An increasingly interconnected world has meant that, after decades of ‘flying under the radar’, there is now much greater transparency and knowledge globally of where Caribbean International Financial Centres (IFCs) are, what they do and who makes use of them.
Geographical separation is no longer enough to protect privacy. Cyberspace ignores borders and holds all territories in its embrace, the Caribbean included. Aside from clients, business partners and employees having heightened expectations of data protection, legislation that mandates obtaining proper consent and protecting personal information, regardless of where it may be stored or managed, is now conventional and routine. The lack of local data breach notification legislation across the Caribbean islands does not remove the need for organisations to notify residents of other countries in the event of a breach. Furthermore, penalties for not doing so can be severe. Under the EU General Data Protection Regulation (GDPR), for example, a data breach or abuse of consent can result in fines of up to 4 per cent of global revenues. The recent Panama and Paradise Papers breaches underscore the importance of security both for the organisations and firms managing wealth and for the clients they seek to protect.
What Caribbean IFCs Need to Do to Improve Cybersecurity
The good news is that the magnitude of the cyber risk has been recognised and action plans are being developed. The Caribbean Community (CARICOM), an organisation of 15 Caribbean nations, released its Crime and Security Strategy in 2013. Cyber risk received the highest classification (Tier 1 – Immediate significant threat).
A CARICOM cyber security and cybercrime Action Plan was published in 2016. The Action Plan sought to address the cyber security vulnerabilities in each participating Caribbean country so as to establish a practical harmonized standard of practices, systems and expertise to which each Caribbean country could aspire in the short or medium term. It was specifically noted that cyber security issues and cybercrime are borderless, and the plan is intended to serve as a platform for other Caribbean countries to collaborate with CARICOM Member States and Associate Member States.
Progress has been made on data privacy in a number of countries, with legislation either in place or in the process of being enacted. The legislation includes requirements for the protection of Personally Identifiable Information (PII), as well as reporting requirements in the event of a breach. To date, specific cyber regulations have only been a topic of discussion; recent data breaches such as the Panama and Paradise Papers have shown that the risk is very real and should further fuel the discussion and the resulting legislation.
It would, therefore, be more than prudent for those operating in IFCs to take action now rather than wait for regulatory frameworks. Given the significant increases in compliance costs and the increasingly competitive financial services environment, investments to mitigate cyber risk should be based on leading practices.
Leading practices are guiding organisations away from the panacea of perfect security in favour of getting ‘cyber defensible’. Cyber defensibility involves identifying sensitive information and services and implementing controls that safeguard it. In the event of an incident, organisations need to be able to demonstrate that they are able to efficiently protect or recover data and in so doing minimize impact.
Developing a Good Cyber Strategy
The implementation of cyber security controls can be complicated and costly, and developing a good cyber strategy should include more than just technological controls. With the growing awareness and popularity of the dark web, and underground marketplaces selling point-and-shoot malware that is reported to evade detection by security controls for under US$500, cyber security needs to be a much broader focus across an organisation and should encompass people, process and technology.
Strategies ought to position security as a strategic business enabler as well as address the appropriate security and privacy requirements. These requirements are driven by:
Regulatory, legislative and corporate policy requirements, and the commercial requirements mandated by contracts with clients and business partners.
Industry best practices that remain aligned with the outcomes of cyber-related litigation within the region, which is referred to as common law.
Thus, it becomes important for decision makers and management to understand the ways to implement an effective cybersecurity strategy and framework. Generally, the following aspects should be included:
1) Being secure, which means having risk-prioritised controls to defend information assets against known and emerging threats.
2) Being vigilant, which means having threat intelligence and situational awareness to anticipate and identify harmful behaviour.
3) Being resilient, which means being prepared and having the ability to recover from cyber incidents and minimise their impact.
The board should review and approve the security strategy as well as receive regular updates on how the organisation is setting itself up to be secure, vigilant and resilient.
‘Getting secure’ means leveraging your security strategy and sharpening your focus on risk-prioritised controls that operationalise protection across people, processes and technology. Attempting to build security without the core elements of a security programme is akin to building foundations on sand. Some of the key fundamentals that should be put in place are:
Vulnerability and configuration management: Many smaller organisations are running outdated or unlicensed software that cannot be patched against the latest cyber threats and therefore represents a material risk. Identifying operating system, application and network vulnerabilities and configuration exposures is essential to reducing your attack surface and improving design.
Mobile device management: As usage of mobile devices continues to grow across the Caribbean, so too will the transmission and storage of sensitive data on these untrusted devices.
Data encryption: Controlling access to sensitive information and encrypting it before it leaves organisational computers, whether to USB keys, the cloud or elsewhere.
Technical security controls: From anti-virus to unified threat management devices and next-generation firewalls, organisations should have security controls in place that can detect malicious activity across their computers and networks.
Third-party management: It is important to identify which third parties have access to your sensitive information. It is also essential to ensure that adequate security clauses are contained within the contract, so that suitable controls are implemented to protect the data entrusted to them and so that notification requirements apply in the event of a suspected incident.
‘Becoming vigilant’ allows organisations to develop a good understanding of what is happening across their business and industry, so that they can detect and respond to malicious behaviour or identify emerging risks that require further monitoring or mitigating controls. A primary output of security controls is data. It is not uncommon for organisations to receive millions of security events a month, each one a potential indicator of an active attack, and it is equally common for organisations to struggle to make sense of it all. Failing to identify the material residual risk that requires action often leaves them with a false sense of security.
Leveraging external intelligence is as important as monitoring the activity within your organisation. External intelligence can add context to internal alerts and ensure that you are aware of emerging risks and can proactively protect critical assets. Intelligence sharing should be bi-directional and include sharing security trends, successes and challenges with peers and the community.
Managed security services continue to be a popular solution for organisations looking to quickly deploy mature, industry good-practice security capabilities. IFCs should consider this option, especially if they have yet to make substantial investments in security event management systems, processes and dedicated security staff.
Becoming resilient involves establishing a crisis plan. IFCs are likely to have crisis plans for different forms of natural disaster, but cyber plans are rarely tested or have not been developed at all. A plan is critical and is a key piece in proving defensibility in the wake of a breach. Before developing or enhancing a plan, it is important to push the keyboard away and take time to identify the types of cyber incident your organisation is likely to experience. Too often plans are developed that are too generic and miss the key operating procedures essential to managing the incidents that frequently occur in an organisation. With a list of the incidents that are likely to be experienced, a plan can be developed that ensures those threats are adequately managed. To start, you can develop standard operating procedures for a ransomware attack and for a data breach, and introduce new operating procedures as your organisation matures.
Plans should extend beyond technology teams, encompassing stakeholders across the business, including legal, risk, privacy, business unit leaders and public relations/communications. Testing should be done at least once per year and include any external third-party providers. The devil is in the detail, and during an incident the stakes are high. The industry expectation is a near-flawless response, which puts pressure on you to ensure your organisation is effective in responding to and recovering from an incident.
IFCs are not immune to cyber-attacks and, on the contrary, can be a much richer and easier target than organisations in other industries. IFCs should demystify cyber security and develop a cyber defensible position that ensures they are doing an effective (not necessarily perfect) job of becoming secure, vigilant and resilient to cyber risk.
Brett Henshilwood, Partner
Kevvie Fowler, Partner (Cyber Risk)