SEC developing policy, regulatory responses to emerging cyber risks, says DG

CSCS, industry leaders proffer solutions
The Securities and Exchange Commission (SEC) is developing policy and regulatory responses to emerging cyber risks, its Director-General, Lamido Yuguda, has said.

Also, the Central Securities Clearing System (CSCS) Plc, Nigeria’s premier Central Securities Depository (CSD), has reinforced its commitment to proffering sustainable solutions to the alarming rise in cybersecurity threats to individuals, institutions and governments in Nigeria and around the world.

These were disclosed yesterday in Abuja at the fourth CSCS Cybersecurity Conference with the theme: “Future of Cybersecurity: Emerging issues and solutions,” which coincided with the organisation’s 25th anniversary as a Financial Market Infrastructure (FMI), providing depository, clearing and settlement of all financial assets across all recognised exchanges in the Nigerian capital market.

Yuguda, who was represented by Executive Commissioner, Operations, Dayo Obisan, stressed that the Commission has made clear provisions for cybersecurity in strict compliance with its rules and regulations on capital market activities and products that leverage technology, as well as in the minimum operating standards for capital market operators.

He hinted that the creation of the Data Protection Bureau (NDPB) in February 2022 underscored the importance the Federal Government attached to data protection.

He said the NDPB had issued a Compliance Notice, introducing the National Data Protection Adequacy Programme (NaDPAP), which guarantees Nigerians a right to privacy.

“Therefore, awareness and action at the national level should spur the various sectors of the economy to protect themselves from cyber threat by ensuring that they adhere to either industry standards or national policy carefully,” he submitted.

Yuguda said in recognition of the role technology would continue to play in the markets, SEC will soon release its guidelines on minimum operating standards for Information Technology (IT) for Capital Market Operators (CMOs).

He clarified that the guidelines would cover computing environment, information technology/information systems management and governance, IT business continuity and disaster recovery.

The SEC boss added that the Commission, through the guidelines, would encourage the establishment of an Information Security and Cybersecurity Policy to be in place to form part of the Enterprise IT Policy of capital market intermediaries, platforms and other financial market infrastructure.

According to him, within the guidelines, SEC expects stakeholders to conduct regular penetration tests at least yearly to detect vulnerabilities and check the resilience of their networks and systems to threats and malicious activities.

While admitting that cybersecurity is a critical issue for the financial sector, he assured that the capital market is up to the task of ensuring that it provides the necessary safety nets for investors and stakeholders.

On his part, Chairman, Board of Directors, CSCS, Oscar Onyema, who spoke on “The future of cybersecurity: Emerging issues and solutions”, which was the theme of the conference, held that as technology continues to revolutionise the financial markets and advance prosperity across most economic sectors, it comes with the scary baggage of cybercrime.

According to Cybersecurity Ventures, global cybercrime is to grow by 15 per cent yearly, reaching an estimated $10.5 trillion by 2025, up from $3 trillion in 2015, representing one of the greatest transfers of wealth in history, with an economic impact that is exponentially larger than the yearly loss due to natural disasters and more profitable than the global trade of all major illegal drugs combined.

Onyema said these figures lead criminals to make significant investments in new technologies to exploit the opportunities arising from technological advancements, noting Nigeria is not left out of the threats.

He maintained that the increasing trend of cybercrime is perhaps more alarming than ever, as it has become an organised crime, sometimes purportedly backed by state actors.

Onyema pointed out that from the common cybercrime tools like smishing, vishing and phishing to the more sophisticated approaches like DDoS, cross-site scripting and ransomware, the impact of cyberattacks is no longer remote, given the interconnectedness of systems.

He added: “It only takes one weak link to shut down an entire ecosystem. Nobody wants to be that weak link that exposes the vulnerability of our ecosystem. This system vulnerability is being reinforced by the increasing adoption of Application Programming Interfaces (APIs), open banking and other liberal technologies that foster efficiency and liberal data exchanges within the remit of tolerable disclosures and global data protection regulations.”

He faulted the argument that the best way to protect the system is, perhaps, to avoid interconnectivity of systems, stating: “I am not sure that solves our problem and, indeed, that is like going back to the Stone Age. We should not deny ourselves the opportunities offered by air transportation because plane crashes can be catastrophic; rather airlines, airports, passengers and all other stakeholders in the ecosystem should take relevant precautions and play active roles in ensuring the safety of the system.”

He lamented that most boards and executives of private and public institutions, who are on the receiving end of these attacks, have not paid enough attention to information security and cybercrimes as cybersecurity often ranks low on many institutions’ lists of priorities.

Onyema continued: “With limited investment in securing ourselves and the broader ecosystem, it has become very easy to benefit from perpetuating this crime.”