The coronavirus pandemic has forced many businesses to reconsider their cyber and data privacy systems and policies. But how can firms best mitigate risk and manage compliance in this new operating environment?
For businesses across all sectors of the global economy, cybersecurity has become one of the biggest risk factors associated with the coronavirus (COVID-19) pandemic. As they try to continue operations without interruption, and protect their workers and employees, businesses increase their exposure to cyber attacks.
At a specially convened Cyber Surgery for its clients, Grant Thornton UK’s experts discussed the specific types of threat that are emerging, as well as what actions businesses should be taking to reduce risk and maintain regulatory compliance during these extremely challenging times. The issues discussed apply more widely around the globe.
The session, Risks And Regulatory Expectations: Responding To Evolving Circumstances, was presented in collaboration with multinational law practice Eversheds Sutherland.
Emerging cyber risks
The lockdown policies introduced into economies all over the world have forced millions of businesses to pivot quickly to more agile forms of working – with the large-scale adoption of home working technology.
Vijay Rathour, Partner and Head of the Digital Forensics Group at Grant Thornton UK, explains: “We have seen organisations carrying out a transformation, that may take six weeks under normal circumstances, in just a few days – and we are concerned about how the threats and threat actors are evolving to take advantage of this rapidly changing cybersecurity landscape.”
The attack surface for cyber criminals – the opportunities to break into businesses, for example, as well as to compromise individual workers – is constantly evolving, a situation that is creating unprecedented challenges for firms, both in terms of security and compliance.
“There has been a significant increase in cyber attacks in organisations like financial services and professional services firms – in fact, any business that controls sensitive or valuable data,” explains Rathour.
“But what we are also seeing is that even many larger organisations, despite having comprehensive business continuity plans, have never, in fact, tested these plans in anger”, which increases vulnerability and presents opportunities for cyber criminals.
Rathour says that although some organisations have said they are going through a compliance pause as they implement new systems, regulators have not formally relaxed their expectations or requirements. Businesses should therefore ensure that any temporary solutions implemented at the start of the lockdown are clearly documented and explained for the benefit of regulators.
Another important factor from both an operational and a regulatory perspective is being able to demonstrate that any security policies have been tested in a robust fashion.
“What we have seen recently is that regulators are becoming increasingly interested in the detail of cyber solutions and whether they are operationally effective,” says Arthur. “While a year ago, regulators might have been happy with high-level information about solutions, there is a lot more emphasis now about exactly what technology is in place and whether it has been shown to be operationally effective – and this emphasis is only going to be heightened as a result of the current crisis.”
The cybersecurity challenges presented by the coronavirus (COVID-19) pandemic and new ways of working are significant for businesses, regardless of the sector in which they operate. For more information and guidance about the steps your organisation should be taking to mitigate risks and deal with threats, please contact James Arthur or Vijay Rathour.