  • 1.  Potential Issues with Russia and Ukraine

    This message was posted by a user wishing to remain anonymous
    Posted 02-22-2022 09:50 AM

    With the potential conflict with Russia and the Ukraine, has anyone had any thoughts about how the sanctions could affect your 3rd parties in your company? Could the sanctions affect banks, perhaps developers that are in the Ukraine or any other facets of your 3rd parties?


  • 2.  RE: Potential Issues with Russia and Ukraine

    Posted 02-24-2022 04:48 PM

    From a "What should we be asking our Ukrainian vendors" perspective, I would start with questions around the following. 

    Clients with vendors in Ukraine/Russia/Affected Areas (Affected Areas) should assess whether those vendors:

    • Store, process, or transmit data within/through the Affected Areas.
    • Have offline backups to mitigate against ransomware attacks.
      • Recent testing of the restoration of backups.
    • Have business continuity, disaster recovery, and emergency response plans and whether any have been activated at this time.
      • Recent testing of relevant plan scenarios.
    • Have incident response plans to ensure proper handling of an incident.
      • Recent testing of incident response plans.
      • Specific plans around how to treat a ransomware attack. To pay or not to pay?
      • Specific plans around distributed denial of service (DDoS) attacks as already seen in Ukraine this week.
    • Have ensured all patches and updates have been applied to systems and software to ensure known vulnerabilities are mitigated.
    • Ensure authentication attempts are restricted to a small number of failed attempts.
    • Have implemented multi-factor authentication where possible.
    • Have implemented phishing training and notified their employees of the increased likelihood of phishing attacks.
    • Have assessed VPNs and other connections which may connect to vendors/partners within the Affected Area. 
      • Temporarily disable or further restrict and/or monitor the types of traffic traversing the VPN.
    This is of course just a small list of more immediately relevant areas to assess. I'd like to hear what others are doing about vendors which may be impacted.


  • 3.  RE: Potential Issues with Russia and Ukraine

    Posted 02-24-2022 05:22 PM

    It is unlikely that the US or the EU would sanction Ukraine, as they are not the aggressor in this emerging conflict. That is not to say there aren't Russian firms doing business in Ukraine or elsewhere that could be sanctioned. Furthermore, many US-based firms utilize Russian-based technology developers, engineers, and services that may or may not be impacted. However, most sanctions are limited because they are targeted to specific organizations, individuals, financial institutions, or instruments.

    Russia is already subject to existing sanctions. To learn more about existing sanctions, you can read U.S. Sanctions on Russia ( https://sgp.fas.org/crs/row/R45415.pdf), a congressional paper published in January 2022.

    Sanctions are one of the geopolitical risks to consider when working with offshore vendors. The critical thing to remember is that reviewing your vendor list against sanctions lists should be routine, not something that only happens during onboarding. And having a business continuity plan for geopolitically sensitive vendors is a must.

    I hope that is helpful. But I would love to hear thoughts from other members.