What impact is coronavirus having on cyber risk profiles?

  • 20 April 2020

The question on the lips of many risk managers right now is, 'How is coronavirus (Covid-19) affecting my cyber risk profile?' Coronavirus has disrupted business as usual, and financial institutions have had to react quickly to a range of government restrictions and measures and their knock-on effects on standard working practices.

Since the outbreak of the pandemic, ORX has been working closely with the financial firms who make up our membership. One of the key areas in which we've been able to support them is by facilitating discussions between banks and insurers around the globe. Our members have had the opportunity to talk about the virus and share their strategies.

Here are some of the key points from our recent discussions on coronavirus and cyber and information security risk (CISR) – including highlights from the virtual roundtable held for participants of our ever-developing cyber programme.

How is coronavirus changing cyber risk profiles?

Financial firms have had to manage a raft of measures and changes brought in by governments to protect their citizens. Most notable are the lockdowns, which have been implemented quickly and for unknown durations. The sheer volume of staff working from home exceeded many organisations’ business continuity planning assumptions.

On top of this, organisations are facing increasing numbers of cyber attacks, and operational risk teams not only need to think about how their organisation can respond, but also how prepared their third and fourth party suppliers are to face these threats.

All this being said, our discussions with the ORX membership have shown that they are responding robustly and that key operations appear to be stable and working well. As organisations begin adjusting to the new operating environment, they are all considering how the situation is affecting their cyber risk profile. From our ongoing discussions with our members and the cyber risk programme group, three main impacts have stood out so far.

Impact 1: Increase in threat activity

Many organisations have noted an increase in malicious activity and cyber-related fraud, both on themselves and on their customers, since the coronavirus pandemic struck. The attacks on institutions are usually being carried out through malware or social engineering campaigns, while customers are especially vulnerable to phishing.

With the financial and psychological stress caused by coronavirus expected to go on long after lockdowns are lifted, we don't anticipate seeing this number of attempted attacks decrease in the near future. To combat this, some of our members have suggested that marketing and cyber awareness campaigns could help. As we would expect, fraud detection and controls monitoring will be particularly vital during this time, especially around essential services.

Impact 2: Vulnerabilities of remote working

The social distancing restrictions introduced in most countries have forced institutions to respond rapidly. Firms have had to quickly transition staff to remote working arrangements, which brings with it the potential to create new risks and expose unforeseen vulnerabilities in existing cyber and information security controls.

Key operating areas, such as payments and trading, are now taking place in employees' homes. However, the controls for these are primarily designed for office-based working. Our discussions have made it clear that many organisations are currently focussing on maintaining cyber controls and continuity of function in the coming weeks.

Possible changes in staff behaviour should not be ignored either. While employees have thus far been diligent, some of our members have pointed out that there is a risk that continued home working may begin to drive different behaviours and lax attitudes to basic information security hygiene.

Ensuring sensitive data is secure in this new operating environment is another challenge, with there being some reports of regulatory interest in how GDPR compliance was being monitored while staff are working from home. A further difficulty faced by firms is in maintaining effective oversight of both staff and third parties, which will be harder from a remote working environment.

Impact 3: Third-party cyber risks

The disruption caused by coronavirus has intensified focus on third party risk. Operational risk functions are remaining vigilant about how this may cause weaknesses in supply chains, including considering the resilience of fourth parties. Where third parties need to access an organisation's systems remotely, some firms are shipping hardware to them specifically for that purpose.

Concentration risk is a particular area of focus for many of our members, especially in regard to third-party suppliers. One of the main concerns we're hearing is that it is often difficult to see these concentrations. Given the volume of outsourced operations based there, and the lack of infrastructure to support remote working, India is a key point of focus for some of our members.

Continuing to evaluate the impact of coronavirus

Throughout the coronavirus crisis, we are working closely with all our members to support them through this situation where we can. ORX Membership brings many benefits, including access to research, data and resources, but one of the main advantages of being an ORX member is becoming part of a global community at the forefront of managing operational risk. This is especially important during a time such as this.

Through regular calls, working groups and other virtual opportunities for collaboration we are bringing our members together to discuss the challenges of coronavirus and how to manage these specifically from an operational risk perspective. We will carry on discussing coronavirus and cyber risk, as well as looking at other impacts and how to transition to a post-coronavirus environment.

If you'd like the chance to be involved, find out more about ORX Membership.
