Unless you were the rare company architected in a way that the shelter-in-place and stay-at-home orders, and the proclamations shutting down the premises of “non-essential” businesses, didn’t affect you, you likely had to immediately re-think how you would operate and implement a plan.
In some cases, dozens or hundreds of laptop computers had to be acquired overnight for suddenly homebound workers. Significant upgrades in internet bandwidth and telecommunications hardware to accommodate remote access by hundreds or thousands of employees may require quick-start-up relationships with new vendors able to support the company’s needs. Given a choice between not operating or cutting corners on protocols for checking both internal and vendor security, it’s understandable that maintaining operations with remote workers was defined by management as their most basic responsibility.
But to think that being operational means that all the standards the company has in place to protect its cybersecurity can be ignored is most likely a shortcut to eventual disaster. If a company that’s providing – for example – cloud storage can’t produce a certificate affirming its actual security status (such as a SOC Type 2 report) and doesn’t have any certifications relating to its security operations, there is a risk. In a normal environment, it would be important to make a formal determination regarding the advisability of accepting the risk. But given the exigencies of the COVID pandemic, the risk may already have been accepted. What shouldn’t be accepted is not understanding exactly what the risk you’ve accepted is.
Understanding risk is something that should be the immediate concern of the compliance officer and the general counsel in conjunction with the chief information security officer (CISO). The company should insist on copies of test reports and security status attestations. It’s vital to know – and know quickly – if a vendor does penetration tests and whether it is operating a security operations center (or outsourcing it to a monitoring service provider). One thing is certain – if a vendor’s failure in security results in an incident, whether that is loss of service due to overloading of the vendor’s system or a data compromise through the actions of cybercriminals, the responsibility will ultimately rest with you, and not knowing the vendor’s security posture will not play well with a jury in future litigation.
What this means is that unless you were able to shift to COVID-19 compatible operations without changing your hardware, software, vendors and processes, your existing risk assessment document should be considered obsolete.
Time to Reassess Your Risk Assessment
You need to review your risk assessment if you have one, and to create one if you don’t. You need to assess your risk for the changes you’ve made in the COVID-19 environment.
If you’ve had to move to remote work, or changed your systems architecture, vendors, business processes or compliance procedures, your risks have changed. Some may have been mitigated. Others may have grown. Still others may be completely new, and not previously a part of your risk profile.
To understand how your risk has changed, you must be able to assess what has changed. To do this, you need to recognize that it is unlikely in all but the smallest of enterprises for one person to have all the answers. For example, in a mid- to large-size business or government agency, you may need to have the viewpoints of multiple people, including:
- Information Technology
The IT function is likely to have been called on to make changes quickly and with limited time. They may have had to engage new vendors, contractors or others to help. They are probably the primary source for understanding the changes in technology implemented to meet the demands of the COVID-19 working environment.
- General Counsel
Hopefully, changes in procedures and vendors were reviewed by counsel before they were implemented. If they weren’t, you need counsel’s assessment of the risks from a legal and regulatory standpoint. In any case, labor counsel may need to review any new work arrangements to assure compliance with appropriate laws regarding pay for at-home work.
- Accounting/Procurement
Accounting units that are responsible for paying bills often have procedures (as do procurement units) to validate and approve new vendors/contracts. They would be in a good position to know what they were and were not asked to approve.
- Human Resources/Labor Relations
The ways that people work may be subject to review by human resource or labor relations specialists. This is particularly true in a collective bargaining environment, but can also be important if there is a potential for initiating negative actions against anyone not complying with added or changed work guidelines.
- Compliance
Ultimately, the compliance function must assure that appropriate testing of added or updated work processes is in effect. Having them on the working group assures that they will be in a position to know what changes have been made and to assess the extent to which they were involved in reviewing compliance standards.
By putting together the collective intelligence of this group, you should be able to draft a definitive list of what has changed due to COVID-19. (Of course, if you didn’t have a risk assessment, you need to make a more complete list of all of your operations, changed and unchanged.)
Once you have the list, the group working with your risk manager (or perhaps your insurance broker) must identify the changes made, operationally, architecturally or procedurally, and assess their effect on your level of risk. You need to document that, and determine whether there are changes (for example in how software is configured, how logging and backup are handled or how compliance should be overseeing the changes) that should be initiated to mitigate the changed risk. In some instances, an organization may determine that they have no reasonable alternative but to accept an increased degree of risk, at least in the short term.
Also remember that if you have cyber-related insurance, you may have an obligation under your contract of insurance to notify the carrier if your risks change. Failure to do so may mean that a later claim is challenged and not paid.
There is no magic methodology for re-assessing your risk. Each organization has to decide what works best. But understand that failure to carry out the re-assessment is shortsighted and could underlie a civil claim that the company did not take reasonable actions in reaction to the COVID-19 crisis.