
COVID’s impact on cyber and operational risks vs. corporate resilience - by Fatema AlSaad


“COVID-19 is a black swan”: a statement we have been hearing ever since COVID-19’s impact materialized after the first quarter of 2020. The impact of this pandemic on our lives, our businesses and the way work is conducted has been far beyond the world’s expectations. Unlike the 2008 financial crisis, COVID-19 impacted all sectors and business models and increased most financial and non-financial risks. This article focuses on the impact on cyber risk and discusses how proper corporate resilience can aid in meeting the challenges posed by the pandemic.

In an interview with the New Yorker conducted in April 2020, Nassim Nicholas Taleb, Distinguished Professor of Risk Engineering at NYU Tandon School, who published “The Black Swan”, proposed antifragility in systems, that is, an ability to benefit and grow from a certain class of random events, errors, and volatility. Professor Nassim said, “The great danger has always been too much connectivity”1. Today, almost a year since his interview and more than a year into the pandemic, we have seen that the vulnerability of the world to a global crisis has actually increased due to increasing global connectivity. COVID-19, which first erupted in Wuhan, China, ultimately resulted in cybersecurity breaches worldwide.

As employees started working remotely, they started using technologies they were not used to. That has become the new normal. Cyber-attackers saw this as an opportunity to exploit employees working from home and their interest in coronavirus-related news. In fact, in Switzerland, one in seven survey respondents said that they had experienced a cyber-attack during the pandemic. According to swissinfo.ch, there were 350 reported cyber-attack cases in Switzerland in April 2020, against the norm of 100-150 cases. Furthermore, in July 2020, the City of London Police reported that since January 2020, losses due to COVID-19 scams had reached GBP 11 million. Hackers were also able to gain access to different video conferencing services to steal the personal data of users and obtain confidential information. This information is then sold or made available to the public in order to damage the company’s reputation2.

COVID-19 and cyber risk

1 / Bernard Avishai, 2020. “The Pandemic Isn’t a black swan but a portent of a more fragile global system”. The New Yorker (Daily Comment).

2 / Nabi, C., (N/A). “The Impact of COVID-19 on Cybersecurity”. Available on https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.

operational risks

For banks, the policy changes driven by the expectations of various regulatory agencies in EU and UE, including changed requirements to defer payments, posed new challenges: customer service employees were not well informed about the technicalities and charges associated with these deferments. In addition, the IT systems were not well equipped to deal with such changes, which caused numerous errors (double charging, wrongful loan installment deductions, etc.). This caused confusion and delays for customers and negatively impacted the banks’ reputation.

Furthermore, companies limiting themselves to one or two vendors faced increased supplier risk and to avoid future third party or fourth party risks. Businesses reliant on certain geographical locations, in industries such as tourism, suffered tremendously.

The world had known about COVID-19 ever since its outbreak in Wuhan and its spread in China. However, companies on the other side of the world did not start planning responses. In fact, the SARS outbreak in the early 2000s should have made the world more prepared for a pandemic outbreak. This highlighted the fact that most Boards of Directors would prefer not to invest large amounts of money in order to control major catastrophic risks with a low probability of occurrence3. Companies whose environment judges performance on the short term were the ones that suffered the most.

The Business Continuation Plan (BCP) and the Incident Response Plan (IRP) should be holistic, flexible, and constantly updated, without having to wait for quarterly or semiannual meetings or go through rigid processes. Unfortunately, for most organizations, both the BCP and the IRP proved to be inadequate or even nonexistent for dealing with a pandemic4.

To maintain a resilient business, we need a system that senses what is happening in real time and allows us to take early action before a risk escalates. This calls for a more dynamic BCP and more of a “sense and respond” Enterprise Risk Management (ERM) philosophy. The below figure shows the three aspects needed in this evolution5:

was your company resilient enough?

3 / Texeira T., Milanese S., Beard M., Salvador E. and Eagar R. (2020). “Risk: Strengthening business resilience after COVID-19”. PRISM/2/2020.

4 / Deo P., Raj G. and Perumal R. (2020). “How COVID-19 is Dramatically Changing Cybersecurity”. TATA Consultancy Services.

5 / Texeira T., Milanese S., Beard M., Salvador E. and Eagar R. (2020). “Risk: Strengthening business resilience after COVID-19”. PRISM/2/2020.

companies’ cultures and grey rhinos

COVID-19 should have been treated as a ‘grey rhino’ rather than a black swan: highly obvious and probable but neglected6. Most companies proved that they were ill equipped to deal with such a probability. Building a firm with a strong culture, with discipline in processes, controls and continuity plans, and supporting this culture with adequate systems will promote resilience and ensure the firm’s survival with fewer challenges.

author

Fatema AlSaad became a certified Professional Risk Manager in 2019. She holds a Master of Science in Risk Management from the University of Southampton, UK. Fatema currently holds a Senior Risk Manager position at the Bank of Bahrain and Kuwait, which is the second largest local bank in the Kingdom of Bahrain. Fatema is handling many projects within her bank and department, such as the IFRS9 Expected Credit Loss system, ICAAP and Stress Testing. She has worked in both the Market Risk Unit and the Credit Risk Unit, gaining experience in both aspects.

6 / Moore, S. (2020). “Recasting Operational Risk in COVID-19”. Available on https://www2.deloitte.com/au/en/blog/covid19-blog/2020/recasting-operational-risk-covid.html
