4 months ago
27
The Jamaican Government created an information and communications technology authority. Its mission is to provide a single voice (also known as the leadership) and framework to improve the delivery of information and communication services across the public sector.
The organisation, which was established by The ICT Authority Act 2019, began operation this year.
The ICT Authority’s functions include: a) developing and implementing a national ICT strategy that is in alignment with the country’s development goals; b) establishing and enforcing ICT policies, standards, and guidelines to ensure the effective and efficient use of ICT resources; c) providing shared ICT services to government ministries, departments, and agencies, to improve efficiency, reduce costs, and enhance service delivery; and d) promoting digital transformation across the government.
Items c) and d) increase the potential impact of illegal intrusions. If one part of the digital system is compromised, it can expose sensitive information across multiple organisations, cause disruption, and trigger actions for infringement of privacy rights. The Data Protection Act imposes onerous duties on large and small organizations to responsibly handle personal information.
Natural disasters like hurricanes Beryl and Rafael, and the creation of financial buffers to minimise the impact of shocks to the local economy were discussed during the recently concluded and earlier budget debates. There were, however, no references to cyber risks or jokes about the paternity of risk mitigation or financing strategies in this year’s debate.
Threats to ICT infrastructure and disruption caused by the actions of foreign and domestic cyber-criminals and other bad actors can mess up government and private sector operations. The World Economic Forum’s Global Risks Report 2025 listed cyber threats and technological risks as two of the six key risks that face governments and the private sector.
Nature of the threat
Other sources say that globally, governments and companies are dealing with:
• Ransomware attacks: cybercriminals encrypt data and demand payment for its release;
• Phishing: fraudulent attempts to steal sensitive information via email or other communication channels;
• Supply chain attacks: targeting vulnerabilities in suppliers to infiltrate larger organisations; and
• Artificial intelligence-driven attacks: using AI to create more sophisticated malware and phishing schemes.
The March 30 Sunday Gleaner article about a recent cybersecurity incident at Access Financial Services should not be seen in isolation from events that have occurred locally and overseas.
Other sources say that local cyberthreats have been significant. These include the targetting of businesses of all sizes by way of ransomware and malware; unauthorised access to sensitive information; and targetted attacks where cybercriminals focus on specific industries, such as finance and healthcare.
Ransomware is a type of malicious software or malware that locks or encrypts data and files, making them inaccessible. The attackers then demand a ransom payment to restore access. It is like being held hostage, but in the digital world. Pay up or lose your data!
Malware refers to any software designed to harm or exploit computers, networks, or devices. It includes viruses, worms, Trojans, spyware, ransomware, and more. It is a collective noun for all the nasty digital threats.
Sources say that Jamaica experienced 4,908 attempted cyber-attacks every hour during 2023.
That metric can be compared to data in one of my earlier articles, ‘Cyber Protection is Everyone’s Business’. It quoted one source that said, “Since January 2009, local police authorities have received 10 to 15 cyber-related complaints per month.”
While the number of attacks has declined, they have become more targetted. The average cost of a data breach in 2024 globally was US$4.88 million. The impact can therefore be damaging, and often leads to significant operational disruptions.
Cyber catastrophe
Other local companies have suffered from the activities of cyber-criminals. Here is a small sample.
A former Jamaica Bankers Association head said in May 2019 that hackers were “siphoning off $4 million monthly” from local banks. A regional telecoms provider said a customer survey conducted in Barbados, Jamaica and Trinidad & Tobago found that hacking – the unauthorised access to or control of computer network security systems – spiked during COVID-19. Jamaica National Group reported a ransomware attack. Organisers of the Montego Bay entity, Build Expo & Conference, were threatened unless they paid a ransom of US$3,000 to hackers. Insurance companies ICWI and IronRock reported cyber-attacks last year.
Deloitte Centre for Integrated Research said in a 2023 article that cyber-security threats and incidents differ by region, and that in October 2022, a ransomware incident in Anhalt-Bitterfeld, Germany “forced the regional authority to declare a state of disaster, shut down citizen-related services for 200+ days, and describe it as the country’s first cyber catastrophe”.
Cyber insurance
Business continuity planning, or BCP, is a process of preparing strategies and actions to ensure that an organization can continue operating effectively during and after unexpected disruptions. These disorders could include natural disasters, cyberattacks, equipment failures, or other emergencies.
The goal of BCP is to minimise downtime, protect assets, maintain critical functions, and ensure the safety of employees and customers. The process involves:
• Risk assessment: identifying potential threats and vulnerabilities;
• Organisation impact analysis: understanding how disruptions would affect operations;
• Recovery strategies: developing solutions to restore systems, processes, and communication; and
• Training and testing: training staff on their roles and evaluating the plan regularly to ensure effectiveness.
A strong BCP helps organisations stay resilient, safeguard their reputation, and reduce financial losses.
Cyber insurance policies are available and can provide financial protection for businesses and other organisations. These policies typically cover data recovery costs, legal fees, business interruption losses, and ransom payments under strict conditions. Munich Re, a huge player in the global cyber-insurance industry, said earlier this month that “in today’s technology-dependent world, organisations can only be successful if they strengthen their digital defences with robust, multi-layered risk management. Cyber insurance is an effective component in this approach”.
Digital transformation is a process by which organisations integrate technology into their operations, culture, and services to fundamentally change how they operate and deliver services.
This is one of the goals of government and local businesses. Managing the risks associated with the process must be part of the national conversation and board room discussions. Scotiabank recognises this. It published an ad in this newspaper last Sunday offering free cyber-security training for residents of Jamaica and Trinidad.
Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com or business@gleanerjm.com
English (US) ·