Jamaica a sitting duck!

KPMG, the highly regarded global auditing firm, has warned that only a paltry 20 per cent of Jamaican companies are paying attention to the serious business of cyber security, leaving the country at the mercy of cyber attackers.

The company, which has a wide range of experience in providing insight about cyber security at the boardroom level, made the startling revelation in the just-published results of its recent research into cyber security reporting in the annual reports of 800 companies across 28 countries.

The breakout of the Jamaican component of the research did not cover threats, risks, countermeasures and risk appetite, the company said, noting that had it done so, the results for Jamaica would have been worse.

“Our research shows that security awareness and privacy were the only cyber security topics mentioned in the annual reports of the companies surveyed in Jamaica. Forty per cent of surveyed companies reported on privacy and only 20 per cent on security awareness.

“The industries comparison has the financials and telecommunications industries leading, but reporting is limited to a few sentences or one paragraph,” KPMG said.

Cyber security has taken on urgent significance, following the hacking of emails of Democratic Party personalities during the 2016 United States presidential elections, which has led to contentious congressional investigations into alleged Russian collusion with the Donald Trump Campaign.

Following are the KPMG findings on Jamaica, which were issued as part of a press statement Thursday.

While we believe that cyber security is of serious concern to the listed companies on the main stock exchange in Jamaica, the disclosure of cyber security efforts is yet to mature. In the absence of a robust legislative framework and with no specific requirement from regulators, firms are free to determine how they manage and report on cyber security governance.

Increasing cyber security threats in Jamaica, improving awareness of citizens as well as pending legislation on data protection, should drive local organisations, including the Government, to have cyber security as a main governance item on the boardroom agenda.

The main results of the research are as follows.

• Board responsibility in Jamaica (50%) is reported as better than the Caribbean (11%) and All companies surveyed (20%).

• Cyber security as a topic in the annual report is mentioned as either a sentence or a full paragraph in fifty per cent (50%) of Jamaican companies which is on par with All companies surveyed and higher than the Caribbean.

• Privacy and security awareness are the only cyber security topics mentioned in the annual reports.

• The financials and telecommunications industries led the way in cyber security governance.

Note that we have not reviewed whether each company covered threats, risks, countermeasures and risk appetite. The results would have been worse. We have only considered boardroom responsibility for cyber risk if it is explicitly addressed in the annual report.

Like the rest of the world, there is much scope for improvement in the reporting on cyber security governance and in the explicit recognition of board level responsibility for cyber security. Fifty per cent of companies in Jamaica did not mention cyber security at all compared to 56% for All companies surveyed. No Jamaican company wrote more than a paragraph which is below the total population figure of 12.45%.

Board responsibility in Jamaica was reported at a high of 50%, which dwarfs the Caribbean results of 11% and the All companies surveyed results of 20%.

Across the industries represented, financials and telecommunications reported highest on mentioning cyber security and on boardroom responsibility. Consumer goods followed the leader on boardroom responsibility. The consumer services and industrials industries made no mention of cyber security or boardroom responsibility.

In Jamaica, cyber security is still transitioning from an IT-only issue to a standing board agenda item. Several companies still view cyber security through a narrow lens of penetration testing rather than building cyber resilience from a governance perspective.

ICS/SCADA is not a surprising absentee as the population does not include any of the manufacturing entities and users of industrial control systems. The reasons for the absence of security monitoring, threat intelligence and vendor risk management are not clear. With new threats of ransomware, these aspects will need to move from the purview of the IT specialist to that of the board. Training of board members on management of cyber risk will assist.

Companies in Jamaica should be aware of key legislation including:

• Data Protection Act (pending)

• Cybercrimes Act (2015)

Data Protection Act

The Data Protection Act (DPA) is expected to be tabled in Parliament in the 2017/18 legislative year. The DPA is being drafted with the intent to safeguard, in general, the privacy of individuals in relation to personal data as well as govern the collection, regulation, processing, keeping, use and disclosure of certain information in physical or electronic form.

Cybercrimes Act

The Cybercrimes Act (2015), which seeks to address computer specific offences, was passed in Parliament on October 13, 2015, with two amendments. The new Act replaced the 2010 legislation, and incorporates new offences such as computer-related fraud or forgery; the use of computers for malicious communication; and unauthorised disclosure of investigation. It also addresses the use of the computer for malicious communication.