BLOG — Mar 31, 2022

Ukraine and Third Party Risk Management

The conflict in Ukraine, sanctions impacts and related cyber and operational risks have caused firms to critically review their third- and fourth-party risk exposure and engage in urgent third-party outreach in recent weeks.

Firms have been invoking their incident management and business continuity plans, working to refresh and extend their understanding of their potentially impacted third and fourth parties, and reviewing the business continuity of relevant business functions. In line with operational resilience expectations, firms have also seen how those third- and fourth-party risks impact the delivery of their own services to customers, clients and counterparties.

Immediate impacts include non-availability of many Ukraine-based team members working for third/fourth party organizations and consequential product/service disruption. Restrictions on trading with sanctioned entities and impacts from sanctions-related financial volatility are also of significant concern to firms currently reviewing their supply chains. Firms have also focused on validating cybersecurity controls and refreshing employee awareness campaigns in response to elevated risks from cyber-attacks targeting financial institutions or their critical third parties.

Ukraine Conflict: A Coordinated, Cross-Industry Response

In previous events that challenged business continuity or information security, such as Superstorm Sandy, SARS, and Hurricane Katrina, financial services firms conducted their vendor outreach independently of one another. Vendors were deluged with due diligence requests. In part because each company was asking for different information, the quality of vendor responses was uneven and the outreach process was inefficient and subject to delays.

The past two years have seen growing use of the KY3P® Significant Event Notification and Tracking (SENT) system, with successful outreach campaigns including COVID-19, SolarWinds and Log4Shell. In response to the Ukraine conflict, a group of large financial services organizations agreed on and adopted a series of standard questions to help coordinate a cross-industry response. Hundreds of vendors have been engaged by SENT users in due diligence.

In contrast to the decentralized approach to assessing vendor resilience in the past, all communications are secure and audited on the platform, and vendors can share their questionnaire answers efficiently with any number of customers requesting the information, including attaching any corporate statement they have on the subject.

SENT is part of the KY3P® (Know Your Third Party) solution from S&P Global Market Intelligence.

KY3P customers can also efficiently monitor and receive alerts from a range of third-party operational health and news sources about their vendors, including negative news, financial stability, sanctions and screening, location and ESG risk, and cyber health.

The Economics & Country Risk team at S&P Global Market Intelligence provides the country-level risk scores in KY3P. For more information on Economics & Country Risk, visit ihsmarkit.com/ecr

For more information about KY3P®, visit ihsmarkit.com/products/ky3p


S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.


This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.