Risk Assessments

Identifying Nth party supply chain impacts in Ukraine or surrounding regions

  • 1.  Identifying Nth party supply chain impacts in Ukraine or surrounding regions

    Posted 03-01-2022 10:45 AM
    I'm sure all of us are watching the events unfolding in Ukraine with great interest. First and foremost hoping peace prevails quickly and keeping the people in the region in our thoughts. 

    In our day jobs, we're also wondering what the impacts will be to business. We have been searching several risk, payment, sourcing and info sec tools for links to the impacted area in an attempt to risk-assess impacts to operations. While we think the impact to third parties is low, we don't know what we don't know about 4th, 5th and beyond. I'm curious what others are doing related to Nth party impacts and subcontractors? Have any of you gone out with additional questionnaires to critical third parties? To all third parties? And how did you come up with the criteria to scope? Along those lines, are your organizations developing any kind of holding statement to use when customers or regulators start to ask how you've been preparing?

    Appreciate any input you can provide.


  • 2.  RE: Identifying Nth party supply chain impacts in Ukraine or surrounding regions

    Posted 03-08-2022 10:44 AM

    From the questionnaires perspective for 3rd and Nth parties, here is a questionnaire we've pulled together for our clients to use. We're aware of a subset of our clients who've sent out the below or a version of their own.

    • Suggested scope: critical vendors and their 4th parties (if known)
    • Suggested vendor operating locations: Ukraine and Russia to start but more can be identified as impact expands or cyber attacks are confirmed
    • Suggested Question Set:

    1. Does your organization have Business Continuity / Resiliency planning in place to respond to and recover from current country conflict events? (Yes, No)
      • Has it been tested in the past 90 days? (Yes, No)
      • Have you tested:
        • business continuity
        • disaster recovery
        • emergency response plans
    2. Do you have Cyber and Information Security controls in place? (Y/N)
      • Have critical-risk patches and updates been applied to systems and software to ensure known vulnerabilities are mitigated? (Y/N)
      • Have you performed a data restoration test from backups within the past 30 days? (Y/N)
    3. Is there currently an impact to any of your organization's locations? (Yes, No, and Comments)
      • If responded yes, describe which recovery strategies your organization has activated and the effectiveness. (Comments)
      • Does the location currently impacted directly support our contracted products/services? (Yes, No, and Comments)
    4. Have steps been taken to address any potential impacts associated to third-parties that support your operations (customer fourth parties)? (Yes, No)
      • Please describe your efforts to determine whether your vendors operate from, or rely on resources within, Russia or Ukraine to deliver services in scope of our agreement. (Comments)
      • What is being done to ensure our fourth parties can continue to support their contractual obligations to you as a customer? (Comments)
      • Has your third party tested incident response plans within the past 90 days with scenarios relevant to the Russia / Ukraine conflict (e.g. ransomware, DDoS, data destruction) to ensure a timely and appropriate response? (Yes, No, and Comments)
    We're always interested in hearing what others are doing around questionnaires and the other important aspects as brought up in the original post.