Cedric Stephens | Risk perception of growing cyber threat

Allianz SE is a multinational financial services company headquartered in Munich, Germany. Its core businesses are insurance and asset management, and it provides services to 90 million customers around the world.

The company publishes an annual risk barometer after surveying experts in Europe, the Americas, Asia, Africa, and the Middle East. Survey participants are asked to identify the biggest risks facing businesses each year. Forty-four per cent of the experts listed cyber incidents as the biggest threat facing businesses in 2022. This estimate increased from 40 per cent in 2021.

Business interruption, which was the subject of last week’s article about the fire at the Jamalco plant in Clarendon, occupied the number two slot at 42 per cent. Risks posed by natural catastrophes were in third place at 25 per cent.

Locally, Digicel Business, a unit of telecoms provider Digicel Jamaica, in a recent research report and guide, listed the five top concerns of local business leaders in the context of things digital. They were, in descending order, insufficient expertise, budget prioritisation, lack of technological infrastructure, lack of sound digital transformation strategy, and security concerns.

Would these business leaders’ perceptions of risks have matched those of the foreign experts if technical skills were not deficient? Are these two things connected?

MC Systems, a technology services provider and member of the JN Group, offers regular and high-quality insights by way of full-page advertorials in this newspaper about developments in the global tech industry. Seven of the 25 paragraphs of its latest publication, 28 per cent, discussed cybersecurity. The company’s forecast for 2022: “businesses will become more vulnerable as hackers gain access to more powerful tools. In 2021, hackers put these tools to the test, racking up 500 million attempted cyber breaches by September. The average ransomware payment climbed to US$570,000 during the first half of the year, from US$312,000.”

Slack with cybersecurity

Other local experts have been sounding the alarm. The head of the Jamaica Cyber Incident Response Team, JaCIRT, disclosed to this newspaper earlier this month that because of Jamaica’s “maturity level of cybersecurity infrastructure” – a fancy way of saying it was not at an advanced stage – the island is seen by hackers as a soft target. JaCIRT, a division of the Ministry of Science & Technology, “identifies thousands of threats annually but only 200, or so are reported to the authorities,” he said. Commercial banks are among the entities that are engaged in under-reporting.

The Jamaica Observer described the state of cybersecurity more dramatically. Companies in the Caribbean region, it reported, were “slack with cybersecurity”. Less than 30 per cent of 2,000 businesses surveyed across the Caribbean have upgraded their cybersecurity even though the number and scale of cyber threats have increased, and companies have become more dependent on technology to conduct their operations because of COVID-19.

The Observer article was quoting from the Digicel Business report cited previously. Liam Donnelly, Digicel Group chief business officer, said on January 28 that “cybersecurity is a hot topic globally … you do not have to be a large company to be targeted … organisations that have not taken the necessary precautions to protect their information remain vulnerable to catastrophic assaults. Protecting company and customer data is imperative to keep the business operational in the face of ever-present threats”.

Chukwuemeka Cameron, a privacy practitioner, attorney-at-law, and founder of a consulting firm that helps companies comply with privacy laws, wrote recently about the Data Protection Act or DPA. Thanks to him, we now know that the DPA has been gazetted and that the information commissioner, the administrator referred to in Section 4 of the act, assumed office on December 1 last year. These are important developments on the cybersecurity front.

In explaining the purpose of that law, Mr Cameron stated that “in 2019, our Constitutional Court actually ... declared our right to informational privacy, and in so doing, our chief justice said that if anyone uses our data without our permission, they would be breaching our privacy rights. So, we are starting from a position of a constitutional right. So, not only is it a constitutional right, but we also have a piece of legislation that gives teeth to that right. That legislation sets out what those rights are”.

DATA PROTECTION

According to Mr Cameron, data protection is even more important because of the information age in which we now live.

“As the CEO, chairperson, or member of a board, there is only one objective you should be focusing on at this time: ensuring that your company is in a position to register with the Office of the Information Commissioner whenever it is announced by the information commissioner that you must register. Having put yourself in a position to register, you can now start implementing your data protection compliance programme,” he wrote.

The new law, when coupled with the ever-increasing dependence of businesses on digital solutions to run their operations, plus the use of more sophisticated tools at the hackers’ disposal, will inevitably increase companies’ exposure to risk.

Part IV – Standards for Processing Personal Data – in Section 21 of the DPA, provides an example. It imposes standards for processing personal data and sets specific rules when security breaches occur, including those caused by hackers. For example, data controllers will be required by law to file a report with the information commissioner “within 72 hours after becoming aware of the breach, and among other things, provide information about the measures taken or proposed to mitigate the adverse effect of the breach”.

Additionally, data controllers will be required to notify each data subject whose personal data has been affected by the breach. Non-compliance with these rules will result in monetary penalties.

Raf Sanchez, head of cyber services Beazley, owners of specialist insurance syndicates at Lloyd’s, wrote on February 8: “Organisations today face a sophisticated, well-funded and innovative criminal landscape, where significant financial gain with negligible risk of being caught is the prize. For organisations grappling with privacy and cybersecurity laws, regulations, and standards, a well-executed cyberattack can swiftly bring them to their knees if steps are not taken early on to ensure a robust cyber risks profile is in place”.

If Northern Caribbean University were a private educational institution in which I owned shares, I would not be satisfied with the anodyne statement that was put out last Wednesday about the recent ransomware attack, given the gloomy forecast among experts that the frequency and impact of cyberattacks will continue to increase.

Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com or business@gleanerjm.com