Continued Developments in International Measures Against Russia

Regulatory developments

Considering the continued regulatory developments from Western governments and international community relating to Russia’s actions towards Ukraine, we recommend firms take measures to ensure compliance and consistency with their regulatory obligations. Some of these include: 

• Confirm with your AML/Sanctions vendor, or KYC and Customer Diligence third-party, that rapidly evolving international sanctions measures against Russia, including designated prohibited persons and entities, are continuously taken into account and checked against your list of clients, investors and/or customers.  

• Review company ownership, joint ventures and affiliations to ensure compliance with relevant sanctions. 

• Find assurance from your banking institutions that international sanctions and prohibited Russian institutions, like Sberbank and VTB, are unable to open accounts and process transactions.   

• For investors in public listed securities, to the extent that assets within your strategy include Russian company-issued equity or debt, review these investments in light of sanction measures. Take into consideration a prohibition on transacting new securities issued on or after March 22, 2022 from several Russian firms, including Gazprom and Rustelecom.  

• Investors in private markets should risk assess the exposure of their portfolio companies’ business in Russia and Russian-recognized territories in Ukraine. Of particular relevance are measures taken by the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), which imposed several categories of export restrictions to Russia. 

OFAC sanctions and U.S., UK, and EU government measures relating to the Russia-Ukraine conflict are complex, and have different effective dates and licenses providing exemptions. Firms should ensure all relevant sanctions are being incorporated by vendors and make appropriate alternative plans should those sanctions not be included. Although the international community has been united in its condemnation of Russia’s actions, each jurisdiction has been implementing sanctions across various individuals and entities.  

Cyber concerns

There is concern that the sanctions imposed may lead Russia to seek retaliatory action via an increase in cyber-attacks targeting industries and businesses worldwide. With globally connected financial systems and supply chains, it is important that firms, especially those with business ties in the region, are aware of the possibility of this conflict spreading beyond the physical borders of Ukraine and Russia and into organizations’ networks. 

We recommend firms remain on high alert and take the following steps to prepare and secure their organization. Below summarizes the guidance put forward by the UK’s National Cyber Security Centre (NCSC) and the U.S.’s Cybersecurity & Infrastructure Security Agency (CISA)  on immediate action steps organizations should take to insulate their firms from escalating cyber attacks surrounding the conflict in Ukraine. 

Secure access controls  

• Ensure staff are using strong and unique passwords that are not shared across other, non-business systems.  

• Carefully review any accounts that have privileged or administrative access and remove old, unused, or unrecognized accounts. Ensure accounts that have privileged access or other rights are carefully managed and, where possible, use multi-factor authentication (MFA). Privilege can refer to system administration, but also to access to sensitive resources or information, so ensure resources are also adequately protected.  

• Validate that all remote access to the organization’s network and privileged or administrative access requires MFA.  

• Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.  

Regularly patch  

• Ensure your users’ desktops, laptops, and mobile devices are all patched, including third-party software such as browsers and office productivity suites. If possible, turn on automatic updates. Prioritize updates that address known exploited vulnerabilities identified by CISA. CISA also published a digital catalog of free tools dedicated to providing critical infrastructure owners ways to combat cyber threats amidst rising tensions.  

• Ensure your internet-facing services are all patched for known security vulnerabilities.  

• Ensure, where possible, that your key business systems are all patched. Where there are unpatched vulnerabilities, ensure that other mitigations are in place.  

Test your backups  

• Confirm that your backups are running correctly. Perform test restorations from your backups to ensure the restoration process is understood and familiar.  

• Check that there is an offline copy of your backup - and that it is always recent enough to be useful if an attack results in loss of data or system configuration.  

• Ensure machine state and any critical external credentials (such as private keys and access tokens) are also backed up, not just data.  

Logging and monitoring  

• Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.  

• Understand what logging you have in place, where logs are stored and for how long logs are retained. If possible, ensure that your logs are kept for at least one month.   

• If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.  

Network security  

• Monitor, isolate, and/or block, if possible, traffic from entities with ties to Ukraine or Russia. If possible, enable geo-fencing.  

• Ensure antivirus software is installed and regularly confirm that it is active on all systems and that signatures are updating correctly.  

• Check your firewall rules are as expected – specifically check for temporary rules that may have been left in place beyond their expected lifetime.  

• Check that records of your external internet-facing footprint are correct and up-to-date. This includes things like which IP addresses your systems use on the internet or which domain names belong to your organization. Ensure that domain registration data is held securely in accounts supported by multi-factor authentication.  

• Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.  

Incident response planning  

• Identify critical systems and services (banking, power/utilities, communications) and draft contingency plans specific to them to bolster operational resilience.  

• Verify that your incident response plan is up-to-date and includes:  

  • Designated crisis-response team with clear roles/responsibilities from members across the organization, including technology, communications, legal, and business continuity.  

  • How to respond to an event out of normal office hours and/or when business systems are down.  

• Conduct a tabletop exercise to ensure all participants understand their roles during an incident.  

• Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyber-attack; ensure that backups are isolated from network connections.  

• If using industrial control systems or operational technology, conduct a test of manual controls to ensure critical functions remain operable if the organization’s network is unavailable or untrusted.  

Educate  

• Ensure that other teams in your organization understand the situation and the heightened threat.  

• Make sure everyone in your organization knows how to report suspected security events and why reporting during a period of heightened threat is so important. 

Evaluate your firm’s ties to Ukraine   

• Evaluate your business connections to Ukraine, including clients, vendors, and outsourced software development contracts.   

• For vendors with connections to Ukraine, assess their business continuity plans to ensure they are taking the necessary steps to mitigate their risks. Likewise, consider how to isolate these connections from your networks to mitigate risk in the event of an attack. 

Further Resources 

For more information about how the Russian-Ukrainian conflict may affect your firm, please reference our previous articles:

• How Developing Sanctions Affect U.S. Asset Managers
• FCA Reminds Firms of their Financial Sanctions Obligations in the Light of New UK Measures Against Russia
• Firms Encouraged to Remain Vigilant Due to Heightened Cybersecurity Concerns Over the Current Situation in Ukraine
   

Questions

If you have any questions about these action items, please reach out to your ACA consultant or contact us here.