After the Russian invasion of Ukraine, the world of business will never be the same again. Deputy Attorney General (DAG) Lisa Monaco recently said that the world’s “geopolitical landscape is more challenging and complex than ever. The most prominent example is of course Russia’s invasion of Ukraine.” It is “nothing less than a fundamental challenge to international norms, sovereignty and the rule of law that underpins our society.” This is even more so in the current business climate.
Over this five-part series, I will consider how business will never again be the same and how a confluence of events has changed business forever. I am joined in this exploration by Brandon Daniels, Chief Executive Officer (CEO) of Exiger. We will explore the irrevocable changes in supply chain, trade and economic sanctions, anti-corruption, cybersecurity and environmental, social and governance (ESG). In Part 4, we continue to explore the changes wrought by the Russian invasion of Ukraine, this time in the realm of cybersecurity.
The Russian invasion of Ukraine gave everyone an understanding of how serious cybersecurity really is from a defense perspective, and not just from a corporate risk management perspective. According to Daniels, it drove home the clear message in cybersecurity that the United States is in a non-kinetic war with Russia and China. Over the past decade the theft of intellectual property (IP) through cybercrime has steadily increased, but Russia and China are essentially “showering the US with attacks” and specifically Russia is attempting to compromise “US facilities and technologies since the crisis” began.
A second and equally important point on cybersecurity is how interconnected it is with commerce. Countries such as Russia and China are clearly using both state and non-state businesses to further the ambitions of the state. These attacks have been particularly prevalent in the supply chain, where 80% of the largest cyber-attacks that have occurred have been supply chain attacks. This means that you may have integrated some software into your organization through a vendor, but somewhere earlier in that software’s development, in that vendor’s purchasing of underlying software capabilities, a malicious piece of software was planted by a state-owned actor, a non-state actor or a criminal network. This interconnectedness between third party and supply chain risk management and cyber risk management was made much more explicit by the Russian invasion of Ukraine.
Daniels pointed out that companies may have “vendors that are owned one to two degrees away by Russian oligarchs and those Russian oligarchs might be using the fact that we use their software one to two degrees away as an entry point to steal classified information about what the US government is doing in” an area such as critical infrastructure. Once again, the nature of cybersecurity and its interconnectedness with third party and supplier risk management was “another revelation that came out of this crisis and this conflict.”
One of the continuing themes from the Russian invasion of Ukraine is the interconnectedness of risks, which has changed permanently. Some of these risks we have previously explored, such as supply chain, trade and economic sanctions, and anti-bribery and anti-corruption. There are others, such as crypto and ESG, as well. This can all lead to a perception of complexity which could overwhelm risk management and other business professionals thinking through how to manage these risks.
Daniels suggested an approach which assesses your vendors in their environment across four quadrants of risk: operational, foreign ownership, financial health and reputational risk. After you have established your risk appetite, you will need to assess every vendor individually. You should have a process where each vendor coming through your company’s pipeline follows an onboarding process that manages to your risk appetite and then monitors for risks that could pull a vendor above your risk threshold. If a vendor falls outside of your risk appetite in any of these key areas, you should review the use of that vendor in more detail.
There are other risk profiles you should consider. One is industry risk, that is, which critical industries you rely upon. Daniels noted that a cloud hosting company should be concerned with computing resources, bandwidth, power, or fiber optic resources. He said, “Don’t try to boil the ocean, just look at your critical industries and see where you might have issues that are coming up that could be problematic” for your industry.
Finally, another key risk area to consider is jurisdictional risk. This means reviewing the locations of your facilities. Daniels said, “I look at where my top or most critical products are being manufactured. Again, if I’m a cloud hosting company, it might be the microelectronics that I use to power computing resources, to determine where the concentration of manufacturing locations.” But the key is to take it in bite-size chunks by company, industry, and jurisdiction, and then monitor so you can at least maintain a reactive posture on upcoming events. Doing so enables your company to continuously mature and evolve its program, adding complexity and efficacy, so that it can move from a reactive posture towards proactive risk management.
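The approach Daniels describes above, as a worked example: a vendor is scored against the four quadrants (operational, foreign ownership, financial health, reputational), gated at onboarding against a stated risk appetite, re-checked by monitoring for any quadrant that newly crosses the threshold, and the manufacturing locations of critical products are aggregated to expose jurisdictional concentration. This is an added illustration written for this article, not code from the author, Exiger or any product; the 0-10 scores, appetite thresholds, concentration limit and vendor names are all constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four risk quadrants named in the article.
QUADRANTS = ("operational", "foreign_ownership", "financial_health", "reputational")

# Constructed risk appetite: the highest score (0-10, higher = riskier) tolerated
# per quadrant. Illustrative placeholders, not figures from the article.
RISK_APPETITE: Dict[str, int] = {
    "operational": 6,
    "foreign_ownership": 4,
    "financial_health": 6,
    "reputational": 7,
}

# Constructed limit: share of critical product lines manufactured in one
# jurisdiction above which jurisdictional concentration is flagged.
CONCENTRATION_LIMIT = 0.5


@dataclass
class VendorAssessment:
    """One point-in-time snapshot of a vendor's quadrant scores."""
    name: str
    scores: Dict[str, int]
    # (critical product, country where it is manufactured) for jurisdictional risk.
    critical_products: List[Tuple[str, str]] = field(default_factory=list)


def quadrants_over_appetite(a: VendorAssessment,
                            appetite: Dict[str, int] = RISK_APPETITE) -> List[str]:
    """Quadrants where the vendor's score exceeds the risk appetite."""
    return [q for q in QUADRANTS if a.scores.get(q, 0) > appetite[q]]


def onboarding_decision(a: VendorAssessment,
                        appetite: Dict[str, int] = RISK_APPETITE) -> str:
    """Onboarding gate: approve only if every quadrant is within appetite."""
    return "review" if quadrants_over_appetite(a, appetite) else "approved"


def monitor_change(previous: VendorAssessment, current: VendorAssessment,
                   appetite: Dict[str, int] = RISK_APPETITE) -> List[str]:
    """Monitoring: quadrants within appetite before that are above it now.

    Only newly crossed thresholds are returned, so a vendor already under review
    is not re-flagged for the same quadrant on every monitoring cycle.
    """
    before = set(quadrants_over_appetite(previous, appetite))
    after = set(quadrants_over_appetite(current, appetite))
    return sorted(after - before)


def jurisdiction_concentration(assessments: List[VendorAssessment]) -> Dict[str, float]:
    """Share of all critical product lines manufactured in each country."""
    counts = Counter(country for a in assessments for _, country in a.critical_products)
    total = sum(counts.values())
    return {country: n / total for country, n in counts.items()} if total else {}


def concentrated_jurisdictions(assessments: List[VendorAssessment],
                               limit: float = CONCENTRATION_LIMIT) -> List[str]:
    """Countries whose share of critical manufacturing exceeds the limit."""
    shares = jurisdiction_concentration(assessments)
    return sorted(c for c, s in shares.items() if s > limit)


# Constructed sample data for a hypothetical cloud hosting company.
VENDORS_Q1 = [
    VendorAssessment("Fiber Provider A",
                     {"operational": 3, "foreign_ownership": 2,
                      "financial_health": 4, "reputational": 2},
                     [("fiber", "Country X")]),
    VendorAssessment("Chip Supplier B",
                     {"operational": 5, "foreign_ownership": 3,
                      "financial_health": 5, "reputational": 3},
                     [("microelectronics", "Country Y"), ("power modules", "Country Y")]),
]

# Re-scored a quarter later: a constructed ownership change pushes the
# foreign-ownership quadrant of Chip Supplier B over appetite.
CHIP_SUPPLIER_B_Q2 = VendorAssessment(
    "Chip Supplier B",
    {"operational": 5, "foreign_ownership": 7, "financial_health": 5, "reputational": 3},
    VENDORS_Q1[1].critical_products,
)

if __name__ == "__main__":
    for v in VENDORS_Q1:
        print(v.name, onboarding_decision(v), quadrants_over_appetite(v))
    print("newly flagged:", monitor_change(VENDORS_Q1[1], CHIP_SUPPLIER_B_Q2))
    print("concentrated jurisdictions:", concentrated_jurisdictions(VENDORS_Q1))
```

The separation between the onboarding gate and `monitor_change` mirrors the two stages in the text: the gate decides once against the appetite, while monitoring only reports a quadrant the first time it crosses the threshold, which keeps the review queue focused on changes rather than on known, already-accepted risk. The concentration check is deliberately per jurisdiction rather than per vendor, since two acceptable vendors can still put most of a critical product line in one country.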