July 15, 2020

Managing Cyber Risk in Insolvency Situations

Insolvency is not an easy process for any company. There are innumerable challenges to face and fires to fight, with internal and external stakeholders alike. But any increase in risk within an organisation makes that business a more tempting target for criminals. Businesses undergoing insolvency proceedings are not setting aside enough time and budget to plan for cyber resilience in this new context. With cyber criminals becoming ever more innovative, specific plans are required to protect core business assets.

Companies in all sectors are dealing with increased pressures during the COVID-19 crisis. Some sectors that are being hit especially hard, like tourism and hospitality, could see large increases in defaults and insolvencies through the rest of this year. Insolvency creates new vulnerabilities for businesses that make effective cyber risk planning even more important.

Insolvency creates new and existential cyber risks

The most common threat to organisations is an external cyber attack that seeks to compromise systems and extract data from an organisation. Cyber attacks are now an everyday threat: 80% of IT leaders surveyed in CyberEdge’s latest Cyberthreat Defense Report said that their organisation had suffered a successful attack in the last 12 months.

As well as external attacks, security leaders perceive insider threats as a growing concern. Insider threats include scenarios like employees exfiltrating proprietary data from the organisation, whether to express discontent or to act as whistleblowers. According to ENISA’s latest Threat Landscape Report, 54% more organisations recorded increasing insider threat levels in 2018 compared to the previous year.

Internal and external risks are exacerbated in an insolvency context. If a company’s insolvency is featured in the media, it can draw attackers’ attention to the difficulties the company is facing and increase the chance of new cyber attacks. Internally, employees may be angry or actively searching for new jobs: both these circumstances increase the chances of data being exfiltrated from the organisation.

To make matters worse, COVID-19 has created a new working environment that may raise the chance of high-risk conduct. More data and information is being transferred than ever, and much of this is now being done over personal Wi-Fi connections rather than secure corporate environments or VPN-protected networks. Globally, just 25% of internet users have used a VPN in the last 30 days.

Creating an insolvency cyber plan

Companies in insolvency situations may not think of cyber security straight away. But any organisation undergoing an insolvency has to take steps to protect its most crucial and valuable assets.

Finding new budget in an insolvency is never easy. However, it may not be necessary to find more cash – instead, executives can focus on optimising expenditure and making existing budget work harder. This might even involve reducing spend, as long as the money is focused on the essential assets that ensure business continuity: the so-called crown jewels.

Part of the challenge for CEOs is understanding what the crown jewels actually are, establishing where they sit in the organisation, and ensuring they are protected in the right way. (CIOs and other IT leaders can play a part in this process, but the final decision has to rest with the CEO and the board.)

A strong cyber plan should begin with three simple steps:

  1. Assess business assets, understanding which data or cyber infrastructure are truly business-critical – essentially, identifying the crown jewels. (An online retailer may regard its database of customer email addresses as an especially important digital asset, for instance. For a manufacturing company, it might be the Industrial Control Systems (ICS) governing the production.) Assets that save money or generate new revenues must be prioritised before money is spent protecting non-essential data.
  2. Assess security technology, with the dual purpose of checking the level of protection over the crown jewels and optimising cyber spending, focusing budget on where it is actually needed.
  3. Define a roadmap, planning how to right-size cyber expenditure and reduce business risk in the shortest possible time in order to protect the crown jewels. This is particularly important during an insolvency, where there may be additional scrutiny of spending from creditors.

One advantage of an insolvency setting is the ability to bring more flexibility and deliberate thought to security spending. Many organisations apply roughly the same degree of protection to all assets, but this can both overprotect non-critical assets and underprotect the crown jewels.

Summary: responding in high-pressure situations

Managing a company’s response to an insolvency process is always difficult. The CEO’s challenge is to preserve and protect the inherent value of the company, for shareholders, creditors, employees and other stakeholders. But insolvency processes can create new and very serious cyber security risks: if an already jeopardised organisation suffers from a serious cyber attack, the threat might be existential.

A&M has worked with some of the largest European and global organisations to stabilise financial performance, transform operations, catapult growth and accelerate results through decisive action. When traditional improvement activities are not enough, A&M’s restructuring and turnaround heritage brings fact-based, action-oriented leadership to transformation and delivers rapid results.

Our professionals have both operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our Cyber Risk Services, please get in touch with one of our key contacts.
