The Cost of Supply Chain Security—$250M in Sales

By: Craig Kennedy

On February 16th, Applied Materials announced its first quarter 2023 earnings, and in the Q2 Business Outlook section reported a “negative estimated impact of $250 million dollars related to a cybersecurity event recently announced by one of our suppliers.”

Who is the Affected Supplier?

While Applied Materials didn’t identify the supplier, it appears to be referring to MKS Instruments, which announced a major ransomware event earlier in the month.

MKS stated in its own announcement that the ransomware event has had a material impact on its ability to process orders, ship products, and provide service to customers in the Company’s Vacuum Solutions and Photonics Solutions Divisions.

In addition to Applied Materials, MKS Instruments is also a supplier to Intel, Samsung, and TSMC, to name a few. We may not have seen the last of the impact of this breach. 

The impact on MKS Instruments seems to have been pretty severe, in that it delayed its own earnings call until later this month to give itself time to assess the impact on earnings moving forward.

Currently, parts of the MKS Instruments website are still impacted, with its homepage stating “Unfortunately, www.mks.com is experiencing an unscheduled outage.”

Related to ESXiArgs Ransomware Attack?

My previous blog in the Aragon Research Digital Operations blog series covered a massive ransomware attack impacting thousands of unpatched VMware ESXi servers across the globe.

This VMware ESXi attack began on February 2nd and MKS Instruments announced they were a victim of a ransomware attack on February 3rd, so I suspect they were one of the thousands of victims caught up in this wide-ranging attack.

If this is indeed related, the hard part to swallow is that VMware released a patch for the exploited vulnerability almost two years ago. Read my earlier blog for all the gory details.

How Secure Is Your Supply Chain?

Enterprises need to fully assess the security, availability, and processing integrity capabilities of all critical up-stream suppliers. Can your suppliers provide appropriate independently audited certifications like SOC and ISO? This needs to be a part of the supplier selection process.

It’s not adequate to just ensure that protections are in place to keep intellectual property and data isolated between companies. Each up-stream supplier must be assessed to identify the business continuity risk to your company should they become the victim of an attack.

Bottom Line

Enterprises need to proactively understand and assess the stability of their suppliers. Require audited certifications and attestations wherever appropriate from your suppliers. As demonstrated by the Applied Materials experience, a breach within the supply chain can easily cost a cool quarter of a billion dollars.



This blog is a part of the Digital Operations blog series by Aragon Research’s Sr. Director of Research, Craig Kennedy.
