The London-listed veterinary services company hit by a cyberattack has been without a head of cybersecurity amid a churn in its senior IT and technology roles.
CVS Group revealed on Monday that it recently had detected and responded to an incident that it believes will disrupt its operations in Britain for weeks.
The incident has been reported to the Information Commissioner’s Office and is being investigated by third-party consultants.
• Vet group CVS warns of disruption for weeks after cyberattack
CVS has been advertising for a new head of cybersecurity, having had two employees in the job in less than three years since the role was created in 2021.
Advertisement
A breach was listed among 16 key risk factors to the company in its last annual report, issued to shareholders in November, deemed “possible” on a scale of “remote” to “very likely”. It stated that potential hypothetical consequences could include a loss of client data resulting in reputational damage.
Under “mitigating factors’, it stated that it employed a head of cybersecurity alongside third-party advisers “where appropriate to ensure we maintain high standards of protection”. However, the position is understood to have been vacant since December.
A recently closed job advertisement sought a “highly skilled and experienced head of cybersecurity to lead our organisation’s efforts in safeguarding our digital assets and ensuring compliance with industry standards”. Responsibilities were said to include “serving as a trusted adviser to senior leadership” and “conducting regular risk assessments and security audits to identify vulnerabilities and develop mitigation plans”.
A spokeswoman for CVS said the vacancy had been open for “a matter of weeks and we’ve been covering this with internal and external support. We have made an appointment to the post and the successful candidate will start shortly.”
The cyberattack prompted CVS to shut a “small number” of its vet practices for a “short time” and to direct clients to other local practices. CVS has said it believes that any client data was stored on a separate, cloud-based server “which was not impacted as a result of this incident”. The company took its IT systems temporarily offline to contain the “threat of malicious activity”, but admitted that the action had caused “considerable operational disruption over the past week”.
Advertisement
Its IT services to practices and business functions had been securely restored across the majority of its estate, CVS said, although increased security and monitoring had meant that “some systems are not working as efficiently as previously”, which was “likely to result in an ongoing operational impact”. Operations outside the UK were unaffected, as were non-CVS-hosted systems and the group’s ecommerce systems, it said.
The cyberattack has come at a difficult time for CVS, with its shares having slumped amid a separate market investigation by the Competition and Markets Authority.
CVS is one of the biggest veterinary practice businesses in Britain and is one of the largest companies on Aim, the London Stock Exchange’s junior market. It operates about 500 practices throughout the UK, the Netherlands, the Republic of Ireland and Australia and employs about 9,000 people. It also operates laboratories providing diagnostic services to CVS and third parties, pet cremation and clinical waste disposal and Animed Direct, an online retail business.
Shares in CVS, which have nearly halved over the past year, closed down a further 16p, or 1.7 per cent, at 926p.
