CRO Outlook
Monday, November 25, 2024
By Brenda Boultwood
The adage “truth is stranger than fiction” certainly applies to recent geopolitical risk events. Indeed, some real-world happenings have been more surprising and suspenseful than any spy movie.
To illustrate this point, consider the recent attacks executed by the Mossad, an Israeli intelligence organization, on Hezbollah militants. As risk managers, we must ask ourselves, if the Mossad can infiltrate Hezbollah pagers and walkie-talkies and hide explosives in battery packs, which gadgets are safe? And what does this tell us about the need for more diligent third-party risk management?
Before answering these questions, let’s break down the key details of Mossad-Hezbollah incidents.
In July 2024, following the killing of senior Hezbollah commanders in targeted Israeli airstrikes, Reuters reported that the militant group began “using some low-tech strategies” (including pagers, coded messages and landline phones) to “try to evade its foe's sophisticated surveillance technology.”
That strategy, however, eventually backfired spectacularly. This September, two successive attacks on Hezbollah were attributed to Unit 8200 of the Mossad. On September 17, Hezbollah pagers exploded. The following day, Hezbollah walkie-talkies exploded.
The walkie-talkie explosions left 25 people dead and at least 650 injured, according to Lebanon's health ministry – a much higher fatality rate than the previous day's pager blasts, which killed 12 and wounded nearly 3,000. In total, the consecutive attacks killed 37 people, including at least two children, and injured more than 3,000 people. The batteries of the walkie-talkies were laced with a higher payload of explosive, leading to the higher fatality rates.
What’s telling and informative, from a financial risk management perspective, is how the Israeli intelligence agency executed its plan. Months before the September 17 detonations, the Mossad planted a small amount of explosives inside 5,000 Taiwan-made pagers ordered by Hezbollah. The agents who built the pagers reconstructed the battery to conceal a small but potent charge of plastic explosive and a novel detonator that was invisible to X-ray.
Neither the pager model nor the battery type actually existed on the market. To execute its plan, the Mossad created a marketing mirage, complete with agents posing as marketing and sales staff, promoting a custom pager model and battery pack.
Three years prior to the attacks, the Mossad had struck a licensing deal with a pager producer, with the intent of creating its own highly specialized pager for its undercover company. Mossad agents marketed the adapted product through webpages, online stores, promotional YouTube videos, and forum discussions. But these were all a ruse meant to lure the Hezbollah procurement manager to the product. Very attractive pricing helped seal the deal.
Immediately following the pager incident, Air France suspended its Paris flights to and from both Tel Aviv and Beirut. In the future, moreover, airlines may be required to significantly enhance screening of electronic devices (phones, laptops, etc.) for plastic explosives and other incendiaries. That is something that could certainly affect a company’s employees who are traveling abroad.
Whether there will be any additional lingering indirect effects of the Mossad-Hezbollah pager incident remains to be seen. Certainly, though, this could lead to increased security screening of a company’s visitors – including vendors who want to demonstrate products.
More directly, the Mossad-Hezbollah events could yield governance questions and force your organization to reconsider how it evaluates its third-party vendors. Indeed, the Mossad agents who tricked Hezbollah procurement officials provided an extremely valuable lesson: established third-party risk management (TPRM) processes must be supplemented with testing procedures to ensure that your organization is not dealing with any masked third parties.
Figure 1: Testing Your Third-Party Vendors
In short, you must take steps to confirm that your organization’s third-party vendors are who you think they are. As depicted in figure 1, the authenticity of the third-party marketing demonstrations and webpages must be tested and critically examined.
Comprehensive quality reviews, moreover, must be performed. Lastly, you’ll need to consider whether the pricing being offered is off-market and too good to be true.
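The three tests in Figure 1 can be expressed as a screening routine that a procurement or TPRM team runs over each incoming offer. The script below is an added illustration, not GARP's or the author's own tooling: it checks whether the claimed product and battery models appear in the named manufacturer's published catalogue, whether the vendor's marketing footprint predates the procurement request by a reasonable margin, and whether the quote sits far below comparable quotes. The catalogue, the offers, the benchmark quotes and the thresholds are all constructed for the example.

```python
"""Vendor-offer screening (added example; constructed data and hypothetical thresholds)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Offer:
    vendor: str
    product_model: str
    battery_model: str
    unit_price: float
    marketing_first_seen: date      # earliest date any marketing material is observable
    licensed_from: Optional[str]    # brand whose name appears on the product, if any


# Constructed reference data: what each brand publishes in its own catalogue
# (product models, battery models). A model absent here cannot be verified.
MANUFACTURER_CATALOGUE: Dict[str, Tuple[Set[str], Set[str]]] = {
    "BrandA": ({"AR-100", "AR-200"}, {"BT-L1", "BT-L2"}),
}


def authenticity_flags(offer: Offer) -> List[str]:
    """Test 1: do the claimed product and battery exist in the brand's own catalogue?"""
    if offer.licensed_from is None:
        return ["no manufacturer named; product claims cannot be verified"]
    catalogue = MANUFACTURER_CATALOGUE.get(offer.licensed_from)
    if catalogue is None:
        return [f"manufacturer {offer.licensed_from!r} not in reference catalogue"]
    products, batteries = catalogue
    flags = []
    if offer.product_model not in products:
        flags.append(f"product model {offer.product_model!r} not published by {offer.licensed_from}")
    if offer.battery_model not in batteries:
        flags.append(f"battery model {offer.battery_model!r} not published by {offer.licensed_from}")
    return flags


def provenance_flags(offer: Offer, request_date: date, min_history_days: int = 365) -> List[str]:
    """Test 2: a marketing footprint that appeared shortly before the procurement
    request is consistent with a front set up for this deal; route it to a
    hands-on quality review rather than relying on webpages and demos."""
    cutoff = request_date - timedelta(days=min_history_days)
    if offer.marketing_first_seen > cutoff:
        age = (request_date - offer.marketing_first_seen).days
        return [f"vendor marketing presence is only {age} days old at time of request"]
    return []


def price_flags(offer: Offer, benchmark_quotes: List[float], max_discount: float = 0.30) -> List[str]:
    """Test 3: a quote more than max_discount below the median comparable quote is off-market."""
    if not benchmark_quotes:
        return ["no comparable quotes available to benchmark the price"]
    reference = median(benchmark_quotes)
    discount = 1.0 - offer.unit_price / reference
    if discount > max_discount:
        return [f"quote is {discount:.0%} below the median comparable quote ({reference:.2f})"]
    return []


def screen_offer(offer: Offer, request_date: date, benchmark_quotes: List[float]) -> Tuple[str, List[str]]:
    """Run all three tests; any flag escalates the offer to manual review."""
    flags = (authenticity_flags(offer)
             + provenance_flags(offer, request_date)
             + price_flags(offer, benchmark_quotes))
    return ("escalate" if flags else "proceed"), flags


# Constructed sample input: one suspect offer and one ordinary one.
REQUEST_DATE = date(2024, 1, 15)
BENCHMARK_QUOTES = [100.0, 105.0, 98.0, 110.0]   # median 102.50
SUSPECT_OFFER = Offer("Acme Comms", "AR-900", "BT-X9", 60.0, date(2023, 11, 1), "BrandA")
CLEAN_OFFER = Offer("Established Co", "AR-100", "BT-L1", 99.0, date(2019, 3, 1), "BrandA")

if __name__ == "__main__":
    for offer in (SUSPECT_OFFER, CLEAN_OFFER):
        decision, flags = screen_offer(offer, REQUEST_DATE, BENCHMARK_QUOTES)
        print(f"{offer.vendor}: {decision}")
        for flag in flags:
            print("  -", flag)
```

The suspect offer trips all three tests (unlisted product and battery models, a marketing presence only 75 days old, and a quote roughly 41% under the median), so it is escalated; the ordinary offer passes. The thresholds (365 days of history, 30% discount) are illustrative and would be set from the organization's own risk appetite.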
The good news is that most financial institutions have been adhering to stricter third-party standards for nearly a decade. TPRM guidelines from the FFIEC and the OCC have been around since 2015. What’s more, additional third-party governance standards have been established through anti-money laundering (AML) laws, the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. At a very high level, the standard TPRM process looks something like this:
Figure 2: Today’s TPRM Best Practices
TPRM starts with your organization’s policy and standards for third-party due diligence. As potential vendors are identified in response to a procurement request, you must ask yourself whether your company's prospective third parties conform to its risk appetite. Determining whether they comply with all your company's risk management policies is another step.
After answering these questions, to further screen third parties you’re considering doing business with, you’ll need to perform comprehensive assessments of strategic, business, financial, operational and reputational risks. At this stage, you’ll also want to confirm the third party meets your compliance and cybersecurity standards. (Your vendor inventory and categorization schema allow for portfolio analysis of your third parties.)
If a third-party vendor passes all these tests and you reach an agreement, you’ll then need to onboard them (which requires a legal and service-level agreement) and establish some type of dynamic monitoring.
When risk levels get too high and/or third-party performance becomes inadequate, offboarding may be required. This is often a tricky step requiring contractual review, data access, security checks, communication and continuity planning.
TPRM requires not only a deep understanding of your third parties, but also a broad check on the relationships your third-party vendor has with other vendors – aka “fourth” and “fifth” parties. How deep and broad you go in this process depends on your product and jurisdiction.
If you are a pharmaceutical company concerned about potential adversarial country export restrictions, you may want to go far enough to understand if any inputs of your third party or their suppliers are sourced in China. If you are a battery producer concerned about conflict minerals, you want to understand if any raw materials at any point in the supply chain are sourced in the Republic of Congo.
The impacts of an act of war are not only felt on the battlefield. Whether it’s an information war, a cyber war or a conflict heavy on supply-chain threats, drawing the line between civilian and military behaviors is growing increasingly difficult. Financial institutions therefore need to keep an even closer eye on third parties and upgrade their due diligence.
Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this article are her own and should not be attributed to the United States Naval Academy or the U.S. Department of Defense.
She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy.
© 2024 Global Association of Risk Professionals