
Russia-Ukraine War: 8 Questions to Ask Your Vendors

Use this free questionnaire to determine your organization’s third-party risk exposure to the Russian invasion of Ukraine.
By:
Scott Lang
,
VP, Product Marketing
February 25, 2022

Russia’s invasion of Ukraine has drawn a unified response from NATO and its allies, with member nations imposing sanctions on Russia. Several of the most damaging cyber-attacks of recent years, with far-reaching third-party impact, have been attributed to Russian state or Russia-based criminal actors: the SolarWinds supply-chain compromise and the Colonial Pipeline and JBS Foods ransomware incidents. The U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have accordingly warned businesses and governments to be vigilant against retaliatory ransomware and other attacks originating from Russia in response to these sanctions.

Below are example questions that you can use to assess the risk facing your third parties (vendors, partners, suppliers and similar) related to the conflict. Prevalent has compiled these questions into a multiple-choice Ukraine Conflict Geo-Political Third-Party Impact Assessment, which you can use to determine the business continuity implications of having suppliers in the Ukraine region. If you have suppliers potentially impacted by this event, this assessment is a good starting point for determining your exposure. It is also available to our customers as part of the Prevalent platform's questionnaire library.

8 Questions to Determine Your Third-Party Exposure to the War in Ukraine

Prevalent has curated an 8-question assessment that can be used to rapidly identify potential impacts to your business by determining which of your third parties are affected by the conflict, how severely, and what their continuity and mitigation plans are.

Questions and potential responses

1) Is the organization located in the region of Ukraine and surrounding areas?

Help text: This assessment relates to the ongoing crisis in the Ukraine region, and how organizations have risk-assessed and taken action to protect themselves and their interests, including employees and other stakeholders, services and systems. “Surrounding areas” refers to countries bordering Ukraine.

Please select ONE of the following:

a) The organization is located in the region or surrounding areas of Ukraine.

b) The organization is NOT located in the region or surrounding areas of Ukraine.

2) Does the organization use vendors that are located in the region of Ukraine and surrounding areas?

Please select ONE of the following:

a) Yes, the organization does use vendors that are located in the region or surrounding areas of Ukraine.

b) No, none of the organization's vendors are located in the region or surrounding areas of Ukraine.

3) Following emerging events, has the organization conducted a risk assessment to determine the level of impact caused to its employees, stakeholders, services and systems?

Please select ONE of the following:

a) Yes, a risk assessment has been conducted to determine the level of impact caused to our organization.

b) No, a risk assessment has not been conducted to determine the level of impact caused to our organization.

4) If “Yes” to question #3: What is the level of impact caused to the organization and its employees, stakeholders, systems and services?

Help text: Consideration should be given to where the impact has occurred, alongside the level of impact.

Please select ONE of the following:

a) Significant impact to the organization and its employees, stakeholders, systems and services.

(Significant impact is defined as: The events have caused safety risks to our employees. Systems or services have stopped working due to security issues. Loss of confidentiality or integrity of data.)

b) High level of impact to the organization and its employees, stakeholders, systems and services.

(High impact is defined as: There is a high degree of safety risks to employees. Some systems or services have periodically stopped. There is some loss of confidentiality or integrity of data.)

c) Low level of impact to the organization and its employees, stakeholders, systems and services.

(Low impact is defined as: No impact to employees or stakeholders, minimal or no disruption to service availability. No loss of confidentiality or integrity of data.)

d) No impact to the organization and its employees, stakeholders, systems and services.

5) Does the organization have a documented continuity or recovery plan in place?

Please select ONE of the following:

a) Yes, a documented continuity or recovery plan is in place.

b) No, a documented continuity or recovery plan is not in place.

6) If “Yes” to question #5: Has the organization been required to activate its continuity or recovery plans?

Please select ONE of the following:

a) The organization has activated its continuity and/or recovery plan.

b) The organization has NOT been required to activate its continuity and/or recovery plan.

7) If “Yes” to question #5: Has the organization updated its continuity or recovery plans to identify and address geopolitical risks and events, and has a Business Impact Assessment been conducted to identify recovery efforts?

Please select ALL that apply:

a) Business impact assessments have been conducted, and captured geopolitical risks that could or have impacted the organization.

b) Based on geopolitical risks and events, the organization has identified its prioritized order of recovery.

c) Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are established based on the business impact assessment.

8) Who is designated as the point of contact who can answer additional queries?

Please state the key contact for managing information on event or continuity management.

Name:

Title:

Email:

Phone:
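Once responses come back, the useful work is turning them into a prioritized follow-up list and catching answers that contradict the questionnaire's own branching (Q4 only applies if Q3 is "Yes"; Q6 and Q7 only apply if Q5 is "Yes"). The following is an added example, not Prevalent's code or scoring methodology: the fields mirror questions 1 through 8 above, but the tier names, the rules mapping answers to tiers and the fictional vendor responses are this example's own assumptions.

```python
"""Triage vendor responses to the eight-question geopolitical impact assessment.

Added example for this post, not Prevalent's code or scoring. The fields
mirror questions 1-8 above; the tier names, the rules that map answers to
tiers and the sample vendors are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TIER_ORDER = ["low", "monitor", "elevated", "critical"]   # assumed tiers, ascending
REQUIRED_PLAN_ELEMENTS = frozenset({"bia", "recovery_order", "rto_rpo"})  # the three Q7 options


@dataclass(frozen=True)
class VendorResponse:
    vendor: str
    q1_in_region: bool                 # Q1: located in Ukraine or a bordering country
    q2_uses_regional_vendors: bool     # Q2: the vendor's own suppliers are in the region
    q3_assessed: bool                  # Q3: impact risk assessment conducted
    q4_impact: Optional[str]           # Q4: "significant"|"high"|"low"|"none"; None if Q3 is No
    q5_has_plan: bool                  # Q5: documented continuity or recovery plan
    q6_plan_activated: Optional[bool]  # Q6: plan activated; None if Q5 is No
    q7_plan_elements: FrozenSet[str] = frozenset()  # Q7: subset of REQUIRED_PLAN_ELEMENTS
    q8_contact: Optional[str] = None   # Q8: named point of contact


def consistency_issues(r: VendorResponse) -> List[str]:
    """Answers that contradict the questionnaire's branching (Q4 needs Q3=Yes, Q6/Q7 need Q5=Yes)."""
    issues = []
    if not r.q3_assessed and r.q4_impact is not None:
        issues.append("Q4 answered but Q3 says no assessment was conducted")
    if r.q3_assessed and r.q4_impact is None:
        issues.append("Q3 says assessed but Q4 impact level is missing")
    if not r.q5_has_plan and (r.q6_plan_activated is not None or r.q7_plan_elements):
        issues.append("Q6/Q7 answered but Q5 says no plan exists")
    if r.q5_has_plan and r.q6_plan_activated is None:
        issues.append("Q5 says a plan exists but Q6 activation status is missing")
    return issues


def _raise_to(current: str, new: str) -> str:
    """Tiers only ever move upward as rules fire."""
    return new if TIER_ORDER.index(new) > TIER_ORDER.index(current) else current


def triage(r: VendorResponse) -> Tuple[str, List[str]]:
    """Map one response to an assumed follow-up tier plus the reasons that drove it."""
    tier, reasons = "low", []
    exposed = r.q1_in_region or r.q2_uses_regional_vendors
    if r.q1_in_region:
        tier = _raise_to(tier, "elevated")
        reasons.append("located in Ukraine or a bordering country (Q1)")
    if r.q2_uses_regional_vendors:
        tier = _raise_to(tier, "monitor")
        reasons.append("depends on suppliers in the region (Q2)")
    if r.q4_impact == "significant" or r.q6_plan_activated:
        tier = _raise_to(tier, "critical")
        reasons.append("reports significant impact or has activated its recovery plan (Q4/Q6)")
    elif r.q4_impact == "high":
        tier = _raise_to(tier, "elevated")
        reasons.append("reports high impact (Q4)")
    if exposed and not r.q3_assessed:
        tier = _raise_to(tier, "elevated")
        reasons.append("exposed but has not assessed the impact (Q3)")
    if exposed and not r.q5_has_plan:
        tier = _raise_to(tier, "elevated")
        reasons.append("exposed with no documented continuity or recovery plan (Q5)")
    if exposed and r.q5_has_plan:
        missing = REQUIRED_PLAN_ELEMENTS - r.q7_plan_elements
        if missing:
            tier = _raise_to(tier, "monitor")
            reasons.append("plan lacks " + ", ".join(sorted(missing)) + " (Q7)")
    if not r.q8_contact:
        reasons.append("no point of contact for follow-up (Q8)")
    return tier, reasons


def prioritize(responses: List[VendorResponse]) -> List[Tuple[str, VendorResponse]]:
    """Highest tier first, then vendor name, so the analyst's call list is deterministic."""
    scored = [(triage(r)[0], r) for r in responses]
    return sorted(scored, key=lambda tr: (-TIER_ORDER.index(tr[0]), tr[1].vendor))


# Constructed sample responses (fictional vendors), not real assessment data.
SAMPLE_RESPONSES = [
    VendorResponse("Acme Hosting", True, False, True, "significant", True, True,
                   REQUIRED_PLAN_ELEMENTS, "ops@acme.example"),
    VendorResponse("Globex Payroll", False, True, False, None, True, False,
                   frozenset({"bia"}), None),
    VendorResponse("Initech Analytics", False, False, True, "none", True, False,
                   REQUIRED_PLAN_ELEMENTS, "bcp@initech.example"),
    VendorResponse("Umbrella Logistics", True, False, False, "high", False, None),
]

if __name__ == "__main__":
    for tier, r in prioritize(SAMPLE_RESPONSES):
        print(f"{tier:9} {r.vendor}: {'; '.join(triage(r)[1])}")
        for issue in consistency_issues(r):
            print(f"          ! {issue}")
```

Two design points carry over to any real implementation. First, a vendor that is exposed (Q1 or Q2) but has not assessed the impact (Q3) is treated as at least "elevated", because an unknown impact is not the same as no impact. Second, contradictory answers are surfaced separately from the tier rather than silently resolved: "Umbrella Logistics" reports high impact while claiming no assessment was done, which is a prompt to go back to the Q8 contact, not a data point to score.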


Test Your Incident Response Plan Before the Next Third-Party Cyber-Attack

Many organizations struggle to get timely information about security incidents impacting their supply chains. Delays between a vendor incident and your own risk identification, analysis and mitigation will leave your organization exposed to operational disruptions. Prevalent can help.

The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain incidents by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance. Don’t get caught flat-footed by a third-party cyber-attack you know is coming. Contact us today to learn more or schedule a demo.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.