripped any savings and efficiencies realized from trying to maintain a lean inventory. As a result, OEMs and suppliers alike are looking at ways to mitigate these risks. In addition to looking at reshoring and shortening supply chains (which primarily are long-term strategies with little capacity for short-term relief), many companies are rethinking their inventory models and moving to implement warehousing and larger inventory banks as a shield against shortages and disruptions. While this approach can be an effective strategy, it is not without its own added costs. Suppliers must think carefully when implementing such a strategy (either on their own initiative or at the request of their customers) to ensure that the costs are properly apportioned and accounted for.
  2. Shifting risk for freight. For many suppliers, freight costs have taken on outsized significance over the course of the last two years, both due to increased need for expedited freight and rapidly increasing costs (and delays) for ordinary shipping. Traditionally the OEMs treated most shipping costs, including costs for expedited freight (even in cases of force majeure and commercial impracticability) and costs to ship components from lower-tier suppliers, as something for which their suppliers were responsible. However, many suppliers are questioning this structure and pushing back. Numerous suppliers have struggled with increased costs for shipping, particularly those needing to obtain components from Asia. As discussed above with respect to pricing and costs more generally, suppliers should look for ways in which to share some of the burdens and risks of these costs with their customers. Many suppliers also have struggled with a need for frequent (and for some periods, near-constant) expedited freight in order to compensate for delays in the supply chain. As most suppliers know, costs for expedited freight can rapidly become exorbitant and threaten to surpass a supplier’s profit margins on a program for an entire year or even longer. In recent years, suppliers and OEMs have treated costs for expedited freight as a zero-sum game, with OEMs demanding that their suppliers pay the entire costs for expedited orders and suppliers often balking and refusing to pay such costs (even if otherwise obligated to do so under the applicable contract/law). Given that the challenges in the supply chain show no sign of alleviation soon, companies should consider possible new approaches in which the suppliers and OEMs share some of the risk for expedited freight arising out of issues that are outside of their control.

IV. Strategies for Distressed Suppliers and Opportunities for Growth

While many suppliers will certainly forge a path forward, others will face demands from their customers for support in the form of price increases, acceleration of receivables, and even exit agreements and demands to find a new source of supply. This presents some possible additional costs for many suppliers, but it presents as well some possible acquisition opportunities for other suppliers who are looking to grow their business.

  1. Support for financially or operationally troubled suppliers. In many cases, suppliers seek to pass increased costs on to their customers, and the end-customer OEM often resists absorbing these increased costs. In cases where a customer provides financial or other support to a sub-tier supplier, the following terms help to protect each side so that parts can continue to flow through the supply chain:
    1. The supplier’s commitment to continue producing the parts for the customer;
    2. If applicable, the lender’s commitment to continue lending to the supplier so that it continues to operate and produce the parts for the customer;
    3. The customer’s commitment to continue paying, limit its right of setoff, and/or establish new payment terms;
    4. Establish milestones to gauge the supplier’s performance;
    5. Identify and acknowledge ownership of tooling;
    6. Where applicable, provide for the customer’s right to access the supplier’s facilities;
    7. Include provisions to help “preference-proof” the agreement in the event of a bankruptcy filing.
  2. Acquisition opportunities. As some automotive suppliers face financial or operational headwinds, investors (including some automotive suppliers) are also focused on opportunities to acquire promising businesses that may face near-term financial and operational challenges at lower valuations than were available prior to the pandemic. While these deals may appear to be hard to come by, shrewd investors will be well served by considering out-of-court acquisitions of distressed companies. For more information on the fundamental considerations to help guide investors to a successful deal, see deal, see “Possible Silver Lining: Targeted Acquisitions – Financial and Operational Distress in the Supply Chain Presents Opportunities for Growth” article on Page 30.
CONCLUSION 
The global supply chain has changed and suppliers must adapt to the new circumstances. The challenges faced by suppliers in 2021 are likely to continue into 2022. If 2021 taught the industry anything, it is to expect the unexpected and apply the “lessons learned” to navigate challenges going forward. These challenges will require suppliers to reevaluate many of their contracting and operations, including their approach to managing the risks inherent in pricing, warehousing/inventory, and freight costs. More volatility in the supply chain requires that contracts be more flexible in order to allow for a bend-but-don’t-break approach to resolving challenges as they arise.

2 

Back to the Table of Contents

Video

Putting Brakes on Cybersecurity Threats: Practical Strategies to Mitigate Cybersecurity Risk

AUTHORS 
Jen Urban | jurban@foley.com 
Aaron Tantleff | atantleff@foley.com 
Avi Ginsberg | aginsberg@foley.com 

What would you do if you woke up tomorrow and your company’s IT systems were completely locked down? What if you could not use phones, check emails, or receive orders? What if you could not operate machinery or pay payroll? What if the sensitive, personal, and proprietary information your company stores was suddenly unavailable and potentially for sale on the black market? What loss would your company sustain each hour it was offline? What would you do if your company was the subject of a regulatory investigation? What would you do if the media exposed that your company was shut down due to a cyber attack? What would you tell the board or your shareholders? Unfortunately, this is the reality many companies suddenly face today when they become the victim of a ransomware attack.

In addition to being the victim of an attack by a threat actor, these companies may become the target of lawsuits alleging a variety of harms, including failure to deliver on contractual promises, exposure of sensitive information, and/or violation of various laws due to the company’s allegedly negligent cybersecurity practices. Many of these lawsuits result in large settlements for plaintiffs, as reasonable cybersecurity practices are now the standard of care expected of all businesses and many are not adequately prepared. The practical strategies in this article can help ensure your business is on the path to preparing for and safeguarding against a ransomware attack and other cybersecurity risks.

Ransomware: A Substantial Threat to the Automotive Supply Chain

Ransomware attacks frequently made headlines in 2021 and had a substantial impact on many U.S. companies. In the first six months of last year alone, ransomware attacks on U.S. companies were up 148% from 20201. These attacks were responsible for impacting the availability of gasoline up and down the East Coast, disrupting multiple meatpacking plants, and as the year came to a close, causing a cream cheese shortage (which frustrated many holiday bakers). While there are numerous cybersecurity threats affecting companies, such as phishing attacks and software vulnerabilities, these threats are now being utilized as a vector to infiltrate company systems and launch ransomware attacks.

The automotive supply chain is a prime target for ransomware attacks. The cyber criminals that perpetrate these attacks (threat actors) are smart, organized, and creative. They frequently research their victims and target the companies they believe will be most likely and able to pay a ransom. Increasingly, they are targeting industries and companies that they believe will be substantially affected by downtime. The historically just-in-time nature of many parts of the automotive supply chain makes it a prime target for these attacks, as threat actors know such companies cannot afford to be offline for several days or weeks and are more likely to pay a ransom to get back up and running as quickly as possible.

The U.S. Federal Government and many other governments are increasing efforts to combat ransomware, including issuing statements and guidance for the public and private sectors. Unfortunately, due to rapidly evolving technologies, changing global payment systems, and countries that harbor cyber criminals, this pervasive threat is extremely difficult to eradicate. This means it is vitally important for all companies in the automotive supply chain to understand how a ransomware attack could impact their operations, take steps to minimize the chances of an attack occurring, and make changes to minimize the potential damage should an attack occur.

Costs of a Ransomware Attack

Ransomware attacks can be devastating. Many companies in the automotive supply chain cannot operate without computers — they control key machinery, keep track of production and orders, and operate safety systems, such as clean air systems, necessary for production. Yet in a matter of minutes ransomware can lock down computer systems, making them inoperable and rendering important information inaccessible. Further, confidential information may be stolen and, in some cases, published online or sold on digital black markets. Companies are then faced with a tough decision: pay a ransom to unlock their computer systems and prevent confidential information from being leaked or try to erase and restore systems from backups.

The obvious impacts of a ransomware attack are the costs and risks associated with production downtime and the cost of a ransom payment. Companies may be wholly or partially unable to operate while systems are locked down by ransomware. Ransom amounts typically range from several hundreds of thousands to millions of dollars, and even after payment it can take days to fully restore computer systems. In addition to these costs and risks, there are many less-obvious costs:

  • Restoring Computer Systems. Restoring computer systems can be costly. Even if the ransom is paid, trained professionals may need to be hired in order to properly use the specialized software provided by the attackers to restore systems to their pre-attack working state. In addition, companies that suffer a ransomware attack typically hire a computer forensics vendor to determine exactly how their systems were infiltrated and what actions the attackers took while inside, so they can be remediated to prevent additional attacks in the future. (If you leave the back door open, you will likely be attacked again!)
  • Legal Compliance. Depending on the systems and information impacted by ransomware, a company may be required to comply with various state data breach notification requirements, department of defense notification requirements, and other applicable laws. In addition, before paying or making a promise to pay a ransom, companies must conduct diligence to ensure payment is not prohibited by U.S. sanctions. The cost of legal compliance is highly fact-specific and can range from a few thousand dollars to hundreds of thousands, depending on the implicated laws and requirements.
  • Subsequent Litigation. If certain personal information, such as certain information contained in a typical employee human resources file, is exfiltrated during a ransomware attack, there may be lawsuits filed against the company. Resolving such suits can be costly.
  • Contractual Violations. Production delays due to a ransomware attack frequently result in violation of contractual requirements as companies are unable to meet obligations to their customers. Depending on the terms agreed upon, a company may be liable to its customers for the customer’s lost profits due to the delays, a multiple of the cost of the product, or the cost for customers to temporarily find a new supplier if one is available. There may be additional liability if the unavailability of inputs or component parts causes a ripple effect resulting in delays downstream.
  • Reputation Impact. Delays in production can make a supplier appear unreliable, potentially resulting in customer distrust and loss of future business. In addition, after infecting a company with ransomware, threat actors may contact the company’s customers or business partners to inform them of the ransomware attack in an effort to increase pressure and extort a larger ransom payment, resulting in additional reputational damage.

Practical Cybersecurity Strategies to Mitigate Ransomware and Other Cyber Risks

Ransomware is one of several common cybersecurity risks companies face today. Risks such as theft of intellectual property, insider threats, and business email compromises — in which a threat actor gains access to company email account(s) and uses that access to perform malicious actions such as misdirecting funds, changing order terms or recipients, or stealing sensitive information — are increasingly common. By employing these practical cybersecurity strategies, companies can mitigate risks associated with ransomware as well as many other types of cybersecurity risks.

  1. Keep computers and hardware patched and up to date. Attackers frequently use vulnerabilities in software to infiltrate company computer systems and launch ransomware attacks. Many of these attacks are avoidable by regularly installing updates and patches that fix security flaws. It is important to keep all network and internet-connected devices up to date, including computers, smart phones, tablets, routers, firewalls, and “smart” technology, including sensors, lightbulbs, and hubs. In addition, industry standard antivirus software should be used on all computers and kept up to date.
  2. Plan ahead. Your company should have an up-to-date incident response plan covering all types of cybersecurity incidents. Due to the large uptick in ransomware, many companies also find it helpful to have a ransomware-specific policy in place. These documents help to ensure an orderly and efficient response to a cybersecurity incident, which can substantially reduce legal risk and other costs. Legal counsel can assist with drafting or revising these plans and policies to ensure they meet current industry standards and regulatory guidance.
  3. Do not allow personal devices to connect to company networks. If your company provides internet access to employees or customers, create an isolated guest WiFi network for them to use. Do not allow them to connect to the same network used by company computer systems.
  4. Regularly train employees on cybersecurity risks. Ensure training covers topics such as ransomware, phishing, spear phishing, social engineering, and forged emails. Employees are frequently the “weakest link” in company security, and untrained employees are more likely to fall for targeted attacks.
  5. Practice responding to an incident. One of the best ways to improve your company’s response readiness is to regularly practice responding to an incident. Tabletop, or mock, incident response exercises help a company to identify weaknesses in its response plans and prepare incident response team members ahead of a ransomware attack or other cybersecurity incident. This way, if the company is affected by a ransomware attack, critical mistakes can be avoided and incident response team members will be prepared for their duties despite the chaos. Experienced cybersecurity counsel can assist with designing and conducting tabletop incident response exercises.
  6. Require all employees to use multifactor authentication. Employees should be required to use multifactor authentication on all accounts provided by the company, including computer, email, and VPN accounts.
  7. Limit employee access. Each employee computer account should be configured with the minimum amount of access required. Do not give employees “administrator” access unless they are trained IT professionals who require such access. Do not allow general employee accounts to install unapproved software or make changes to system settings. Do not allow employee accounts general access to file shares or servers unless such access is needed. Restrict file share access to specific folders where possible. Less access means more difficulty for an attacker if they obtain and try to use an employee’s login credentials.
  8. Allow remote login only for employees that need it. Ensure only specific employees with a need for remote access can log into VPN or remote desktop services.
  9. Regularly backup systems and store backups separately. Backups should be kept on a different system (on a different network or offline), or stored with a secure cloud backup provider, to prevent ransomware or other malicious code from impacting the availability of backups.
  10. Segment your network. Consider moving critical systems to a separate network from the general network used for email, order processing, etc. This helps to prevent ransomware and other malicious code from spreading to critical systems and may help avoid a total business shutdown in the event of a ransomware attack.
  11. Use email filtering software. Software that filters out malicious links and phishing attacks is an excellent first line of defense and can make it more difficult for attackers to reach employees and infiltrate systems.
  12. Ensure IT has an adequate and properly utilized budget. Upgrading software and hardware can be costly, but generally it is substantially cheaper than a ransomware attack. Ensure your company’s IT team has an adequate budget for cybersecurity and that they proactively utilize it to improve your company’s cybersecurity defenses. Ask them if your organization follows the IT guidance in this section and how they have prepared for a ransomware attack or other cybersecurity incident.

——————————————————–

1 2021 SonicWall Cyber Threat Report, Mid-Year Update

Back to the Table of Contents

Tags

Leave a Comment