CYBER SECURITY REGULATIONS
Introduction
In the recent past, financial institutions have faced many cyber-attacks that threaten their operations. This calls for tight mechanisms that raise the level of cyber security. Among the numerous financial institutions, commercial banks are especially vulnerable to cyber-attacks because the products they offer are in direct contact with the public. Bank management therefore anticipates a pattern of cyber-attacks which, unless checked, may generate cyber risks of a catastrophic nature.
Not many countries have strong regulatory mechanisms to combat the challenge. The few countries which do have strong mechanisms to combat cybercrime include Singapore, the United States and the United Kingdom.
Cyber security
There is a general need to regulate cyber security frameworks because of the unique nature of cyber risks and their evolution. Cyber security regulations consist of directives aimed at safeguarding information technology and computer systems, requiring companies and organizations to protect their computer systems and information from cyber-attacks.
The cyber-attacks include phishing, denial of service attacks, viruses, Trojan horses, unauthorized access (which comprises stealing intellectual property or confidential information), worms, and control system attacks.
Regulatory oversight of cyber security
Scholars hold varied opinions on the need to regulate cybercrime. One view holds that cybercrime evolves with advances in technology, and that cybercrime issues can therefore be regulated by the already existing laws relating to modern technology. A contrary opinion holds that a strict regulatory structure is needed because of the uniqueness of cyber crimes and the increasing threats associated with the heavy digitization of the financial sector. Two approaches can be employed when implementing a regulatory mechanism for cyber security. The principles-based approach involves the affected financial institutions identifying the information that requires cyber protection. The financial institution's resilience and vulnerability to cyber risks need to be tested. Abnormal and unprecedented cyber activities need to be reported. The institutions need unambiguous accountability and responsibility measures as important ingredients of their cyber security arrangements.
The other approach is the supervisory approach, which argues that bank cyber security is still evolving and that its effects therefore need to be assessed. By and large, there is strong convergence towards implementing the threat-informed approach, in which simulated cyber-attacks are used to determine the extent to which the financial institution has implemented cyber security.
Whichever approach the institution takes, it should have the sole objective of ascertaining the cyber security of the firm. A key challenge that many institutions face is identifying and retaining cyber security experts. Not many people have delved into this area, and as such the required personnel are in high demand.
Cyber security has been of much concern to many governments world over. It poses ominous threats to the working patterns of many organizations which at times lead to disruptions in the patterns of operations. Many firms have shut down because of cybercrime, a situation that calls for stringent regulatory mechanisms to combat it.
Governments have an obligation to establish boards with a mandate to protect corporate assets. These include confidential information, information relating to proprietary regulations, and the goodwill and reputations of the organizations concerned. The boards also oversee the systems put in place by management to identify, mitigate and manage risks for the organization. Although many company boards have shown a lack of preparedness in combating cybercrime, it falls within their purview to ensure the cyber environment is secure. It is debatable whether the boards have the requisite knowledge and preparedness to handle cyber security; they need to rely on expert advice in tackling such issues. Just as directors take remedial measures to tackle other issues that affect business operations, they should use the same approach when handling cyber security issues, as these may in the same vein affect the smooth operation of the company, which inevitably affects its performance and hence its profitability. A good approach should avoid dwelling only on technical issues at the expense of mitigating factors. There should be efforts to address policies and the processes involved. The board needs to make concerted efforts to educate its personnel on cyber security matters to ensure compliance, and to allocate appropriate resources for such purposes. This implies that the board needs an in-depth understanding of the types of cyber security risks that the company faces. These risks differ from one company to the next, depending on the nature of the business involved. The cyber security board then needs a clear understanding of the policies and control measures that management has put in place to help in the identification, mitigation and management of cyber security risks, and of the kind of response expected when such incidents occur.
There must always be adequate oversight of the disclosures, their controls and procedures.
Current oversight boards and their sufficiency
In the recent past, data security has become a matter of grave concern for firms, to the extent that it has led to corporate crises causing regulatory, financial, reputational and litigation harm to the companies. Boards need to be swift in their actions against cybercrime, as waiting until it occurs is too late and does not amount to adequate oversight preparedness. Cyber security issues have continued to become more complex, and there is therefore a need to understand the legal and regulatory environment, as the actual threats keep on metamorphosing, leading to a great deal of uncertainty. The boards should also understand the legal implications of these threats.
In the United States of America, the Federal Trade Commission (FTC) is a regulatory body whose mandate is to protect consumers and promote competition. The Consumer Financial Protection Bureau (CFPB) is an independent agency of the US government responsible for consumer protection in the financial sector. These regulatory bodies have championed data security enforcement actions. The FTC has in the recent past brought many cases against several companies with allegations of unfair business practices and actions bordering on data breaches. The CFPB, for its part, brought its first data security enforcement action against a firm for giving false information to its customers concerning its data security and the safety of its online payment protocols. In addition to the two regulatory bodies, the Gramm-Leach-Bliley Act (GLBA) was established to ensure personal information is protected. According to the regulations of the GLBA, financial institutions must develop safeguards to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer (Johnson 12). Against this backdrop, the regulatory bodies have issued directives on cyber security risks and cases that clearly highlight the role of the board in the management of cyber security risks (Shackelford 305). Investors also need to assess the extent to which the board manages cyber security issues. Policies and procedures need to be put in place that ensure timely notification of incidents of cybercrime and that prevent trading by management on non-public information regarding incidents of cybercrime experienced by the company.
Many companies have also faced investigations by government attorneys for violating data regulations. Government attorneys investigated Equifax for breaching data protocols. Other acts, such as the Health Insurance Portability and Accountability Act, also mandate the protection of certain kinds of data and may give rise to liability in certain cases. Such legal and regulatory requirements are common in many jurisdictions, and businesses the world over need to be aware of them and comply.
Additional cyber security controls
As the world becomes more interconnected as a result of advances in technology, companies must come up with ways to ensure their own and their customers' information is protected. Advances in social media and related applications have turned the world into a global village. The use of social media among companies has increased, and so have the cyber threats associated with such usage. Frequently used social networking sites have become fertile ground for cybercriminals to harvest personal information and steal private data. Social media attackers have used people as bait to obtain the types of information they require. People have also become gullible to the extent that they easily give out valuable information without much caution. Although social media cyber crimes are on the increase, the platforms offer companies such an opportunity for information sharing and marketing that companies cannot easily detach themselves from such sites. Companies must therefore develop strategies for what information should be shared, how to analyze information from social media in a useful way, and how to establish long-lasting security solutions that keep them clear of such threats. Social media must be handled with caution, using the correct policies and other technological precautions. The practice of requiring a user name and password must always be adhered to, as it is a basic way of protecting information and avoiding cybercrime. Any file from the internet should always be verified before being downloaded, as some may come from sites that pose threats not only to personal data but also to the machines used in the process. Companies must also invest in malware scanners so that all documents in a system are properly scanned for viruses, worms and Trojan horses. Firewalls must also be installed to help screen out intruders, viruses and worms that may invade the system.
Installing anti-viruses is a basic protection measure that a company cannot afford to ignore.
Cyber ethics is another critical factor in arresting cyber risks. It is the code of conduct for using the internet in a disciplined and safer manner. The internet should be used for good communication between people, governments and companies. Bullying others over the internet should be avoided. It is always necessary to use the internet responsibly and legally. Sending malware to other systems and corrupting them is unethical. Stealing passwords and operating other people's accounts is a common occurrence which should be avoided. People should avoid sharing personal information for unnecessary purposes. Adhering
From the angle of the regulatory boards, cyber security should be viewed as a threat to the whole company, its processes and its operations, and not just as a challenge for information technology. There is also a need to thoroughly understand the legal implications of cyber security threats as they relate to the company as a whole. Adequate time should be devoted to discussing cyber security issues during board proceedings, with good access to the relevant experts. Cyber security risks should be discussed with management in a bid to find mitigating measures to combat them.
Conclusion
Many countries have regulations that govern cyber security. These existing laws, at both national and international levels, differ in content, in the extent of implementation and even in the punitive measures used to combat crime. There is also variation in the powers vested in the regulatory bodies, the evidence required and the degree of cooperation among countries. Measures are needed to ensure that laws governing access to the internet are not abused and are in tandem with human rights and the rule of law operating in a particular jurisdiction. The need to regulate cyber security frameworks, given the unique nature of cyber risks and their evolution, cannot be overemphasized.
Works Cited
https://www.ncc.gov.ng/thecommunicator/index.php?option=com_content&view=article&id=899:a-summary-of-the-legislation-on-cybercrime-in-nigeria
https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11
https://www.ffiec.gov/cyberassessmenttool.htm
https://www.bis.org/cpmi/publ/d146.htm
Johnson, Emory R., G. G. Huebner, and G. L. Wilson. “Transportation.” Economic Principles, (2000).
Shackelford, Scott, et al. “Toward a Global Cybersecurity Standard of Care?: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices.” Texas International Law Journal, vol. 50, no. 2/3, University of Texas, Austin, School of Law Publications, Inc., Apr. 2015, p. 305.