A poignant example of concentration risk is the congregation of software development and IT service firms located throughout Ukraine. Just a few days ago, this risk was most likely not on anyone’s radar.
The irony is that major companies priding themselves on following robust risk management practices chose to conduct business in a country that has been in armed conflict for eight years. Some might say this is like building a data center at the end of a runway; it’s only a matter of time before something deleterious happens.
The Ukraine IT and software market has grown to over 300,000 developers, engineers, and support personnel working in over 4,000 software development and IT support companies. Virtually all Fortune 500 companies use services based in Ukraine, generating over US$5 billion worth of IT and software development services.
Ukraine’s Software Developers
Ukraine has developed a niche for providing some of the world’s best software developers sought after by financial institutions, e-commerce companies, software vendors, and cloud service providers. In its World Competitiveness report, the Institute for Management Development (IMD) listed Ukraine as number one in its top ten countries with the best programmers.
Ukraine has earned a reputation for offering companies highly educated, talented, certified, and bilingual IT workers for substantially less than western market rates. Were these reasons enough for companies including IBM, Google, Microsoft, and Oracle to open major research and development centers in Ukraine and overlook the risk?
The impact will be substantial to all these companies, but perhaps none will feel it quite like EPAM, an S&P 500 U.S.-based company focused on digital transformations with over 13,000 developers and engineers located in Ukraine.
Evaluating Third-Party Risk
Is the risk real? Let us not forget that in 2017 the ransomware Petya, planted by Russian hackers, was distributed through the Ukrainian accounting software M.E.Doc. Should companies be suspicious and concerned? I think yes. Many companies are still recovering from the Russian-based SolarWinds attack. The Russian cyber threat takes third-party risk to a whole new level. Fourth-party risk cannot be ignored either: how many organizations use technology supported by Russian programmers?
Suppose Russia’s elite cyber warfare units were to get hold of Ukraine’s technology troves? Russia is a targeted sanction and export-restricted country, whereas Ukraine (non-disputed territories) has fewer restrictions.
Should Russia occupy or control Ukraine, it must be assumed that they will have the ability to access previously unavailable technology. Companies doing business with Ukrainian companies must assume their technology will be compromised.
To find out if your company has direct or indirect exposure, consult The Manifest’s list of the Top 100 Software Development Companies in Ukraine.
CISOs should immediately:
- Conduct a risk exposure assessment of Ukrainian suppliers.
- Determine which IT projects are dependent on Ukrainian developers.
- Determine the impact of Ukraine-based outsourced IT services.
- Consider other methods of payment to Ukrainian suppliers.
- Determine which installed software products emanate from Ukraine.
- Assess the security of connectivity to Ukraine-based companies.
- Assume Russia will launch attacks against financial institutions in retribution for imposed sanctions, and plan accordingly.
The Russo-Ukrainian crisis is an evolving situation, but CISOs and other cybersecurity professionals must not wait to take action. To learn more about how to prepare for potential security issues, please reach out to me at [email protected].