Navigating IT Outsourcing Challenges amid Russia-Ukraine Conflict

The IT industry in Ukraine is among its fastest-growing industries, growing nearly 51 times over the last 17 years, according to Ukrainian government data. One out of five Fortune 500 companies has outsourced services to Ukraine. With over 240,000 Ukrainian IT specialists across Kyiv, Kharkiv, Dnipro, Odesa, and Lviv, the industry fosters innovation in artificial intelligence, cybersecurity, natural language processing, nanotechnologies, fintech, gaming, and e-commerce. Not only have leading technology players such as IBM, Microsoft, Oracle, SAP, Google, and Samsung built R&D centers in the region, but some of the leading IT service providers such as Capgemini, Ciklum, DXC, EPAM, and Hitachi (GlobalLogic) also have sizeable operations in Ukraine.

Global technology companies are driven to set up shop in the region because of Ukraine’s large and established IT talent pool, favorable geographical location and time zone proximity to Europe, ability to provide staff on short notice, cost-competitive benefits, and tax incentives.

However, the IT industry has been hit hard, and work in Ukraine has come to a halt since Russia’s invasion on February 24, 2022. Moreover, most IT employees are men aged 18–60, and this demographic group has taken up arms to defend their nation. They are also not allowed to cross their national border. While enterprise customers empathize with their suppliers in Ukraine, this disruption has forced them to rethink their sourcing strategy and look for alternate suppliers.

In light of current events, enterprises should consider the following short-term actions to mitigate immediate risk:

1. 1. Set up a strategic monitoring and risk evaluation team to monitor current events in Ukraine.
   2. Evaluate the criticality of the processes and applications outsourced to Ukrainian IT companies.
   3. Transfer business-critical applications from Ukraine-based providers to other European providers in Poland, Romania, Hungary, and Bulgaria, or other low-cost locations across India and the Philippines.
   4. Avoid outsourcing to companies in regions with current political instability, such as Belarus and Russia. If there are existing operations in these two countries, immediately move them to the regions highlighted in the third point.
   5. Prepare for the cyber risk presented by the conflict in Ukraine. Introduce more comprehensive audits to inspect the level of compliance and service maturity. Also, revise vendor service-level agreements, operational-level agreements, and key performance indicators to focus on metrics that better reflect cybersecurity requirements.
   6. Review the “Force Majeure” clause in all contracts and analyse risks if performance is hindered, delayed, or prevented due to war. By invoking the Force Majeure clause, parties may relieve themselves from performing their obligations at the time of war.
   7. Obtain, if not already in place, insurance coverage, including cyber liability insurance covering data loss or security breaches, professional liability insurance including technology errors and omissions, privacy and cyber-risk (network security) liability insurance, and other insurance coverage needed in light of current events in Ukraine.

Longer term, business leaders should establish more robust relationships with outsourcing providers in all regions.

1. 1. Partner with IT service providers with a diversified geographical presence and robust business continuity plans, avoiding overdependence on one region.
   2. Evaluate your base country’s relationship with other countries and build long-term relationships with service providers in more politically stable regions.
   3. Set up a program to perform annual penetration testing, inspections, vulnerability assessments, and evaluations of the effectiveness of security measures such as multifactor authentication and encryption.
   4. Develop a formal technology disaster recovery policy that includes, at a minimum, immediate restoration of key systems and data, along with periodic testing of the plan to ensure that it will work in the event of a disaster.
   5. Maintain data centers that can be accessible from anywhere around the globe.
   6. Establish network, application, database, and platform security measures that include firewalls and intrusion detection/prevention systems that identify and block unauthorized activity with continuous monitoring of malicious activity and policy violations.

Ukraine has looked at IT outsourcing as an important source of revenue. The current conflict will have massive repercussions on its IT industry. From the perspective of enterprise customers, unfortunately, this conflict will force them to go back to the drawing board and lay out contingency plans. They will need to find a way forward with their Ukranian service providers that is empathetic but at the same time protects customers against disruption.

By Gaurav Dewan, Associate Research Director, Avasant and Amrita Keswani, Lead Analyst, Avasant