FSCA and cybercrime — making sure the guard dog is guarded
The sweet spot in prevention is based on detection, response and recovery
The digital age is characterised by rapid change and the introduction of pioneering solutions that have the power to make a real difference. Unfortunately, with these innovative solutions comes increased exposure to cybercrime — a fact many South Africans are intimately familiar with, given that more than nine attempted attacks take place every second.
The truth is that no individual or business is immune to the possibility of an attack. Addressing this risk and the catastrophic consequences that come from it requires an intensive approach, something we as the Financial Sector Conduct Authority (FSCA) are aware of, take seriously and are investing in. As the authority responsible for regulating the way SA financial firms conduct themselves, we are required to stay ahead of the curve.
Our cybersecurity technology investments need to be targeted, business-driven, and focused on mitigating the threats and vulnerabilities of our current operations. Improving our ability to detect and respond to cyber threats swiftly is core to what we do. This thinking is important for us to avoid incidents of stolen intellectual property, lost customer data, crippling ransomware and other forms of cybercrime. This is why we have adopted a risk-based approach in our cybersecurity strategy, supported by a dedicated team that is charged with ensuring its implementation.
We are not oblivious to the risks brought by the pace of change as a result of our digital transformation journey and the balance we must strike on privacy concerns. Our information and security governance structures have been deliberately designed and embedded into our corporate governance structures to ensure the information, data, privacy and business risks are considered proactively and coherently.
This is not a silver bullet approach, but it’s a method we believe closes the gap between what is important to business, and proactively deploying effective cybersecurity safeguards that protect the FSCA and ensure we continue to serve the industry.
SA suffers high rates of digital crime, particularly in the financial services space, whether it’s in banking apps, online banking or mobile banking. The SA Banking Risk Information Centre has found that banking fraud incidents are on the rise, with the biggest threats coming from mobile banking, where there was a 64% increase in the number of incidents between 2017 and 2018 and a 7% increase on losses of R250bn.
Though the latest statistics are yet to be shared, we can expect that the risks have continued to grow and that cybercrime continues to be a significant threat to individuals, businesses and governments alike. This is because as technology and security advance, so too do sophisticated and cunning cybercriminals and attackers, making a breach more a case of when than if.
Prevention is better than cure as adequate preparation and security layers cushion the cost of a breach and enable quicker response and recovery. Cybercriminals take the time to study their potential victims, their business cycles and ways of working so they know the best time to attack. This means organisations need to anticipate and plan responses for possible attacks and implement incident reporting strategies accordingly.
As the sector’s conduct regulator, our systems require the necessary sophistication to protect us from systemic risks. We are continually studying global best practice to guide us and ensure that internal and external risk factors to the FSCA do not trigger other vulnerabilities in and to our system.
Some of the key factors constantly under review to limit data breaches are inadequate security technology, IT configuration errors, failure to fully implement purchased security products, data or information accidentally published through internal negligence, malicious insiders, physical loss and social engineering/phishing, each of which we aim to limit (and even negate where possible).
SA has a cybersecurity hub in place to act as the country’s national computer security incident response team. Its role is to consult, co-ordinate, disseminate information, provide guidance, promote compliance and create awareness.
While the hub is meant to be regulatory, it is waiting for the Cybercrimes Bill — which is before parliament — to be passed into law. Once passed it will allow the hub and the department of communication & digital technologies to adopt sub-legislation. This makes the passing of this bill imperative to foster prevention, detection, response and recovery.
Legislation is key in the fight against cybercrime. As it stands, the Financial Sector Regulatory Act defines the specific role the FSCA plays, including protecting and enhancing financial stability and, if a systemic event has occurred or is imminent, restoring or maintaining financial stability. We are also required to monitor status and take reasonable steps to prevent systemic events from occurring.
We have to detect attacks. Co-ordinated and concerted efforts to build cyber threat intelligence, information sharing, collaboration and incident sharing are needed for us to remain sustainable and visionary as a conduct regulator, applying the same methods in our own business as we would expect from those we regulate and protect.
Overall, though we are already investing extensively in preventing, detecting, responding to and recovering from cybercrime, we encourage increased cross-sector collaboration to put in place effective security measures so that South Africans can derive true value from the innovations of the digital age.
• Mogase is FSCA chief information officer.