Unless you were the rare company architected in a way that the shelter-in-place and stay-at-home orders and the proclamations shutting down the premises of “non-essential” businesses didn’t affect you, you likely had to re-think immediately how you would operate and then implement a plan.
In some cases, dozens or hundreds of laptop computers had to be acquired overnight for suddenly homebound workers. Significant upgrades in internet bandwidth and telecommunications hardware to accommodate remote access by hundreds or thousands of employees may require quick-start-up relationships with new vendors able to support the company’s needs. Given a choice between not operating or cutting corners on protocols for checking both internal and vendor security, it’s understandable that maintaining operations with remote workers was defined by management as their most basic responsibility.
But to think that being operational means that all the standards the company has in place to protect its cybersecurity can be ignored is most likely a shortcut to eventual disaster. If a company that’s providing – for example – cloud storage can’t produce a certificate affirming its actual security status (such as a SOC Type 2 report) and doesn’t have any certifications relating to its security operations, there is a risk. In a normal environment, it would be important to make a formal determination regarding the advisability of accepting the risk. But given the exigencies of the COVID pandemic, the risk may already have been accepted. What shouldn’t be accepted is not understanding exactly what the risk you’ve accepted is.
Understanding risk is something that should be the immediate concern of the compliance officer and the general counsel in conjunction with the chief information security officer (CISO). The company should insist on copies of test reports and security status attestations. It’s vital to know – and know quickly – whether a vendor does penetration tests and whether it operates a security operations center (or outsources it to a monitoring service provider). One thing is certain: if a vendor’s failure in security results in an incident, whether that is loss of service due to overloading of the vendor’s system or a data compromise through the actions of cybercriminals, the responsibility will ultimately rest with you, and not knowing the vendor’s security posture will not play well with a jury in future litigation.
What this means is that unless you were able to shift to COVID-19 compatible operations without changing your hardware, software, vendors and processes, your existing risk assessment document should be considered obsolete.
You need to review your risk assessment if you have one, and to create one if you don’t. You need to assess your risk for the changes you’ve made in the COVID-19 environment.
If you’ve had to move to remote work, or changed your systems architecture, vendors, business processes or compliance procedures, your risks have changed. Some may have been mitigated. Others may have grown. Still others may be completely new, and not previously a part of your risk profile.
To understand how your risk has changed, you must be able to assess what has changed. To do this, you need to recognize that it is unlikely in all but the smallest of enterprises for one person to have all the answers. For example, in a mid- to large-size business or government agency, you may need to have the viewpoints of multiple people, including:
By putting together the collective intelligence of this group, you should be able to draft a definitive list of what has changed due to COVID-19. (Of course, if you didn’t have a risk assessment, you need to make a more complete list of all of your operations, changed and unchanged.)
Once you have the list, the group working with your risk manager (or perhaps your insurance broker) must identify the changes made, operationally, architecturally or procedurally, and assess their effect on your level of risk. You need to document that, and determine whether there are changes (for example in how software is configured, how logging and backup are handled or how compliance should be overseeing the changes) that should be initiated to mitigate the changed risk. In some instances, an organization may determine that they have no reasonable alternative but to accept an increased degree of risk, at least in the short term.
Also remember that if you have cyber-related insurance, you may have an obligation under your contract of insurance to notify the carrier if your risks change. Failure to do this may mean that your claim may be challenged and not paid.
There is no magic methodology for re-assessing your risk. Each organization has to decide what works best. But understand that failure to carry out the re-assessment is shortsighted and could underlie a civil claim that the company did not take reasonable actions in reaction to the COVID-19 crisis.