After the Russian invasion of Ukraine, the business world will never be the same. Deputy Attorney General (DAG) Lisa Monaco recently stated that “the global geopolitical landscape is more difficult and complex than ever. The most striking example is of course Russia’s invasion of Ukraine. It is “nothing less than a fundamental challenge to the international norms, sovereignty and rule of law that underpin our society”. This is all the more true in the current economic climate.
In this five-part series, I’ll examine how business will never be the same again, and how a confluence of events of events changed business forever. I am accompanied in this exploration by Brandon Daniels, President and Chief Executive Officer (CEO) of Require. We will explore irrevocable changes in the supply chain, trade and economic sanctions, anti-corruption, cybersecurity and environment, social and governance (ESG). In part 4, we continue to explore the changes brought about by the Russian invasion of Ukraine, in the area of cybersecurity.
The Russian invasion of Ukraine made everyone else realize how serious cybersecurity was from a defense perspective and not just from a business risk management perspective. According to Daniels, this sent the clear cybersecurity message that the United States is in a non-kinetic war with Russia and China. Intellectual property (IP) theft through cybercrime has steadily increased over the past decade, but Russia and China are “flooding the United States with attacks” and specifically Russia attempts to compromise “American facilities and technologies since the beginning of the crisis”.
A second equally important point about cybersecurity is its interconnection with commerce. Countries like Russia and China clearly use state and non-state enterprises to advance state ambitions. These attacks have been particularly prevalent in the supply chain where 80% of the largest cyberattacks that have occurred have been supply chain attacks. This means that you may have integrated some software into your organization through a vendor, but somewhere earlier in the development of that software, in that vendor’s purchase of underlying software capabilities, there there was malware that was planted by a state-owned actor. , a non-state actor or a criminal network. This interconnection between third parties and supply chain, risk management and cyber risk management has been made much more explicit since the Russian invasion of Ukraine.
Daniels pointed out that companies may have “vendors that are one or two degrees away from the Russian oligarchs and those Russian oligarchs could use the fact that we’re using their software one or two degrees away as an entry point to steal classified information about what the US government is doing in “an area such as critical infrastructure. Again, the nature of cybersecurity and its interconnection with third-party and vendor risk management has been” another revelation that came out of this crisis and this conflict”.
One of the recurring themes of the Russian invasion of Ukraine is the interconnectedness of risks that will never be the same. We have already explored some of them such as the supply chain, trade and economic sanctions and the fight against bribery and corruption. There are others like crypto and ESG. All of this can lead to a perception of complexity that could overwhelm risk management and other business professions thinking about how to manage those risks.
Daniels suggested an approach that assesses your suppliers in their environment for four quadrants of risk: operational, foreign ownership, financial health, and reputational risk. After establishing your risk appetite, you will need to evaluate each vendor on an individual, singular basis. You need to have a process where every supplier entering your company’s pipeline goes through an onboarding process that manages your risk appetite and then monitors risks that might pull a supplier above your risk threshold. If a provider does not match your risk appetite in any of these key areas, you should further investigate the use of that provider.
There are other risk profiles you should consider. One is industry risk, which means what critical industries do you rely on. Daniels noted that a cloud hosting company should be concerned about computing resources, bandwidth, power, or fiber resources. He said, “Don’t try to boil the ocean, just look at your critical industries and see where you might have issues that might be problematic” for your industry.
Finally, another key risk area to consider is jurisdictional risk. This means reviewing the locations of your facilities. Daniels said, “I look at where my most important or critical products are made. Again, if I’m a cloud hosting company, it could be the microelectronics that I use to power computing resources, to determine where manufacturing site concentration is concentrated. But the key is to take it in small chunks by company, industry, and jurisdiction, and then monitor so you can at least maintain a reactive posture on upcoming events. In doing so, it allows your business to continually mature and evolve, increasing complexity and efficiency to continually improve this program to begin working towards proactive risk management.