Cybersecurity during COVID-19

Published on 24th September 2020

Hannah Dillon, Legal & Regulatory Analyst.

Cybersecurity in the modern workplace is growing in importance. Specifically, companies need to protect sensitive data, personally identifiable information, intellectual property, and data from theft and damage attempted by cyber criminals. This growth in importance is evident from the controls and regulatory categories that Corlytics have most frequently tracked with cybersecurity; firms’ risk management and data protection.

Cybersecurity risks are also increasing, driven by global connectivity and usage of cloud services to store sensitive data and personal information. Since 2019, Corlytics have monitored over USD 552 million in enforcement fines which involve cybersecurity control failures. In July 2020, the New York State Department of Financial Services filed its first cybersecurity enforcement action against First American Title Insurance Company regarding the exposure of documents containing consumers’ sensitive personal information. These charges are the first alleged violations of the Department’s Cybersecurity Regulations, Part 500 of Title 23 of the New York Codes, Rules, and Regulations, and highlights the importance regulators put on cyber resilience.

The protection of internet-connected systems from cyber-threats is at the forefront of firm’s priorities in recent times, especially during the COVID-19 pandemic. Between January and June 2020, compared to the same time frame in 2019, Corlytics have tracked a 37.3% increase in publications by regulators regarding cybersecurity. The pandemic has required remote working which has brought with it new cybersecurity challenges and new opportunities for cyber-attacks to materialise, and regulators are aware of the need for cyber resilience.

BUSINESS CONTINUITY AND CYBERCRIME DURING COVID-19

The pandemic has made it harder for companies to maintain security and business continuity. Companies may have overridden the recommendations of IT security to quickly facilitate remote working and access in line with government measures. Since January 2020, Corlytics have registered the most publications regarding cybersecurity within the European jurisdiction. This was followed by the United States as the jurisdiction with second largest amount of publications, while Asian regulators published the least regarding cybersecurity. This indicates that companies within the EU and US jurisdictions should increase their focus on cybersecurity risk.

The European Union Agency for Cybersecurity has advised employers to ensure they had adequate business continuity through effective backup and restore procedures. In terms of cybersecurity in Ireland, the CBI has stated that it expects firms’ boards and senior management to take responsibility for cyber-resilience by implementing best practice in managing the security of consumers’ personal and financial data, effectively managing consumers’ access to their funds, and rectifying situations where IT and cyber issues have caused consumer harm. The Irish National Cyber Security Centre recommends firms adopt strong cybersecurity defences to ensure remote services are properly integrated, and that firms should provide security awareness for employees working from home.

In the United States, FINRA has increased its focus on cybersecurity. They emphasise the importance of firms training their staff about increased cybersecurity vulnerabilities and potential fraud risks in a remote work environment. FINRA have recognised that firms are involved in additional efforts to monitor and assess critical information technology vendors by engaging a third-party oversight team, in efforts to boost their cybersecurity. The US Department of the Treasury also marked this area as high priority to ensure that the financial system’s infrastructure remains operational during the pandemic, since the access of all policy initiatives in financial services depends on cyber resilience.

CYBERSECURITY THREATS AND FRAUD

While firms implement working from home measures during the COVID-19 pandemic, these actions create opportunities for cyber threats to compromise IT systems. Working from home has increased the use of potentially vulnerable services such as VPNs which amplifies the threat to individuals and organisations.

A speech by the Bank of England drew attention to two principle methods used by cyber criminals during the pandemic, phishing e-mails and malware, and highlighted that these methods have continued to rise. Firms are warned to be aware of the growing number of COVID-19 related themes used by cyber attackers. The UK’s National Cyber Security Centre has detected more UK government branded scams relating to COVID-19 than any other subject. The CSSF have reported a significant increase in the number of scam campaigns relating to COVID-19 since January 2020, with almost 3% of global spam now COVID-19 related. The CSSF encourage companies to remain vigilant and continue to implement and maintain effective systems and controls to ensure that their system infrastructure is not vulnerable to cyber-attacks or fraud.

The World Health Organization (WHO) has also reported a large increase in the number of cyber-attacks directed at its staff and fishing e-mail scams that target the public. WHO have noticed an increase in scammers impersonating them in emails to channel donations to a fake fund instead of the authentic COVID-19 Solidarity Response Fund.

OUTLOOK

Europol have warned that the number of cyber-attacks is expected to increase further, as cyber criminals continue to innovate their development of malware themed around the COVID-19 pandemic. Europol highlights that cyber criminals are likely to exploit the increase around employers adopting telework and allow connections to their organisations’ systems from employees’ homes. If firms choose to outsource their cybersecurity while working remotely, IOSCO stresses that they must always ensure that the service providers maintain appropriate IT security, cyber resilience, and disaster recovery capabilities and business continuity plans.

Overall, the importance of cybersecurity and, more specifically, protecting against cyber risks has been heightened by the COVID-19 pandemic. Since the beginning of 2020, Corlytics has analysed over 100 regulatory notices relating to cybersecurity. As firms continue to implement working from home measures, regulators will continue to implement cyber resilience requirements.

Corlytics’ RegTech solutions can assist firms to shape their compliance with such requirements and ensure sound business continuity during the pandemic.

Please contact us to find out how we can help your business.