European Audit Committee Leadership Network, July 2020
The COVID-19 pandemic has tested information technology (IT) infrastructures and cybersecurity systems in unprecedented ways. Lockdowns forced employees, including executives, to work from home indefinitely, and companies rushed to provide devices to maintain business continuity and technical support on secure networks. New working conditions, and the new ways of doing business they required, rendered many preexisting controls obsolete.
In some cases, criminals and other bad actors seized on the moment to infiltrate company systems in new and creative ways. The rise of layoffs and furloughs—at a time when the pandemic made it difficult to collect company hardware or deactivate network credentials—created additional risk. IT and cybersecurity departments adapted quickly; at times, though, they were more adaptive than proactive. Audit chairs want to understand which strategies and tactical responses were most effective and which lessons can be useful in future crises.
On 26 June 2020, members of the European Audit Committee Leadership Network (EACLN) met virtually to discuss these issues. They were joined by Robin Dargue, global chief information officer at WPP, and Antero Päivänsalo, chief information security officer at Nokia.
EACLN members and their guests explored the following three topics:
The pandemic disrupted IT systems and invited attacks
The shift to remote work disrupted IT systems, employee behaviors, and cybersecurity defenses. Innovative responses maintained business continuity but increased risk by eroding controls. Bad actors adjusted their tactics to take advantage of technological disruptions and health-related anxieties.
Company responses focused on communication and risk management
Companies that responded quickly to the COVID-19 outbreak in Asia learned helpful lessons for the eventual pandemic. Principles-based central messaging that reached everyone in the organization immediately nurtured efficiency and agility. Adjusting controls ensured that business continuity did not create undue risk. Training refreshed and reinforced risk awareness. Risks associated with cloud storage and other third-party solutions were given renewed attention.
Board oversight requires engaging on the details
Audit chairs can help their companies by engaging with and supporting their executives on cybersecurity and IT issues. Companies engaging cloud providers and other third parties should plan carefully and be aware of the downsides. In the future, board oversight of these issues may require additional technical prowess on the board.