The dynamic spread of COVID-19 and the uncertain developments ahead are giving all of us a hard time. As well as its effect on people, the coronavirus is rapidly disrupting business and consumer activity in the affected areas and beyond.
With more risks arising – such as cyberattacks, data transfer confidentiality issues, concerns about the resilience of primary service providers, project delays, or struggles with maintaining service and supply levels – it is important to take the right actions to organise your business as well as possible.
For this purpose, we have created an overview, with key questions for you to consider and suggested activities for you to conduct.
The impacts of COVID-19 are being strongly felt in the areas of IA and cybersecurity.
The necessary changes in working practices and organisational arrangements in response to COVID-19 will introduce a range of new or enhanced risk areas, and they will also have the potential to disrupt existing systems of internal controls in significant ways. In turn, this will create a need for agile IA functions to better enable the continuity of services by means of remote working – minimising the impacts on, and maximising the value of, the IA activities that are conducted by management and teams across the organisation. IA must stand with the business to provide the support that it needs to deliver its services in a safe, secure, and trusted way.
With remote working, greater dependency on technology, and online interactivity comes the increased risk of cyber threats. As more information and data are transmitted online, and fewer on-site support systems are readily available, IT management must be ready to provide the safeguards and support that are required in order to ensure that cybersecurity, data protection, and IT operations controls are not compromised, especially when they are particularly vulnerable to external threats in this period.
As the duration of the present circumstances remains unknown, a number of critical areas will need special attention.
Risk Management functions – in either the business or control functions – are at the heart of current crisis management efforts. Boards of Directors, management, regulators, clients, and other stakeholders expect up-to-date information about the risks that companies are exposed to, as well as the effectiveness of the measures that have been taken. The timely reporting of risk information is critical for enabling timely decision-making, as this has been an issue in past crises.
At the same time, Risk Management organisations have also been impacted by the crisis. You may be experiencing restrictions in terms of remote working, with reduced workforces, and technical disruptions or increased work volumes. We recommend identifying and ring-fencing the services that are critical to protecting your organisation and meeting your regulatory expectations.
Organisations in regulated industries need to follow their regulatory requirements and honour the commitments that they have made, even when they have been impacted by COVID-19. At the same time, compliance organisations have also been impacted, and they may also be experiencing restrictions in terms of remote working, with reduced workforces, as well as facing technical disruptions or increased work volumes.
Organisations were already struggling with the complex regulatory environment, and spending a huge amount on compliance, yet compliance failures still remained commonplace – now is the time to be looking for cost-saving opportunities and being more open to technology-led solutions.
Organisations that are typically dependent on the ability of their vendors and suppliers to deliver in compliance with their requirements are likely to be impacted, as third-party providers may be dealing with remote working arrangements, supply chain interruptions, distribution delays, service-level instabilities, and many other potential developments.
It may not be possible to receive the required levels of critical information in order to support third-party compliance, with the standard tools, software, and processes remaining in place. These may prove to be inefficient or insufficient in terms of providing the depth, scope, and frequency of information that is likely to be necessary.
As the duration of the present circumstances remains unknown, organisations should focus their scrutiny of third-party compliance on critical points of failure.
The PwC Cybersecurity team has been closely monitoring the evolving COVID-19 situation, and taking part in a number of conversations with clients from various industries.
A lot of companies are now allowing their employees to work remotely, from home, and have therefore increased or set up the required IT infrastructure. Unfortunately, these circumstances, which are a consequence of the coronavirus, also present a good opportunity for hackers to attack your IT infrastructure.
Our observations have revealed that the following services may be interrupted as a result of COVID-19 – this overview suggests how you might manage your IT infrastructure and how you might avoid being harmed by a hacker attack:
The impact of the current uncertainty on business is complex. The dynamic spread of COVID-19 and the uncertainty of the developments ahead are giving all of us a hard time.
For most organisations, the existing working schedule has been designed to focus on the key areas of risk and the accompanying system of internal controls, in a Business as Usual (BAU) scenario.
As the duration of the present circumstances is still unknown, organisations should focus their attention on their business continuity plans, and identify opportunities for recovery.
Yu Loong Goh
Director, IT Risk Assurance Services, PwC Vietnam
Tel: +84 28 3823 0796, Ext. 1007