FSC drops the ball
The news gods told me to write about cyber risks today. My first article on the topic, a two-part piece titled ‘Many Risks Lurk in Cyberspace’, was written on January 1, 2010. Five more followed. The most recent, ‘Cyber Protection is Everybody’s Business’, was published last October.
This column, I suspect, for some reason, is not on the reading list of the folks in the insurance division of Financial Services Commission. However, I’m a regular reader of the commission’s in-house magazine, The Invested.
The regulator, insurance companies, agents, and brokers are in the risk-management business. Managing cyber threats, among other risks, should, therefore, be part of the FSC’s DNA.
The commission, according to its 2018-19 annual report, developed an enterprise risk-management framework in 2014. The aim was to “take a proactive approach to risk management”. There was no evidence in the report that cyber threats were identified as one of the critical operational risks facing the commission and its licensees.
McKinsey and Company said in a recent publication that “adversaries — no longer limited to individual actors — include highly sophisticated organisations that leverage integrated tools and capabilities with artificial intelligence and machine learning. The scope of the threats (are) growing, and no organisation is immune”.
The commission’s public disclosure about its ‘cyber event’ suggests to me that it was caught flat-footed. According to the Jamaica Observer, when it reached out to the FSC’s director of communications, David Geddes, about having some public engagement, he replied, “There are no plans at this time to hold a press conference or media briefing. We are in the midst of an investigation. We are communicating with our licensees and stakeholders.”
That statement, if accurate, presupposes that communicating with the media is not part of the commission’s strategy to manage the cyber event; that the media is not a stakeholder; and communicating with licensees and stakeholders, to the exclusion of the public, via the media, is in the regulator’s best interest.
This newspaper’s September 11 report about the incident stated that the cyberattack appears to have been a graver cause for concern than first acknowledged by the entity that oversees the regulation of Jamaica’s insurance, pensions, and securities industries. Reports indicated that the commission has lost almost all its data that was hacked and encrypted. The hackers also demanded a ransom and provided a link to a site with instructions on how the ransom should be paid.
Multiple sources told The Gleaner that so widespread is the cyberattack that even the phone system at the commission has been affected. “Internal calls can be made but calls from the outside or being made to outside lines do not get through,” one source said. The FSC brought in overseas consultants who worked over the weekend to try to get the commission back online.
It was not expected that the FSC’s internet system will be back up and running until later this week. Along with files reportedly being compromised and Internet service and the phone system being affected, even payments to staff have been impacted. The Gleaner understands that even if the files are recovered, they may be useless. “Backup paper files as well as files that were not on the hacked system may be useful, but all files hacked and encrypted will be of no use,” one of The Gleaner’s sources said.
It was not immediately clear what type of files were primarily affected, but the FSC officials with whom The Gleaner spoke described the situation as a “disaster”.
The regulator appears not to have learned from the SSL d?b?cle. It seems unaware that the lack of a well-thought-out communications strategy, post-cyber event, will harm its reputation. There is evidence to support this claim.
“The lack of a thorough update,” according to the Observer, “has brought serious enquiries by members of the public and onlookers who question the extent of the damage which has happened at the regulator”.
FSC’s response is in stark contrast to those of publicly-listed, local company Derrimon Trading. Its systems were breached on August 28 and were restored within 48 hours. The company says it has since strengthened its data protection systems, implemented cutting-edge software, and added more stringent procedures.
“We recognise the concerns raised in the wake of the recent network breach and assure all stakeholders that we take this matter with the utmost seriousness and have implemented immediate and decisive steps to address it. Our unwavering commitment to safeguard our network, as well as ensuring the security and privacy of our stakeholders, remains paramount. We deeply regret any inconvenience in our operations this incident may have caused and pledge to continually invest in upholding the highest cybersecurity standards,” said the chief executive officer.
Notably, the FSC’s new executive director was missing in action. Where are the reassuring words from FSC Chairman Richard Byles? Does FSC carry cyber risk insurance?
Today’s article ends with words I wrote on May 30, 2021:
Many experts, including Sean Thorpe, head of University of Technology Jamaica’s School of Computing & Information Technology, say that to help prevent attacks, businesses need to make cybersecurity a top priority. Working with cybersecurity experts to conduct a risk assessment, holding consistent training for employees, and conducting quarterly testing of internal and external networks can help make organisations less vulnerable to attacks. For smaller companies that may not have the resources to retain the services of an expert, Joseph Steinberg’s book, Cybersecurity for Dummies, is an excellent place to start.
Ted Ginnis, content specialist at the Global Association of Risk Professionals in New Jersey, wrote in February 2021, that while “there is no silver bullet for eradicating cyber risk, cybersecurity insurance can help protect against the financial fallout from cyber incidents – including data breaches, network damage, business interruption, legal fees, and even ransom payments. When a covered event occurs, the insurer assesses the damage and either pays out or arranges for vendors to assist the policyholder in restoring its business. Like any form of insurance, the language of the policy dictates whether an event is covered and, if it is covered, the required compensation”.
Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com or business@gleanerjm.com