This blog post is the first in a two-part series. In our initial article, we will explore cybersecurity and remote work during the COVID-19 pandemic and its role in expanding an enterprise’s attack surface. In our next blog post, we will examine privacy issues related to COVID-19 contact-tracing.
The COVID-19 pandemic offers an interesting opportunity to look at both the risk and management of Environmental, Sustainability and Governance (ESG) factors in a highly volatile operating environment. There is little doubt that the risks associated with two of these factors – privacy and cybersecurity – have been amplified by the pandemic as enterprises are forced to shift to remote working environments, in some cases without the benefit of long-term transition planning. As investors attempt to understand the operational risks driven by COVID-19, we consider cybersecurity to be an important factor to monitor.
An Expanding Attack Surface for Enterprises
Even before COVID-19, privacy and cybersecurity had emerged as key operational risks for enterprises. According to Sustainalytics incidents data, we have seen a steady rise in unique incidents tied to data privacy and security over the past five years.[i] Our incident generation process considers impacts such as operational disruptions, as well as risks in the form of legal or regulatory liability, such as those driven by the European Union’s General Data Protection Regulation (GDPR). Couple this with data from IBM Security showing that in 2019 the average cost of a single data breach was USD 3.9 million, with 25,575 records compromised on average, and the operational impact and financial costs can quickly escalate.[ii]
[Figure: Unique Data Privacy and Security Incidents (May 2015 – May 2020)]
While remote work may offer flexibility and convenience, this abrupt shift in working arrangements has expanded the attack surface available to malicious actors. Unlike a secure corporate network backed by an IT security organization, residential network connections and personal devices are much more vulnerable. With the pandemic, everyone in a company, from senior executive officers to regular employees, is now “outside” the standard security perimeter. This generates new opportunities for cybercriminals to exploit vulnerable connections and gain access to sensitive corporate data. While it is still early to assess the overall impact, preliminary data already suggests an escalation in cyberattacks, with reports citing a 238% increase in cyberattacks targeting banks alone.[iii] According to a survey commissioned by Barracuda, a firm that specializes in IT security, 46% of global businesses encountered at least one cyberattack since transitioning to remote work, and 49% said they expect to suffer a cyberattack in the next few months.[iv] Even the World Health Organization (WHO) reported a fivefold increase in targeted cyberattacks.[v]
The proliferation of cloud-based videoconferencing applications amidst the pandemic, such as Zoom, has created new threat vectors, that is, pathways for malicious actors to exploit. Zoom has become well known for its ease of use, but is it secure? Zoom has been widely adopted, and its current valuation reflects this increase in use.[vi] However, its security flaws are well known, as demonstrated by the addition of “zoombombing” to the cybersecurity lexicon. This has led to limitations on corporate and government use, along with regulatory investigations. To its credit, Zoom has rapidly implemented a new privacy and cybersecurity program and acquired Keybase, an end-to-end encryption and file-sharing company.[vii] However, claims that Zoom was not transparent or proactive in fixing known vulnerabilities may impact its credibility in the event of additional vulnerabilities.[viii]
Zoom is not the only company where management of this issue contributes to overall ESG risk. According to Sustainalytics data, where we track the Data Privacy and Security MEI at the company level, about 51% of enterprises are assessed to be at medium risk of experiencing financially material impacts as a result of this issue. This means that for these companies, a substantial degree of risk exposure remains unmanaged after taking into account corporate privacy and cybersecurity-related management capabilities.[ix]
[Figure: Distribution of Data Privacy and Security MEI Risk Category (n=3,047)]
Beyond COVID-19: Implications of Remote Work as a New Normal
Even before COVID-19, remote work had risen along with the prevalence of high-speed internet. The pandemic has accelerated this shift. Recent developments, such as Twitter, Facebook and Shopify’s announcements that they will offer remote options to most of their employees, suggest that it could become the norm in certain industries.[x] As a result, many enterprises will need to reassess their overall cybersecurity capabilities as part of a broader business continuity strategy, from data security controls to system certifications, as well as relationships with external partners. This also means that investors may have to examine the change in a company’s long-term risk landscape related to data privacy and cybersecurity issues. In this regard, Sustainalytics’ Data Privacy and Security MEI can be used as a starting point to understand which enterprises face relatively higher levels of risk and whether they have the appropriate mechanisms to effectively manage this exposure.[xi]
[i] Incidents between May 2015 and May 2020