
May 15, 2020

kpmg.com

Technology risks in light of COVID-19
Performing a rapid technology impact assessment


Performing a COVID-19 rapid technology impact assessment

Where are we today?

With management’s attention on COVID-19 response, technology leaders have a responsibility to monitor key technology risks, support critical control operation, and protect against high-risk vulnerabilities. A rapid technology impact assessment can help technology leaders quickly identify technology risks in their environment and determine which controls are critical to mitigating those risks. During disruption, as key decisions that affect key systems and processes are being made daily, a targeted and timely evaluation is critical to help ensure the technology environment is protected.

Organizations are working together to meet the unprecedented challenges of a rapidly changing landscape to establish clarity, emerge with strength, and inspire the future of business. Efforts are being organized into three phases: resilience, recovery, and new reality.

Resilience

Reflects the need to operate in an environment of rapid change while assessing business impacts. Businesses are implementing strategies to stabilize and protect businesses, sustain operations, and withstand economic pressures.

Marketplace technology trends:
– Provided a safe but connected workforce
– Deployed technology innovations and work-arounds
– Identified resiliency challenges and opportunities
– Experienced onset of uncertainty

Recovery

Focuses on restoring confidence, reshaping operations, incorporating learning, and transforming to meet the changing patterns of demand and consumption.

How tech risk teams are responding:
– Optimizing and securing technology
– Supporting new phases of resilience
– Driving cost and operating efficiencies
– Demonstrating the tech risk value proposition

New reality

Businesses are adapting strategies and experiences to a world more comfortable with virtual connectivity, implementing changes to improve business resiliency and enhance risk management, and responding to newly developing consumer habits: what do we keep, throw away, enhance?

Potential future outcomes:
– Evaluate and continue innovations
– Redefine the tech risk operating model
– Revisit and reestablish “new basics”

© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDP090816-1B


KPMG rapid technology impact assessment framework

As technology leaders work through the resilience, recovery, and new reality phases, they will face challenges and uncertainty that have not been faced before, and understandably their responses will vary based on organizational priorities. What is clear is that tech risk professionals (tech risk and tech audit functions) need a strong point of view on their value proposition. They need to be relevant to their organization and should focus on what is relevant now, not on what was planned six months ago. Tech risk professionals should be laser-focused on identifying control deficits and new risks: what are they, and how are they being addressed? Lastly, in the new reality, they need to define the new "standards" of risk and control, which will inevitably change with new ways of working and greater influence from technology consumers.

This framework is designed as a rapid impact assessment that enables tech risk professionals to address the statements outlined above, while providing a mechanism to continuously assess technology risk in light of the ever-changing risk landscape as organizations address the fallout from the global impact of COVID-19.

Why should you perform a rapid technology impact assessment?

1. Are you identifying emerging technology risks, vulnerabilities, and threats related to COVID-19 before they materialize?
2. Have you made changes to your security controls and posture in light of COVID-19?
3. Have you assessed the impact that COVID-19 will have on your compliance and regulatory obligations?
4. Have you introduced new technologies or unexpected changes to the environment as a result of COVID-19?
5. Can you summarize quickly for executive leadership and the board the effects that COVID-19 has had on the technology organization and strategy?


70% of tech risk professionals are actively assessing the impact of COVID-19 within their environments. (Source: KPMG Road to New Reality Webcast Survey, May 2020)


COVID-19 illustrative risk scenarios

Strategy and governance
— Key employees with requisite knowledge are not available for mission-critical tasks or key projects
— Technology budgets may decrease and impair the ability to deliver services and solutions in alignment with the technology strategy
— Key decisions are made in an ungoverned manner that goes against technology policy and standards

Programs and implementation
— Increased cost or inefficiency to the business from deferring or discontinuing a project
— Increased noncompliance with project management standards and procedures (e.g., user acceptance testing, conversions)
— Inability to deliver projects due to resource capacity and lost knowledge (e.g., furloughs, competing priorities, delayed consulting engagements)

Security and data privacy
— Cyber security vulnerability and patch management not maintained
— Increase in COVID-19-related phishing activity without a matching increase in security awareness efforts
— Increased use of bring your own device (BYOD) and remote connectivity introduces new security vulnerabilities
— Movement, transfer, and storage of sensitive data in a remote working environment increase the likelihood of compromising that data

Identity and access management
— Access of terminated or furloughed employees to corporate systems and sensitive data is not removed in a timely manner
— Increased risk of unauthorized access and segregation of duties conflicts due to additional access rights being provisioned as part of the COVID-19 response

Availability and business disruption
— Business continuity planning (BCP), disaster recovery planning (DRP), and incident management plans not fit for purpose in a remote work environment
— Increase in single points of failure as a result of remote operations
— Increased supply chain availability risks
— Lack of organizational preparedness as the economy and impact evolve

Operations
— Operations teams are not scaled to handle the increased volume of service requests
— Processes do not allow for rapid response and ongoing management of remote access technologies and infrastructure technology to accommodate the evolving needs of the business
— Critical technology resources are not identified or available to support operations, impacting effective response and business continuity

Emerging technology
— New collaboration tools or digital tools deployed rapidly without full assessment of security and controls
— New mobile devices, cloud solutions, or automation deployed without full assessment

Compliance
— Changes in technology processes may result in noncompliance with regulatory (e.g., privacy, SOX) requirements
— Changes to regulatory requirements not being monitored in a timely manner

Infrastructure and asset management
— Critical facilities are inaccessible
— Increased remote network traffic without proper capacity and stress testing
— Improper use of VPN technologies
— Inability to respond to the increase in service desk issues

Third party management
— Third parties may become insolvent or inaccessible and unable to continue performing services, causing disruption to business operations
— Key technology third parties are unable to scale or flex to accommodate the changes needed or meet the demands of the business
— The pandemic response of third parties is not effective or controlled, creating unknown operational, regulatory, or security risk to the business


Rapid impact assessment timeline and activities

The timeline spans Weeks 1 to 4 across four phases, the last of which is ongoing:

Assemble
– Agree timing, survey method, communication strategy, and number of stakeholders
– Tailor the framework using the COVID-19-specific technology risk catalog and incorporate organization-specific risk areas

Assess
– Conduct the rapid impact assessment via an online survey tool and virtual discussions
– Assess the likelihood and impact of risks materializing
– Vet the results with key stakeholders

Adapt and Execute
– Provide dashboard reporting
– Develop executive summary and detailed results reporting
– Develop management action plans to mitigate risks

Reassess (ongoing)
– Reassess on a recurring frequency as warranted
– Provide stakeholder reporting and monitor progress against plan

Illustrative output

Providing top areas of impact and where action is needed to manage risks will be a valuable outcome of this assessment. Below is an illustrative way to summarize and communicate with key stakeholders and organization leaders. For each technology risk domain the dashboard rates impact and likelihood on a Low-to-High COVID-19 impact scale, rolls them into a summary risk result, and flags whether an action plan is needed:

Technology risk domain               Needs action plan
Strategy & governance                Yes
Security & data privacy              Yes
Availability & business disruption   No
Emerging technology                  No
Infrastructure & asset management    No
Programs & implementation            Yes
Identity & access management         No
Operations                           No
Compliance                           Yes
Third party management               Yes


Illustrative action plans

Identifying new technology risks will be a key outcome of this assessment, but more important still is the identification of quality, comprehensive action plans to manage those risks, together with detailed responsibilities and timelines. Below are example action plans that we have seen technology leaders execute coming out of the impact assessment.

Security and data privacy
— Assess and monitor the security team’s management strategies for increased cyber threats, including ramped-up phishing activity, off-boarding of personnel and contractors, mobile device management, BYOD, and data sharing.

Strategy and governance
— Understand and assess the changes to the IT strategy in light of the COVID-19 response and the adoption of new working approaches and operating models. Review IT’s currently planned initiatives and project portfolio against the updated strategy.

Compliance
— Review technology changes that have been implemented since the COVID-19 response activities began, and assess compliance with internal policies and external compliance requirements.

Programs and implementation
— For programs that are being put on hold, evaluate how management is managing risk in the program shutdown across the areas of business case, technology solution, people and change, compliance and controls, financials, and third parties.

Third-party management
— Work with the IT vendor management office (VMO) and/or service owners to assess changes to vendor services, performance, service levels, contracts, and operating model to address increased or changed demand during the pandemic. Evaluate strategies for managing new risks and navigating changes.


Summary of technology-focused COVID-19 resources

Below is a summary of recent KPMG publications specific to technology and COVID-19:

Don’t ignore technology risks in COVID-19 response

Highlights how technology risk teams can play a critical role in ensuring companies’ technology and operational resiliency.

Addressing the cyber security challenges of COVID-19

The CISO has key roles to play in helping to ensure their organization can function as containment measures are implemented.

Risk considerations when reprioritizing programs during COVID-19

KPMG outlines how organizations can evaluate the short- and long-term impacts of postponing programs during COVID-19.

Pivoting to remote working at scale

COVID-19 has driven radical change in businesses. How can you get your security to scale up with your remote working infrastructure?

How the IT auditor can help

A guide to the recalibrated role of internal audit related to the enterprise IT agenda due to the COVID-19 environment.

COVID-19: Insights for CIOs and IT executives

KPMG has developed a list of considerations that you as an IT leader might consider as you tackle supporting your company through these challenging times.

KPMG’s full COVID-19 resource center is available at kpmg.com.


Contact us

For more information or guidance on these issues, please contact:

Beth McKenney Principal, Technology Risk Management, Advisory T: 313-230-3406 E: [email protected]

Tyler Williamson Director, Technology Risk Management, Advisory T: 404-739-5395 E: [email protected]

Louise Pordage Director, Technology Risk Management, Advisory T: 857-507-7203 E: [email protected]

www.kpmg.com

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDP090816-1B

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

kpmg.com/socialmedia