How might business continuity be impacted by IT matters?
This is a question every Board should be asking. Boards must ensure businesses are coping with new challenges arising from WFH as well as from other aspects of the current crisis.
Pre-Covid-19, not all of Luxembourg’s financial centre was authorised or had the mind-set to allow WFH, so for some, arranging this was now a challenge. Christophe told us that some companies had more or less overnight to change their entire BCP and order new equipment, as these plans generally assumed that if the office was not available then the back-up site would be used. CSSF compliance, internal policies and overcoming internal systems constraints all needed to be considered, whilst also ensuring a smooth WFH for the entire workforce. This has put enormous pressure on IT systems not built with this in mind. “Previously”, he added, “you had maybe 5-10% of the population who might work from home. The infrastructure simply was not there for companies to allow 100% WFH. Some private banks just simply don’t allow it.” Faced with this new paradigm, companies had to handle the logistics of ordering the new equipment required to allow remote access, from laptops to core systems components. Christophe noted that not all had this in place yet. The good news is that with substantial investments being made in infrastructure updates, some of the newly adopted practices will be well-placed to continue post-crisis.
Cybersecurity for remote users must be assessed, with their security properly verified and audited. The CSSF has reminded regulated entities that restricted access is required for sensitive systems.
Directors need to be asking more questions at board meetings, and ensure they receive satisfactory answers. The European Central Bank, for example, has requested weekly reports with statistics and measures taken to ensure adequate cyber compliance.
Business continuity fundamentally relies on IT continuity, so Boards must make this their business, and where necessary increase resourcing for the IT providers. Boards may also need to request third parties be engaged to conduct cybersecurity assessments. A key unknown is how long the crisis will continue, and that will affect planning. More intensive contact with companies might be required by Directors – even weekly meetings in some cases.
In all cases, Directors should be asking more questions.
Examples may include:
• How are the company’s systems coping?
• How are IT staff and helpdesks coping?
• Have updated guidelines been issued to employees to ensure appropriate use and behaviour?
• Is systems access appropriately graded and controlled?
• Is there a clear procedure to follow in case of a security incident? Does everyone know it?
• Request some form of incident reporting, or reports with statistics
• Ask: How might business continuity be impacted by IT matters?