By Aduragbemi Omiyale
The need for the development of a robust strategy on cyber risks to protect the funds of investors and boost market confidence has again been emphasised by the Director-General of the Securities and Exchange Commission, Mr Lamido Yuguda.
While presenting a paper recently at the Central Securities Clearing System (CSCS) Plc Cyber Securities conference, Mr Yuguda said stakeholders must urgently work on this policy because cyber risks pose a significant threat to market confidence, integrity and efficiency because people’s hard-earned income and other financial instruments are saved and invested in it.
“In the Nigerian capital market, we clearly take issues on cybersecurity very seriously due to the increasing volume of data and information that are stored electronically, coupled with the increased adoption of digitization and digitalization options in processing market transactions on a daily basis.
“Today, more of our market activities are conducted through the use of technology than ever before. While this has significantly raised efficiency levels, it has introduced our market’s exposure to a new set of risks, including cybersecurity risk, which we must recognize and manage,” he said.
The DG said that the experience of the COVID-19 pandemic, which necessitated the activation of business continuity plans through remote operations has further increased the rate at which stakeholders embrace technology and underscores the critical need to protect our systems from existing and potential threats that are present in cyberspace.
Mr Yuguda stated that cyber-attacks on financial institutions are often with the aim of gaining access to sensitive and confidential information for illicit financial gains. With the increased interconnectivity among financial institutions, a cyber-attack from one location or entity may have an impact on the entire system, thereby compromising the functions and safety of several sectors of the economy.
It is in this regard he stated that SEC appreciates the efforts of the federal government, through the Office of the National Security Adviser, in developing the National Cybersecurity Policy and Strategy 2021.
“The policy is focused on achieving its objectives through strengthening cybersecurity governance and coordination, protection of critical national information infrastructure, enhancing cybersecurity incident management, strengthening legal and regulatory framework, enhancing cyber defence capability, promoting a thriving digital economy, and enhancing international cooperation, among others.
“In November 2021, the capital market community received updates from the Office of the National Security Adviser (NSA) at a workshop it sponsored for the Capital Market, and a detailed presentation on the national cybersecurity policy was also made at the Capital Market Committee (CMC) meeting in the fourth quarter of 2021.
“The International Organization of Securities Commissions (IOSCO) to which Nigeria is a full member, has also done considerable work in making its members aware of the increasing risks around Cybersecurity. The IOSCO Board has provided guidance through its ‘Guidance on Cyber Resilience for Financial Market Infrastructures’ report, indicating the various plans or measures that industry stakeholders could adopt to ensure cybersecurity.
“It encourages regulated entities to adopt practices that are appropriate to their unique functions. Nevertheless, it notes that these should cover the identification of critical assets, protection measures and controls to enhance security, detection of abnormal activity or patterns, response plans in the event of an attack, and recovery plans to resume operations.”
He disclosed that the SEC Nigeria is developing policy and regulatory responses to emerging cyber risks in its Rules and Regulations on capital market activities and products that leverage technology, as well as in the Minimum Operating Standards for capital market operators, for which clear provisions for cybersecurity have been made.
He stated that, “Due to the importance of data protection, the Federal Government created the Nigeria Data Protection Bureau (NDPB) in February 2022. The NDPB has issued a Compliance Notice introducing the National Data Protection Adequacy Programme (NaDPAP), which guarantees every citizen of Nigeria a Right to Privacy. This is one of the concerted efforts by the NDPB to create more awareness of the obligations of Data Controllers/Processors under the NDPR 2019.
“Therefore, awareness and action at the national level should spur the various sectors of the economy to protect themselves from cyber threat by ensuring that they adhere to either industry standards or national policy carefully.”
In further recognition of the role technology will continue to play in the markets, the DG disclosed that the commission was set to release its Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators (CMOs). The guidelines will cover, among other important areas, the Computing Environment, Information Technology/Information Systems Management and Governance, IT Business Continuity and Disaster Recovery.
He assured that the commission, through these guidelines, will encourage the establishment of an Information Security and Cybersecurity Policy to be in place to form part of the Enterprise IT Policy of capital market intermediaries, platforms and other financial market infrastructures.
“Within the guidelines, we expect stakeholders to conduct regular penetration tests at least annually to detect vulnerabilities and check the resilience of their networks and systems to threats and malicious activities.
“Cybersecurity is a critical issue for the financial sector, and the capital market is up to the task of ensuring that it provides the necessary safety nets for investors and stakeholders,” he added.
Mr Yuguda, therefore, stated that the CSCS had come a long way and today stands as a pillar in our market, given the fact that it is a critical and technology-driven market infrastructure, it is not only appropriate but well placed for it to organize discussions around cybersecurity.
