Working from home – A checklist of the IT risks and exposures

6 min read

For further information, please visit the White & Case Coronavirus Resource Center.

As the COVID-19 disease continues to spread, many countries have implemented nationwide lockdowns and many businesses have mandated employees to work from home. Even with the relaxation of lockdowns in different parts of the world, working from home continues to be in place as a cautious approach taken by employers. However, the huge surge in Internet traffic and the increased reliance on remote access and online conferencing platforms have created concerns over the resilience of the IT infrastructures that keep things running. Working from home also exposes companies to increased security risks and Internet fraud.

IT service providers worldwide, such as Internet broadband providers, virtual private network (VPN) operators and cloud computing firms, are facing unprecedented challenges to meet demands so as to enable businesses to continue to operate while employees work in their home environment. Apart from the potential strains on different IT systems, interruptions in societies may also prevent engineers from attending onsite checks and maintaining hardware and cables, posing a real-time stress test on the world's IT infrastructures.

While the full impact of the COVID-19 outbreak and the resulting responses from the IT sector remain to be seen, substantial business disruptions brought by IT service failures due to strains from increased remote working are possible. IT disruptions may include significant drops in Internet broadband speed, VPN connectivity issues, and syncing problems with cloud storage or email systems. Employees working from home with less stringent Internet security protection may expose the business to hacking possibilities, posing enhanced security or operational risks to businesses. All of these may significantly affect a corporation's quality and delivery of services to its customers or clients and may also lead to significant financial losses.

Whether corporations have already been working remotely for weeks or are just starting to do so, IT disruptions during the COVID-19 outbreak could substantially impact the performance of day-to-day business. It is therefore important to consider the points below to ensure that business remains as usual and is properly protected.


Review IT service contracts

  • Review each IT service contract, and consider your contractual rights if an IT service provider is unable to deliver services over a certain period of time. Consider:
    • whether any non-performance due to the effects of COVID-19 will be subject to a force majeure provision (for further information on implications on force majeure clauses, see Suspending contractual performance in response to the coronavirus outbreak);
    • whether any non-performance due to the effects of COVID-19 will be subject to a material adverse change clause; and
    • whether any temporary suspension of IT services due to above-peak demand and usage will constitute an event of default.
  • If there is a potential claim against an IT service provider, consider:
    • whether there is any exclusion liability clause that may limit the remedies to be claimed, for example, the exclusion of specific heads of loss, exclusion of consequential or indirect losses, time bars on claims etc.; and
    • whether there is any potential obligation to mitigate, and identify the measures which can be taken. For example, to initiate discussions with the IT service providers in respect of any contingency plan and to seek alternative IT service providers to minimise loss from the disruptions.


Review insurances polices

  • Review existing insurance policies to determine their coverage on business disruptions due to IT service failures.
  • Discuss with insurers to explore the need for additional cover on specific new exposures in respect of any IT disruptions.
  • Identify if insurers' consent is required for steps anticipated to be taken in response to any IT disruptions.
  • Consider whether any mitigation measures may be relevant to and fall under any available heads of cover.
  • Take note of all notification requirements under the insurance policies and comply strictly.


Assess business operations and evaluate their reliance on IT services

  • Conduct a full assessment on the extent to which existing business operations may rely on various IT services.
  • Evaluate the potential impact of any IT disruptions on the delivery of services to customers or clients.
  • Consider alternative options and formulate contingency plans when the main IT service providers are not performing.


Publish internal work from home policies for employees' reference

  • Publish internal policies to employees on remote working arrangements, which may cover:
    • the expected productivity standards during working from home;
    • the preliminary solutions to any IT connectivity, technical and logistical issues; and
    • a reporting mechanism on any IT disruptions.


Closely monitor IT incidents and disruptions

  • Check internal IT incident response frameworks for compatibility with remote working arrangements.
  • Closely monitor any repeated IT incidents or continuous IT disruptions, and keep a comprehensive record of such details.


Beware of fraud and potential hacking risks

Aside from employees, it is likely that a lot of your business partners and suppliers (including their senior officers) in different parts of the world are also working from home. Thus, the risks of Internet disruption and security breaches are also pertinent in your counterparties' IT systems. This, in turn, may translate into an increased exposure to hacking and Internet fraud. Therefore, it would be important to pay additional attention and diligence to your interactions with your business partners.

  • Be mindful of any requests for payment, and in particular, any request to change payment or account details.
  • If possible, confirm with your contact orally (rather than by email) of any such payment requests.
  • Check the actual email address of the payment request email against the old emails you received from your business partners. Attention to detail is key here as very often, hackers would use a slightly different email address when sending such emails, which masks their identity.
  • Seek confirmation through a new email chain after payment has been made.
  • If a fraudulent activity has been discovered, act quickly. It is sometimes not too late if an immediate request is made to your own corresponding bank to stop the payment.

The key message for all corporations is to have full knowledge of their rights and obligations on existing IT services contracts, be acutely aware of their businesses' reliance on various IT services, and be prepared to act promptly and flexibly in the event of any IT disruptions or security breach. As the COVID-19 outbreak has evolved from an unprecedented event to a known risk, corporations should consider taking active steps to mitigate risks and losses arising from potential IT disruptions which could substantially impact their businesses.


Denise Cheung (White & Case, Associate, Hong Kong) contributed to the development of this publication.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP