Here’s How To Update Your Risk Management Posture Given The War In Ukraine
Risk management leaders in Europe and worldwide are either already experiencing impacts from the war in Ukraine and the sanctions imposed on Russian and Belarusian actors — or they soon will. If you haven’t already, here are the risk-management-related steps to take right now. (Note: You can find the cybersecurity-related actions to take in this companion blog post.)
- Build plans to maintain resilience for business units exposed to the conflict zone. What would you do if your main hyperscaler cloud provider could no longer provide services to business units based in or near the conflict zone or was subject to sanctions or direct damage to their business operations there? Forrester clients with operations in Belarus, Russia, or Ukraine may face precisely this scenario. Risk managers, CISOs, and IT leaders need to urgently review their dependencies on key IT suppliers in the region and quickly assess their ability to switch suppliers if the need arises. Review business continuity plans, supply chain arrangements, and local or global alternatives, and make sure that specific executives are empowered to make those decisions quickly if necessary.
- Update your employees on the heightened risk. Help your employees help you. Make sure there is companywide awareness of potential attacks and what form these attacks may take. Be factual and brief in your messaging to avoid inciting unnecessary fear. Show empathy in your messaging, particularly if you have employees who may be personally impacted by the event. Make sure your employees are prepared for potential phishing attacks. This is not the time to increase your employees’ stress with unnecessary phishing simulations, as any thoughtless phishing campaign now will erode your brand and goodwill.
- Be prepared for more supply chain disruption. Just when it looked like the global supply chain woes might be easing, the war in Ukraine has dealt another blow to the system. Firms should prepare for shortages, supply disruptions, and sanctions to destabilize supply chains for at least 24 months. Given that Russia supplies more than a third of Europe’s natural gas and is the world’s second-largest oil exporter and that Germany has already halted approval of the Nord Stream 2 pipeline, you’re likely already bracing for higher fuel prices and possible shortages. And given that the EU has closed its airspace to all Russian flights and FedEx and UPS have (as of this writing) halted shipments to both Russia and Ukraine, you should also expect increases in the cost of and disruption to both travel and freight transport. Further, the war in Ukraine will also exacerbate the chip shortage: Xenon and neon gas are both critical for semiconductor manufacturing, and Ukraine produces about 70% of the global total of both gases. The list goes on: Russia and Ukraine together account for 25% of the world’s wheat exports.
- Start mapping your tier one and downstream supply chain now. Whether a physical event occurs or not, cyberattacks have already begun against Ukrainian financial and government services. Make no mistake: Even firms that don’t have (or don’t know they have) critical suppliers in the region will be caught in the crosshairs of digital and, if it comes to it, physical warfare. Firms should immediately start mapping the ecosystem of relationships with operations, assets, data, or dependencies on the region (think fuel, metals, industrial gases, maize, and wheat). More than 3,300 US and European firms have tier-one suppliers in Russia, and more than 650 US and European firms have tier-one suppliers in Ukraine. If you haven’t already, start mapping your tier-one, tier-two, and tier-three suppliers to assess the potential impact to the downstream supply chain. Brace yourself for another wave of cyberattacks on your suppliers, and have your contingency plans ready.
Here’s What To Do Next
After you’ve completed the above steps, here’s your next checklist to follow:
- Watch for quickly changing sanctions that will require changes to your third-party ecosystem. Routine sanctions screenings for “go; no-go” decisions on whether to work with a customer, partner, vendor, or supplier just got more complicated. The US has already put a sanction on new investment, trade, and finance in the Donetsk People’s Republic and the Luhansk People’s Republic regions of Ukraine. As of this writing, Australia, the European Union, Japan, New Zealand, Switzerland, Taiwan, the UK, and the US have imposed sanctions targeting Russia’s financial system, trade, and access to semiconductors, cut off access to new Swiss bank accounts for sanctioned firms and individuals, and ejected several Russian banks from SWIFT (thus cutting them off from the global financial system). Assume there will be further sanctions; be proactive by screening third parties, including partners, foreign affiliates, and customers, for ties to Russia, Russian oligarchs, Ukraine’s separatist states, and Belarus.
- Take a close look at the terms and conditions of your cyber insurance policy. Property and liability policies typically have a war exclusion. Standalone cyber insurance policies may also have language related to coverage when an attack is considered cyberterrorism. Since at least 2020, cyber insurance carriers have been refusing to pay claims related to attacks attributed to state-sponsored actors. Most notably, Lloyd’s of London added broad language to its policies and those of its syndicates, excluding coverage for cyberattacks considered a direct or indirect result of an act of war or cyber operation. What your policy explicitly covers matters. Increasingly, the days of “silent cyber,” where a policy doesn’t specifically address cyber and is silent on the exposure, are behind us. Work with your legal team or outside counsel to seek clarity from your cyber insurance broker or your carrier’s claims management contact.
- Rehearse your disaster recovery (DR) and high availability (HA) plans. Given the diverse network topologies you’re using (because you’ve likely got a mix of on-premises, public cloud, and hybrid infrastructure), it is important to not only have a DR playbook in place, but also to understand how you’ll implement that workflow. Verify with your IT colleagues that you’ve actually been executing the key elements of your DR plan (e.g., frequent backups, circuit cutovers and reroutes, etc.), and, if not, understand what it will take to dust the plan off and make it a reality. HA plans can go a long way to mitigate loss of functionality, but only if they are actively maintained and updated. If your HA deployment is a hot/cold, then ensure that the cold side has been cared for and won’t prove to be useless shelfware when you need it.
- Move geopolitical instability up your enterprise risk management agenda. Based on externalities and characterized by how slowly they build but how quickly they materialize, “geopolitical fluctuations” was ranked number two on Forrester’s The Top Systemic Risks, 2021, but had slipped to sixth place for the systemic risk with the greatest potential impact to firms in 2022. You need a new geopolitical risk assessment and impact analysis that incorporates the war in Ukraine and all its downstream effects.
Note: Senior Analyst Heath Mullins also contributed to this blog post.