A number of business continuity work-streams will need to be implemented and managed by most companies, covering:
- Compliance, regulatory, data and cyber security policies
- Workforce health, safety and ability to perform their roles
- Premises management
- Supply-chain management
- Response to demand side shocks
- Communication with relevant stakeholders
For each work-stream, specific goals should be set for business continuity management, which should be frequently reviewed and adjusted in the event of an escalating outbreak of the COVID-19 virus.
As a priority, businesses should start to implement continuity planning across a range of practical issues, including:
- Communications to staff, clients and customers, suppliers and other stakeholders
- The business impact of workforce absence arising from self-isolation, staff illness, quarantine and/or caring for dependents
- Increasing tech investment and specialist IT support to facilitate remote working where feasible, including investment in back-up hardware and systems and enabling remote workforce supervision and support
- Contingency planning to mitigate any cash-flow impact and/or supply chain disruption
Compliance with internal policies for confidentiality of data, client call recording and/or general quality standards may be impacted.
It is important to ensure that staff working remotely or providing temporary cover understand how policies apply, and how exceptions are granted.
Businesses need to consider whether COVID-19 issues may impact on their compliance with regulatory obligations and plan accordingly.
Where the effects of COVID-19 are material in any particular respect (for example, causing a significant threat to resources or the ability of businesses to continue to provide adequate services to their customers), firms will be required to provide immediate notification to their Regulator.
For financial services firms, the PRA and FCA will expect businesses to identify, manage and seek to mitigate risk.
Manufacturing companies should review the regulatory aspects of any proposals to source alternative raw materials and/or parts or re-engineer existing products.
Where relevant, businesses should also take note of any Government restrictions on the import and export of goods to the UK or the operation of airports and ports.
Maintaining data integrity, privacy and reputational issues
For businesses that can support, or partially support, remote working, ensure:
- Access to adequate IT infrastructure is in place, including sufficient software licences and bandwidth to accommodate an upsurge in remote working; and
- Delivery of clear communication of the policies the workforce is required to follow when working remotely, including strict compliance with confidentiality obligations to clients, suppliers and the business.
Wherever possible, remote workers should be provided with the facility to access the business email system securely.
If remote workers have to access another system to work remotely, this will likely be sub-optimal – increasing the risk of hacking (see below), loss of confidentiality and loss of data.
GDPR requires all businesses to ensure adequate levels of data security. Using an unknown or insecure provider risks putting the employer in breach of that obligation. If this cannot be avoided, at the very least, impose policies that restrict remote hard copying facilities to the extent possible to avoid inadvertent confidentiality breaches, and ensure communications and work product are password protected.
High levels of awareness around COVID-19 and the resultant public concern have seen an increase in criminals using public health themed phishing emails to deliver malware and steal sensitive information. Staff should be advised of this and reminded of relevant processes for handling suspicious emails.
Requirements for remote working may also present opportunities for cyber criminals, as staff may be required to work outside normal policy and use unfamiliar systems. Personnel should be provided with clear guidance on processes for authentication and secure access. This is particularly relevant where staff are providing temporary cover or are working remotely. Extra controls should be introduced around financial transactions, including their authorisation. For example, transactions could be verified by both an e-mail and a follow-up confirmatory telephone conversation.
Remote working may also create challenges in responding to security incidents, which could worsen the impact of a cyber attack. Businesses should consider which elements of their response plans require physical access to systems and develop contingency options for their response.