This blog post is the first in a two-part series. In our initial article, we will explore cybersecurity and remote work during the COVID-19 pandemic and its role in expanding an enterprise’s attack surface. In our next blog post, we will examine privacy issues related to COVID-19 contact-tracing.
The COVID-19 pandemic offers an interesting opportunity to look at both the risk and management of Environmental, Sustainability and Governance (ESG) factors in a highly volatile operating environment. There is little doubt that the risks associated with two of these factors – privacy and cybersecurity – have been amplified by the pandemic as enterprises are forced to shift to remote working environments, in some cases without the benefit of long-term transition planning. As investors attempt to understand the operational risks driven by COVID-19, we consider cybersecurity to be an important factor to monitor.
An Expanding Attack Surface for Enterprises
Even before COVID-19, privacy and cybersecurity had emerged as key operational risks for enterprises. According to Sustainalytics incidents data, we have seen a steady rise in unique incidents tied to data privacy and security over the past five years.[i] Our incident generation process considers impacts such as operational disruptions, as well as risks in the form of legal or regulatory liability, such as those driven by the European Union’s General Data Protection Regulation (GDPR). Couple this with data from IBM Security that in 2019, the average cost of a single data breach was USD 3.9 million with 25, 575 records compromised on average, the operational impact and financial costs can quickly escalate.[ii]
Unique Data Privacy and Security Incidents (May 2015-May 2020)
Source: Sustainalytics
While remote work may offer flexibility and convenience, this abrupt shift in working arrangement has expanded the attack surface available to malicious actors. Unlike a secure corporate network backed by an IT security organization, residential network connections and personal devices are much more vulnerable. With the pandemic, everyone in a company from senior executive officers to regular employees are now “outside” the standard security perimeter. This generates new opportunities for cybercriminals to exploit vulnerable connections and gain access to sensitive corporate data. While it is still early to assess the overall impact, preliminary data already suggests that there has been an escalation in cyberattacks with reports citing a 238% increase in cyberattacks targeting banks alone.[iii] According to a survey commissioned by Barracuda, a firm that specializes in IT security, 46% of global businesses encountered at least one cyberattack since transitioning to remote work and 49% expressed that they expect to suffer a cyberattack in the next few months.[iv] Even the World Health Organization (WHO) reported a fivefold increase in targeted cyberattacks.[v]
Threat Vectors
The proliferation of cloud-based videoconferencing applications amidst the pandemic, such as Zoom, have created new threat vectors, that is, pathways for malicious actors to exploit. Zoom has become well known for its ease of use, but is it secure? Zoom has been widely adopted and its current valuation reflects this increase in use.[vi] However, its security flaws are well-known as demonstrated by the addition of “zoombombing” to the cybersecurity lexicon. This has led to limitations on corporate and government use, along with regulatory investigations. To its credit, Zoom has rapidly implemented a new privacy and cybersecurity program and acquired Keybase, an end-to-end encryption and file-sharing company.[vii] However, claims that Zoom was not transparent or proactive in fixing known vulnerabilities may impact its credibility in the event of additional vulnerabilities.[viii]
Zoom is not the only company where management of this issue contributes to overall ESG risk. According to Sustainalytics data, where we track the Data Privacy and Security MEI at the company level, about 51% of enterprises are assessed to be at medium risk of experiencing financially material impacts as a result of this issue. This means that for these companies, a substantial degree of risk exposure remains unmanaged after taking into account corporate privacy and cybersecurity-related management capabilities.[ix]
Distribution of Data Privacy and Security MEI Risk Category n=3047
Beyond COVID-19: Implication of Remote Work as a New Normal
Even before COVID-19, remote work had risen along with the prevalence of high-speed internet. The pandemic has accelerated this shift. Recent developments, such as Twitter, Facebook and Shopify’s announcements that they will offer remote options to most of their employees, suggest that it could become the norm in certain industries.[x] As a result, many enterprises will need to reassess their overall cybersecurity capabilities as part of a broader business continuity strategy, from data security controls to system certifications, as well as relationships with external partners. This also means that investors may have to examine the change in a company’s long-term risk landscape related to data privacy and cybersecurity issues. In this regard, Sustainalytics Data Privacy and Security MEI can be used as a starting point to understand which enterprises face relatively higher levels of risk and whether they have the appropriate mechanisms to effectively manage this exposure.[xi]
Sources:
[i] Incidents between May 2015 – May 2020
[ii] https://www.ibm.com/security/data-breach
[iii] https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/
[iv] https://blog.barracuda.com/2020/05/06/surge-in-security-concerns-due-to-remote-working-during-covid-19-crisis/
[v] https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
[vi] https://www.visualcapitalist.com/zoom-boom-biggest-airlines/
[vii] https://www.cnet.com/news/zoom-security-issues-zoom-buys-security-company-aims-for-end-to-end-encryption/
[viii] https://nymag.com/intelligencer/2020/04/the-zoom-app-has-a-lot-of-security-problems.htm
[x] https://www.bloomberg.com/news/articles/2020-05-21/shopify-is-joining-twitter-in-permanent-work-from-home-shift?srnd=premium-canada&sref=wv7TMTgY
[xi] https://www.sustainalytics.com/esg-ratings/
Recent Content
Six Best Practices Followed by Industries Leading the Low Carbon Transition
In this article, we take a closer look at the leading industries under the Morningstar Sustainalytics Low Carbon Transition Rating (LCTR) and examine the best practices that have allowed them to emerge as leaders in managing their climate risk.
-5-key-questions-answered-about-company-readiness-and-investor-risk.tmb-thumbnl_rc.jpg?Culture=en&sfvrsn=ee2857a6_2 "Navigating the EU Regulation on Deforestation-Free Products (EUDR): 5 Key Questions Answered About Company Readiness and Investor Risk")
Navigating the EU Regulation on Deforestation-Free Products: 5 Key EUDR Questions Answered About Company Readiness and Investor Risk
The EUDR comes into effect in December 2024, marking an important step in tackling deforestation. In this article, we answer five key questions who the EUDR applies to, how companies are meeting the requirements, and the risks non-compliance poses to both companies and investors
Child Labor in Cocoa Supply Chains: Unveiling the Layers of Human Rights Challenges
Child labor remains a persistent issue in the cocoa supply chain. So can major food brands do to stop it? Discover the steps companies can take to address the issue and ways investors can engage with companies to mitigate it.