Emerging COVID-19 related operational risk update and response guidance

The effects of the COVID-19 pandemic are unfolding at a scale and pace unseen in modern times, sweeping across the globe causing panic, speculation, volatility and uncertainty. Four hours seems like a long time between updates on infection rates, deaths, containment and evolving government response initiatives.

Social distancing efforts are in full force (albeit a bit patchy in real time uptake), resulting in unprecedented containment measures involving the “lockdown” of hundreds of millions of people across the globe. Governments are showering their populations and commercial sectors with billions of dollars in stimulus as a last-ditch effort to salvage their economies as liquidity quickly evaporates. Adding to the unrest is the information that in real terms a vaccine appears to be at least 12 months away, based on clinical testing requirements. To say this is a scary time is an understatement. The situation is fluid, reactionary and unpredictable – a status quo likely to continue for some months.

Undoubtedly, many organisations have been caught flat footed by this event. Right now, business leaders are rightfully in crisis management mode, activating every contingency at their disposal. Hopefully, your business leaders have the experience and wherewithal to steer your organisation through these extremely challenging and unprecedented times and you are affording them your maximum support.

Based on our analysis of the current and future state, we see the following risks emerging as a result of the COVID-19 pandemic:

Cyber security: the panic and fear associated with COVID-19 will rob individuals of their normal sense of cyber security awareness, through a preoccupation or concern with their own personal circumstances. As a result, they become more vulnerable to malicious attacks perpetrated by cyber criminals seeking to commit fraud, maliciously disrupt ICT systems or compromise information. Cyber risk exposure is expected to increase as the workforce adapts to a transition from an office to a remote working environment. Right now, business leaders should be reviewing cyber security policy and procedures to ensure they cover remote access and working arrangements, engaging their employees in cyber security training sessions and conducting regular briefings to ensure awareness and adoption of new measures. Concurrently, IT departments must ensure technical measures associated with the use of cyber security software packages, OS patching and multi-factor authentication have been deployed, are up to date and users are appropriately supported by the business. Business leaders and IT professionals should remain agile and stay across the information, advice and recommendations made by the Australian Cyber Security Centre during these highly uncertain times. You can also refer to our article on managing cyber security risks, published on our website for further information.

Information security: With the mass transition to remote working, employees will be engaging in information security related activities that otherwise would have been done so in a secure commercial environment. For many, business as usual will still involve generating, handling, processing and storing confidential, secure or classified information. It’s likely that communications links with company IT infrastructures will also be stressed, leading to performance issues and scenarios involving the storage of information on local hard drives, as opposed to encrypted servers or cloud storage arrangements. If your company does not have an ISO 27001 based information security management system, now is the time to develop and implement one. Additionally, you should be looking to benefit from short term gains associated with policy and procedural reviews, training, and technical measures such as hard drive encryption, VPNs and the use of encrypted cloud storage systems. Depending on the context and type of material being handled by your organisation, an information security breach could be catastrophic.

Asset protection: as the populous retreats indoors to evade the coronavirus, the less scrupulous and criminally minded will see this as an opportunity to target your organisations assets, equipment and/or infrastructure. The risk of these type of vectors increases during an event like COVID-19 simply by virtu of the fact that there are less people in the workplace, leading to a decrease in natural surveillance, situational awareness, security management and response. Threats may emanate from both internal and/or external sources. Therefore, it is critical that your organisation implements an offensive security posture, based on the measures defined within your physical security plan and an up to date security threat, vulnerability and risk assessment.

Civil unrest: The COVID-19 pandemic will test who we are as both individuals and as a society. Recent events involving people tussling for basic necessities, and in some cases stockpiling them at the expense of others indicate that civil tensions are increasing in temperature, exponentially. As the world approaches a “lockdown” situation, anxieties are expected to escalate with some actors taking a more hard line, physical approach towards securing groceries, supplies and resources. The net effect of which will flame community tension, place increase stress on retailers and law enforcement leading to a further loss in confidence in domestic order and confidence levels. Now more than ever, people need to come together as a community and support the common good.

Domestic violence: Domestic violence was on the increase (in Australia) well before the COVID-19 crisis. According to Federal Circuit Court and Family Court Chief Justice Will Alstergren, instances of domestic violence (DV) are expected to increase in times of crises, as families begin to suffer adverse economic effects driven by a culmination of job losses, debt recovery and contracting liquidity. Additionally, as individuals become less connected, instances of DV will be harder to detect. If you, or anyone you know is experiencing or may be a target for DV, your circumstances should be shared with friends, family and/or the authorities as soon as possible before tensions begin to escalate.

Insurance: insurance is a critical risk management strategy during times of crisis. However, your policy exposure to an event like COVID-19 may not be as comprehensive as you think. Right now, you should be engaging with your lawyer, insurance broker or insurance company to identify any ‘gaps’ in coverage and ensuring the appropriate risk management measures are put in place to reduce your risk.

The effects and subsequent fall out from COVID-19 are expected to continue for the next 6-18 months. Right now, organisations of all types and sizes across Australia and the globe are being tested by this unprecedented disruption event. If you haven’t already done so, now is the time to implement your business continuity plan and stand up your crisis or emergency management teams. How you respond to the effects of COVID-19 over the next 4-6 weeks will define your business success for the next 6-18 months. Key focus areas are your people that support your critical functions, processes and systems. Don’t forget to communicate and engage with your employees, clients, customers, investors, partners and supply-chain. Remember: don’t panic, think clearly, act swiftly and decisively, look for the opportunity and keep those cogs turning.

In the event you require professional advice regarding the security or resilience of your organisation to the effects of COVID-19, [email protected] now.