‘Be transparent’!
WITH a rise in the number of local entities being subject to cyberattacks, cybersecurity analysts are encouraging affected firms to be transparent with their stakeholders and the public as the broadening impacts become more pronounced in everyday activities.
The Financial Services Commission (FSC) is one of the latest firms to have been affected by what it described as a ‘cyber event’. It made the announcement last Wednesday where it noted that it was engaged with a team of cybersecurity experts from the Jamaica Cyber Incident Response Team and Major Organised Crime and Anti-Corruption Agency (MOCA).
While the FSC has not detailed the impact on its operations, a Jamaica Gleaner article published on Monday chronicled several details, including that data had been encrypted and a ransom requested. Even e-mails sent to FSC employees bounced, with the regulator providing a different number for persons to make contact.
When the Jamaica Observer reached out to David Geddes, FSC director of communications, about the regulator having some public engagement forum, he replied, “There are no plans at this time to hold a press conference or media briefing. We are in the midst of an investigation. We are communicating with our licensees and stakeholders.”
The FSC sent out an update yesterday to stakeholders that it is working on restoring seamless communication with all stakeholders and that all reports must be filed by hard copy at its Barbados Avenue office with immediate effect.
The lack of a thorough update has brought serious enquiries by members of the public and onlookers who question the extent of the damage which has happened at the regulator. One cybersecurity analyst mentioned that the timing of the attack was coincidental as the FSC continues its investigation into Stocks and Securities Limited (SSL). He also mentioned that it is odd no group has claimed the attack on the financial services regulator.
Another American cybersecurity analyst commented, “What I’d say is the FSC should be transparent with the people about what happened, what has been affected, how they plan to recover and how they plan to ensure it never happens again. They should put controls in place and do regular penetration tests and fix the findings. The most important thing is transparency. Everyone gets hacked eventually but transparency builds trust.”
The FSC regulates the insurance, securities, and pension segments of the Jamaican financial sector. Thus, it holds sensitive information on several licensed firms, including possible breaches, capital adequacy issues, detailed information on fit and proper persons, and documentation related to private companies which would have raised funds in the private capital markets. The breach has also slowed the processing of products, public offerings and other material events that were already under way.
Mayberry Investments Limited and Massy Holdings Limited are some of the most recent publicly listed companies to acknowledge that they faced cyberattacks over the last two years. Even Mailpac Group’s technology partner Aeropost Inc saw its systems compromised in April 2022 in an event that was widespread across the region.
MGM Resorts International’s computer systems were crippled over the weekend as a cybersecurity issue resulted in guests being unable to enter hotel rooms, slot machines going dark and the company website being unavailable. The Federal Bureau of Investigation (FBI) is investigating that event with other firms like Microsoft explaining recent events around Azure.
Derrimon Trading Company Limited publicly noted on Tuesday that its systems were breached on August 28 and that it was able to restore its systems within 48 hours. Derrimon has since strengthened its data protection systems, implemented cutting-edge software and added more stringent procedures.
“We recognise the concerns raised in the wake of the recent network breach at Derrimon Trading Company Limited and assure all stakeholders that we take this matter with the utmost seriousness and have implemented immediate and decisive steps to address it. Our unwavering commitment to safeguard our network, as well as ensuring the security and privacy of our stakeholders, remains paramount. We deeply regret any inconvenience in our operations this incident may have caused and pledge to continually invest in upholding the highest cybersecurity standards,” said chairman and CEO Derrick Cotterell in the release.
ALPHV, Play and Cl0p ransomware groups have all claimed attacks on Jamaican businesses recently with an Ocho Rios hotel also being the victim of another group.
Even with the number of high-profile businesses being targeted, different cybersecurity firms have explained that there hasn’t been an influx of new clients seeking clarity or how to bolster their systems.
“Companies don’t like to report and draw attention to themselves as it relates to these kinds of things until it’s a dire situation. They don’t call you to be brought in, they call you when there’s a problem. So, it’s when they have been attacked, breached and compromised that they call you. What we’ve seen an uptick of is companies calling to help them become compliant for the DPA and that is because there will be consequences if you’re not compliant,” said CEO of 876 Technology Solutions Trevor Forrest in a call with the Business Observer on Friday.
The Data Protection Act (DPA) is set to come into force on December 1, but Forrest doesn’t believe that many firms will be ready for the implementation. With respect to being proactive on cybersecurity, Forrest noted that education is critical as the impact of cyberattacks tops US$7 trillion.
“One of the things that the Data Protection Act will force companies to do is to make the investment in protecting the data they are in custody of. However, that will take some time because the Act goes into effect December 1, but I don’t think many companies or people who own companies understand the extent of the impact of that piece of legislation and the impact it will have on their business to become compliant. The regulations for the Data Protection Act are not promulgated yet. So, full enforcement of that legislation will not happen by December 1 in my estimation,” Forrest added.
Forrest referenced the National Cybersecurity Strategy and its four pillars of legislation, capacity building, public awareness and technical measures, with emphasis that more focus should be placed on the second and third pillars. Cyberattacks present significant danger to the public, both because phishing attacks can be carried out using personal information and because of the impact they have on critical infrastructure like hospitals, telecommunications and other services.
“It is to be expected. Over two to three years ago, people like me, and a couple of others, have been saying that the attacks would be increasing because we saw the trends. In seeing the trends and understanding the current state of security and how business, public and private sector have not properly invested and taken [cyber]security seriously. I’m not of the view that enough is being done at a national level to make people aware,” Forrest closed.
Cybersecurity tips for companies:
1) Keeping operating systems up to date.
2) Keeping sensitive data on hardened systems and limiting access to only those who require it.
3) Regularly auditing access to sensitive data and removing access from users that don’t have a business reason for accessing it.
4) Getting regular penetration tests and fixing the findings.
5) Creating backups that can’t be overwritten or modified by your users and testing the recovery process regularly.
6) Installing EDR (endpoint detection and response) and anti-malware software.
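Tip 3 above, regularly auditing who holds access to sensitive data and revoking access that has no business reason, is the one most often done by hand. The script below is an added illustration, not code from the article or from any of the firms named in it: it takes an access inventory in a constructed CSV layout (user, resource, recorded justification, last access date, approval expiry) and lists every grant an access review should revoke, with the reason for each. The column names, the 90-day staleness threshold and the sample records are all assumptions made for the example.

```python
"""Access review helper: flag grants to sensitive data that should be revoked.

Added example. The CSV layout, the 90-day staleness threshold and the sample
records are constructed for illustration; adapt them to your own inventory.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample inventory: one row per (user, resource) grant.
# An empty justification means no business reason was ever recorded;
# an empty last_access means the grant has never been used.
SAMPLE_INVENTORY = """\
user,resource,justification,last_access,approved_until
a.brown,licensee_filings,Supervision analyst,2023-09-10,2024-03-31
c.davis,licensee_filings,,2023-09-01,2024-03-31
e.frank,capital_adequacy_reports,Actuarial review,2023-04-02,2024-03-31
g.hall,fit_and_proper_records,Former HR contractor,,2023-06-30
"""


@dataclass
class Grant:
    user: str
    resource: str
    justification: str
    last_access: Optional[date]
    approved_until: date


def parse_inventory(csv_text: str) -> List[Grant]:
    """Parse the CSV inventory into Grant records (ISO dates, blanks allowed)."""
    grants = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["last_access"].strip()
        grants.append(Grant(
            user=row["user"].strip(),
            resource=row["resource"].strip(),
            justification=row["justification"].strip(),
            last_access=date.fromisoformat(last) if last else None,
            approved_until=date.fromisoformat(row["approved_until"].strip()),
        ))
    return grants


def review_access(csv_text: str, today: date,
                  stale_after_days: int = 90) -> List[Tuple[str, str, List[str]]]:
    """Return (user, resource, reasons) for every grant that should be revoked.

    A grant is flagged when any of the following holds:
      * no business justification is recorded,
      * the approval has expired,
      * the access has never been used, or
      * the access has not been used within `stale_after_days`.
    """
    findings = []
    for g in parse_inventory(csv_text):
        reasons = []
        if not g.justification:
            reasons.append("no business justification recorded")
        if g.approved_until < today:
            reasons.append("approval expired on %s" % g.approved_until.isoformat())
        if g.last_access is None:
            reasons.append("access never used")
        elif (today - g.last_access).days > stale_after_days:
            reasons.append("unused for more than %d days" % stale_after_days)
        if reasons:
            findings.append((g.user, g.resource, reasons))
    return findings


if __name__ == "__main__":
    # Review the constructed inventory as of a fixed date so the run is repeatable.
    for user, resource, reasons in review_access(SAMPLE_INVENTORY, date(2023, 9, 15)):
        print("REVOKE %s on %s: %s" % (user, resource, "; ".join(reasons)))
```

Run against the sample, a.brown keeps access (justified, approved, used five days ago), while the other three grants are flagged: one for a missing justification, one for ninety-plus days of non-use, and one both for an expired approval and for never having been used. In practice the inventory would be exported from the file server, database or identity provider that actually enforces the access, and the review output would feed the revocation tickets and be kept as evidence that the audit happened.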