Thu, Apr 30, 2020

Rethink Your Risk Assessment During COVID -19

Unless you were the rare company architected in a way that the shelter-in-place, stay-at-home and proclamations shutting down the premises of “non-essential” businesses didn’t affect you, you likely had to immediately re-think how you would operate and implement a plan. 

In some cases, dozens or hundreds of laptop computers had to be acquired overnight for suddenly homebound workers. Significant upgrades in internet bandwidth and telecommunications hardware to accommodate remote access by hundreds or thousands of employees may require quick-start-up relationships with new vendors able to support the company’s needs. Given a choice between not operating or cutting corners on protocols for checking both internal and vendor security, it’s understandable that maintaining operations with remote workers was defined by management as their most basic responsibility.

But to think that being operational means that all the standards the company has in place to protect its cybersecurity can be ignored is most likely a shortcut to eventual disaster. If a company that’s providing – for example – cloud storage can’t produce a certificate affirming its actual security status (such as a SOC Type 2 report) and doesn’t have any certifications relating to its security operations, there is a risk. In a normal environment, it would be important to make a formal determination regarding the advisability of accepting the risk. But given the exigencies of the COVID pandemic, the risk may already have been accepted. What shouldn’t be accepted is not understanding exactly what the risk you’ve accepted is.

Understanding risk is something that should be the immediate concern of the compliance officer and the general counsel in conjunction with the chief information security officer (CISO). The company should insist on copies of test reports and security status attestations. It’s vital to know – and know quickly – if a vendor does penetration tests and whether it is operating a security operations center (or outsourcing it to a monitoring service provider.) One thing is certain – if a vendor’s failure in security results in an incident, whether that is loss of service due to overloading of the vendor’s system or a data compromise through the actions of cybercriminals, the responsibility will ultimately rest with you and not knowing the vendor’s security posture will not play well with a jury in future litigation.

What this means is that unless you were able to shift to COVID-19 compatible operations without changing your hardware, software, vendors and processes, your existing risk assessment document should be considered obsolete.

Time to Reassess Your Risk Assessment

You need to review your risk assessment if you have one, and to create one if you don’t. You need to assess your risk for the changes you’ve made in the COVID-19 environment. 

If you’ve had to move to remote work, or changed your systems architecture, vendors, business processes or compliance procedures, your risks have changed. Some may have been mitigated. Others may have grown. Still others may be completely new, and not previously a part of your risk profile.

To understand how your risk has changed, you must be able to assess what has changed. To do this, you need to recognize that it is unlikely in all but the smallest of enterprises for one person to have all the answers. For example, in a mid- to large-size business or government agency, you may need to have the viewpoints of multiple people, including:

  • Information Technology
    The IT function is likely to have been called on to make changes quickly and with limited time. They may have had to engage new vendors, contractors or others to help. They are probably the primary source for understanding the changes in technology implemented to meet the demands of the COVID-19 working environment. 
  • General Counsel
    Hopefully, changes in procedures and vendors were reviewed by counsel before they were implemented. If they weren’t, you need counsel’s assessment of the risks from a legal and regulatory standpoint. In any case, labor counsel may need to review any new work arrangements to assure compliance with appropriate laws regarding pay for at-home work. 
  • Procurement
    Accounting units that are responsible for paying bills often have procedures (as do procurement units) to validate and approve new vendors/contracts. They would be in a good position to know what they were and were not asked to approve. 
  • Human Resources/Labor Relations
    The ways that people work may be subject to review by human resource or labor relations specialists. This is particularly true in a collective bargaining environment, but can also be important if there is a potential for initiating negative actions against anyone not complying with added or changed work guidelines.
  • Compliance
    Ultimately, the compliance function must assure that appropriate testing of added or updated work processes is in effect. Having them on the working group assures that they will be in a position to know what changes have been made and to assess the extent to which they were involved in reviewing compliance standards.

By putting together the collective intelligence of this group, you should be able to draft a definitive list of what has changed due to COVID-19. (Of course, if you didn’t have a risk assessment, you need to make a more complete list of all of your operations, changed and unchanged.)

Once you have the list, the group working with your risk manager (or perhaps your insurance broker) must identify the changes made, operationally, architecturally or procedurally, and assess their effect on your level of risk. You need to document that, and determine whether there are changes (for example in how software is configured, how logging and backup are handled or how compliance should be overseeing the changes) that should be initiated to mitigate the changed risk. In some instances, an organization may determine that they have no reasonable alternative but to accept an increased degree of risk, at least in the short term. 

Also remember that if you have cyber-related insurance, you may have an obligation under your contract of insurance to notify the carrier if your risks change. Failure to do this may mean that your claim may be challenged and not paid. 

There is no magic methodology for re-assessing your risk. Each organization has to decide what works best. But understand that failure to carry out the re-assessment is shortsighted and could underlie a civil claim that the company did not take reasonable actions in reaction to the COVID-19 crisis.


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Optimized Third-Party Cyber Risk Management Programs

Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.

Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.