The current war in Ukraine should be considered a trigger to proactively reach out via questionnaire to your vendors as part of ongoing monitoring, a third-party risk management best practice. The objective is to identify vendors currently impacted or with pending/potential impact, in order to support organizational risk decision-making.
Considerations for Third-Party Risk Professionals
Recommended vendor scope: Critical vendors and/or high-risk rated vendors
Suggested vendor operating locations: Ukraine, Russia and Poland should be the primary focus, as there are confirmed impacts from the war, sanctions and cyber events. While the physical and direct operational impacts are localized, supply chain impacts could expand (fuel costs and availability, for example), and the biggest unknown is the cyber threat as the conflict continues and sanctions are implemented. Add locations as impacts expand or cyber-attacks are confirmed. If you are unsure of vendor locations, in particular which locations support the contracted products/services you use, it is best to send the questionnaire to every vendor in your scope.
Best practices to consider:
- Customer contracts typically provide a "right to audit," but smaller organizations may need to review their terms before pursuing this formal approach. Use the lines of communication already established by your vendor owners to resolve any unknowns.
- This is not a business-as-usual due-diligence effort. Avoid sending your large questionnaire or out-of-the-box question set. Questions should be purpose-built.
- Consider simple yes/no responses for the primary questions to ensure you have an accurate picture and can quickly review the responses (especially if you plan to send to many vendors). Additional follow-up should be done to closely monitor for changes.
- Your own internal controls, both cyber/infosec (patching, data restoration testing and penetration testing) and business continuity (alternate vendors, or absorbing the vendor's function in-house), should be tested or implemented, either preventatively or in reaction to the responses received.
Sample Vendor Questionnaire for Event-Based Monitoring
Below is a question set designed to use for direct outreach to vendors to understand where products and services might be impacted. It has been made available to current Venminder customers as a pre-built external questionnaire ready to be utilized or further customized.
- Is your organization wholly or partially operating from Russia, Ukraine or surrounding regions?
- Is there currently an impact to any of your organization’s locations?
- Describe which recovery strategies your organization has activated.
- Does the location currently impacted directly support our contracted products/services?
- Has your organization conducted a risk assessment to determine the potential impact the geopolitical conflict may have on your organization?
- What is the risk level as it sits today with your organization?
- Does your organization have financial or credit exposure related to the Russia / Ukraine region that may impact operations?
- Do you have any customers concentrated in the affected regions?
- Do you have any cash / revenue tied up in the affected regions?
- Does your organization have business continuity / resiliency planning in place to respond to and recover from the current country conflict events?
- Has it been tested in the past 90 days?
- Have you tested:
- Business Continuity
- Disaster Recovery
- Crisis Management / Incident / Emergency Response
- Do you have cyber and information security controls in place?
- Has your organization conducted a review of its cybersecurity insurance policies and how these events may impact the liabilities that may arise?
- Have critical-risk patches and updates been applied to systems and software to ensure known vulnerabilities are mitigated?
- Have you performed a data restoration test from backups within the past 30 days?
- Have steps been taken to address any potential impacts associated with third parties that support your operations (our fourth parties)?
- What is being done to ensure our fourth parties can continue to support the contractual obligations to you as a customer?
- Do any of your vendors wholly or partially operate from Russia, Ukraine or surrounding regions?
- Please describe your efforts to determine whether your vendors operate from, or rely on resources within, Russia or Ukraine.
- Have your vendors tested their incident response plans within the past 90 days with scenarios relevant to the Russia / Ukraine conflict (e.g., ransomware, DDoS, data destruction) to ensure a timely and appropriate response?
- Do you have a list of potential replacement vendors that could augment or step in to replace these affected vendors in the regions impacted by the geopolitical events?
- Have your vendors conducted a review of their cybersecurity insurance policies and how these events may impact the liabilities that may arise?