
Cyberrisk Management Tips for Businesses Amid the Russia-Ukraine War

A wide range of risks are trickling down from Russia’s assault on Ukraine, from sanctions compliance to supply chain disruption to business interruption. Cyberrisk has also drawn considerable concern and the threat landscape continues to evolve rapidly, though the details of increased cyberattack activity are not yet fully known and may be largely unfolding below the surface right now. Attacks attributed to Russia have been launched against a range of targets in Ukraine, including new destructive malware campaigns, targeted information-gathering against a range of civilian and government targets, and attacks on critical infrastructure.

Concerns about escalating cyber activity around the crisis are a vivid reminder of the importance of knowing your threat model and adjusting your risk management priorities accordingly. According to experts ranging from independent cybersecurity professionals to officials at the Cybersecurity and Infrastructure Security Agency (CISA), organizations at greatest risk right now include critical infrastructure, banks and other financial services firms, and of course key service providers in Ukraine or Russia.

Spill-over to other businesses is more likely with cyber conflict, however, particularly given that Russia is one of the most advanced and aggressive nation-state cyber threat actors. Remember that the crippling global attack known as NotPetya, which upended supply chains in 2017, resulted from a Russian cyberattack on Ukraine. That is not to say that there is necessarily cause for panic, simply that the effects of cyber conflict can be unexpected, widespread and potentially severe.

At this point, for most companies that are not in a high-risk position as a direct result of the war, the best course of action for risk professionals is to focus on ensuring your company has an updated and detailed incident response plan on hand and distributing it to relevant members of the organization, reviewing and potentially strengthening your general cybersecurity posture, and reminding employees about cyber hygiene.

For example, given the tragic events and breaking developments around the conflict, many may be glued to news or social media. Unfortunately, malicious actors are known to take advantage of such situations by posting phishing links on social media with alleged news updates or email scams that purport to collect charity donations. Remind employees about these perils and offer refreshers on how to spot phishing scams and the need to exercise caution with links in emails or on social media.

“In addition to taking a fresh look at plans and other policies within an organization’s cybersecurity risk framework, businesses should consider a few common-sense tips to prepare for a potential cyber incident,” advised Annmarie Giblin, partner at Hinshaw & Culbertson and leader of the firm’s data privacy and cybersecurity practice. Giblin recommended risk professionals take the following steps to boost cyberrisk management efforts right now:

  1. Print out a hard copy of any necessary policies and plans, like the cyber incident response plan, the business’ cyber insurance policy and a contact list for the organization, so you have them available in the event you cannot access your system and need to communicate with employees through alternative methods.
  2. Remind your employees about common cyber scams and reiterate that there will be no retaliation for reporting a cybersecurity mistake, such as clicking on a bad link.
  3. Have key members of the executive team and incident response team set up a secure but alternate method of communication, such as sharing phone numbers or creating a different off-system email address to communicate in the event the business’ systems are not available or not trusted.
  4. Keep track of the latest threats and get the research over to your IT team so they can update your firewall, and/or contact the business’ security services provider and make sure they are aware of and addressing these new malware strains.
  5. Evaluate and, if possible, test your business continuity plans. Organizations should be asking themselves, “What does the work day look like without access to the business’ systems?” and “How can we still work without any technology support?”

Cyber insurance firm Coalition has put together a guide to basic cybersecurity measures to help organizations—policyholders and otherwise—proactively manage cyberrisk and reduce the likelihood of a cybersecurity incident. The guide provides 10 key steps to help improve cyberrisk management, highlighting the basics of each mitigation measure, tips on how to implement, and even some vendor suggestions for credible options, if desired. Coalition notes this may be particularly helpful for small and mid-sized businesses that do not necessarily have dedicated in-house information security experts, but it could also be worth a look for any risk professional who wants an overview of mitigations that should be in place or ways to fill those gaps. Check it out here: https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2020-12-2021-Coalition-Cybersecurity-Guide.pdf

For more resources on cyberrisk management best practices, cyber incident response, cyber insurance considerations, and more, check out Risk Management Magazine’s extensive cyber coverage here. Some of the highlights below can help address key concerns that you—or your board—may have right now, and offer actionable strategies to strengthen your cyberrisk readiness and boost employee cyber hygiene:

Managing Sanctions Risk from Russia’s War on Ukraine

Since Russia began attacking Ukraine on February 24, thousands of people have been killed and over a million people have had to flee their homes, presenting one of the largest refugee crises Europe has ever experienced. In addition to the tragic human losses, the Russian invasion of Ukraine has triggered wide-ranging economic impacts. Among them, the European Union, United Kingdom, United States, Canada, Japan and others have enacted sweeping financial sanctions on Russia in an effort to pressure President Vladimir Putin to end the conflict. These sanctions have targeted Russia’s financial system and its international financial connections by restricting transactions between Russian banks and those in other countries, most notably through the SWIFT global financial network.

The economic impacts of these sanctions will likely affect many industries around the world, whether organizations deal with Russia directly or indirectly through third countries. In a briefing yesterday, global risk consultancy Control Risks discussed some of the risk management considerations and steps companies need to take as the sanctions landscape continues to evolve. According to panelist Henry Smith, partner and head of business intelligence and due diligence in EMEA at Control Risks, there are five key areas risk professionals should focus on to address the risk facing their companies as a result of these sanctions:

  1. What are your nexuses to Russia (including outside Russia)? Organizations need to look at their touchpoints with Russia, including investors and shareholders, lenders and banks, direct and indirect clients, contractual counterparties, and goods and services sourced directly or indirectly from Russia.
  2. Which sanctions apply to your organization? The applicability of sanctions will vary based on your sector, the nationality of the people within the organization, and the currencies you use. It is helpful to note that, currently, there is greater consensus among various sanctions regimes so you may not have to parse through conflicting degrees of severity—consistent sanctions against Russia are being imposed, at least across most Western countries.
  3. What risks are you exposed to? Conduct a risk assessment around which sanctions you are exposed to and whether there are any business activities, relationships or practices you need to end or change in some way. This involves regularly screening Russian counterparties against sanctions lists and undertaking detailed analysis of higher-risk relationships.
  4. How do you respond? Review the implications of any decisions on employees and on contractual obligations, both with direct and third-party clients. Consider any impact winding down activities in one area may have on other business areas. Be sure to engage with regulators, enforcement agencies, banks and insurers for guidance.
  5. What do you do as sanctions regimes evolve? Sanctions will change in response to security and political developments over the coming weeks and months, so it is important to stay informed of any communications from authorities. Review and read guidance from regulators, enforcement agencies, banks and insurers, and benchmark with industry peers to make sure you can still operate effectively.

Overall, when deciding whether to continue doing business with Russia, companies will need to consider both reputational and ESG-based perspectives as well as practical issues around their ability to do business, such as maintaining the working capital required to continue operations and ensuring that goods and services can still move through the supply chain.

Experts expect that the Russia-Ukraine crisis will have a long-term impact on the global economy and many effects of these sanctions may not be felt for weeks or months. Companies will need to remain vigilant in order to stay ahead of the risks.

Supply Chain Stability and COVID-19 Vaccine Delivery

As COVID-19 vaccines are rolled out around the world, effective risk management coupled with predictive analytics can help ensure supply chain stability to quickly and safely deliver them. Pharmaceutical companies and stakeholders around the world are scaling their vaccine roll-out, and concerns are emerging around logistical challenges of how to manage quick global distribution. One thing is clear: the entire supply chain’s stability needs to be monitored carefully, as a single fracture can have catastrophic effects on distribution of this time-sensitive vaccine.

Pfizer has designed an innovative logistical method to control vaccine distribution from manufacturing to local cold-storage facility. Much has been written about vaccine producers’ heroic efforts to secure upstream components such as glass vials, stoppers, and crucial vaccine ingredients, as well as the distribution packaging, including dry ice capacity, specially manufactured cold-boxes for vials, airfreight logistics and more. But very little has been reported on the downstream, or on-the-ground distribution of the vaccines around the world. As the vaccine touches down in states across the United States and countries around the world, the real distribution challenges begin.

As in every industry, risk originates in many places along the supply chain. Geopolitical risk, fraud, and third-party financial risk all must be understood if the vaccine is to reach the greatest number of people in the shortest amount of time. While some believe responsibility for distribution lies solely with individual localities, they are forgetting that the entire supply chain and logistics industry has a moral imperative to ensure that the vaccine is properly and fairly distributed.

Even with the best planning, plenty can go wrong, including:

Geopolitical Risk: If history has taught us anything, it is that some in power will manipulate the distribution of life-saving relief to their political advantage. Examples include the United Kingdom’s blockades of food to Ireland and India, Sierra Leone military juntas interfering with United Nations food relief, and Somali intelligence officers kidnapping the World Food Program’s local chief, among others. Closer to home, President Donald Trump tried to manipulate the distribution of PPE away from states that did not support his politics. Once life-saving vaccines arrive in local facilities, it will be a monumental task to distribute them fairly, and in a manner that does not give more power to local officials who seek to use them to further entrench corruption.

Financial Risk: Many organizations can stumble while rolling out distribution programs. Without proper chains of custody, fast financing, and quick due-diligence on third-party logistics suppliers, even the most well-oiled machines could fail to deliver the vaccine in a successful manner. The scale of vaccine demand is massive. Shortages are already present for raw inputs, and for critical infrastructure components. To meet these unique challenges, access to fair financing and payments should be guaranteed to all participants in the supply chain (i.e., no 90-day contracts for truck drivers who are moving the vaccines).

Geolocation: Risks like natural and manmade disasters, lack of last-mile distribution, and poor infrastructure can all cause a single point of failure. The technology exists to ensure that vaccines are sent to the most geographically ideal local distribution hubs, and predictive forecasting should be employed to ensure the most timely deliveries.

Since risk can originate anywhere along the supply chain, everyone involved in the logistical aspect of vaccine storage and distribution needs to assess the existing systems to calculate and correlate risk. Leveraging technology is the best way to gain visibility. Rather than rely on gut instincts to determine supplier and partner risk, those in charge should use data to make decisions and consider implementing automated intelligence technology to actively predict and correlate how a change in geopolitical risk will affect the financial health of suppliers. Proactive planning is not only crucial for continuing rollout of vaccines for the current pandemic, it is also paramount in being prepared for the next pandemic.

Black Lives Matter: Taking Action on Diversity and Inclusion

As protesters across the United States call out systemic racism and police violence against Black people, and Pride Month honoring the LGBTQ+ community begins, diversity and inclusion issues are—and should be—drawing headlines and dominating conversations around the world.

RIMS CEO Mary Roth and 2020 President Laura Langone released a statement Friday saying:

“To the Black members of our community, we cannot fully appreciate how pained you must be by not only this most recent act—but by all acts that reflect bigotry and hatred in our nations’ communities. What we can do is accept the responsibility to ensure that RIMS community reflects something different. Let us be clear: RIMS does not tolerate any form of racism or discrimination in our global community. And we will always look for ways to improve.”

The editors of Risk Management and the Risk Management Monitor echo this message and stand with our Black colleagues, RIMS members and the Black community at large.

As we all look to support, advocate, learn and do better, we have compiled a list of resources to help, including industry advocacy groups for Black risk and insurance professionals, as well as resources for strengthening your organization’s policies, procedures and diversity and inclusion programs. You can also review selections from our previous coverage of diversity and inclusion below:

Industry Advocacy Groups and Research

National African American Insurance Association (NAAIA)

International Association of Black Actuaries

REPORT: The Journey of African American Insurance Professionals, from Marsh and NAAIA

For public sector risk professionals:

The Government Alliance on Race and Equity (GARE)

National Forum for Black Public Administrators

From ICMA, the association for professional city and county managers: WEBINAR: Sharpening the Focus on Social Equity to Make Strategic Budget Decisions

ARTICLE: Silence Is Complicity: Can White America Demonstrate that Black Lives Matter?

Diversity and Inclusion Resources

Global Diversity and Inclusion Benchmarks, Standards for Organizations Around the World, from the Centre for Global Inclusion

The Diversity & Inclusion Revolution, Eight Powerful Truths, from Deloitte

Corporate Equality Index, from the Human Rights Campaign

Previous Risk Management Coverage on Bias, Diversity and Inclusion

Beyond Pride: Building Strong Diversity and Inclusion Programs

Pale, Stale & Male: Does Board Diversity Matter?

The Benefits of Diversity & Inclusion Initiatives

Getting Serious About ESG Risks

Why Cultivating and Maintaining a Diverse Workforce Is Important

Activists Against Insurers