THE NEED FOR DIGITAL TRANSACTION PLATFORMS TO UNDERTAKE A MANDATORY CYBERSECURITY ASSESSMENT FOR CONSUMER PROTECTION
INTRODUCTION
Cybersecurity, according to the Cybersecurity Act, 2020 (Act 1038), is the protection of a computer or computer system from unauthorised access or attack, so that the system remains available and operational, its integrity is maintained, and its information stays confidential and unaltered.
Act 1038 established a Cybersecurity Authority (CSA), whose objects include preventing, managing and responding to cybersecurity threats and incidents, and promoting the development of cybersecurity in the country to ensure a secure and resilient digital ecosystem. It is therefore the responsibility of the CSA to make sure that critical information infrastructures are protected from cybercrime.
Cybercrime means the use of cyberspace, information technology or electronic facilities to commit a crime. A critical information infrastructure, according to Act 1038, is any computer system or network that is essential to the economic and social well-being of citizens; this includes banking and financial services as well as public utilities.
Driven by the push for financial inclusion, under which every Ghanaian needs a digital transaction account but not necessarily a bank account, Ghana is witnessing an uptake of digital payment platforms from telcos, fintech providers and mainstream banks. To start the fight against cybercrime, the CSA first needs to know the current security status of the critical systems that are at high risk of cyberattack and whose compromise would affect the economic activity of most Ghanaians: the institutions providing these digital transaction platforms.
MANDATORY TEST
The CSA needs a baseline from which to determine the extent of vulnerability of those providing electronic payment platforms, such as the banks, the telcos' mobile money (MoMo) services and the utility companies such as ECG and GWCL, so that any intervention can be bespoke to each institution. The risk is easy to picture: if an attacker gained remote access to ECG's billing system, they could erase a bill or mark an unpaid bill as paid.
Each organisation, depending on its network topology and its IT risk management methodology, will have a different level of exposure to cyber risk, so there cannot be a one-size-fits-all approach. The CSA should direct all owners of digital transaction platforms to undertake a mandatory assessment under a framework determined by the Authority, including penetration testing, vulnerability assessment, configuration review and a probability-and-impact risk analysis. After the assessment, each institution should be risk graded against publicly available criteria, much as credit rating agencies grade countries and financial institutions.
The risk grades from the initial mandatory assessment must be published to nudge the institutions to reduce their vulnerability to cyberattack, and they will be a useful indicator for consumer protection. Consumers will be better informed and able to choose institutions with a good cybersecurity grade, meaning those at lower risk of cyberattack and cybercrime. What is published should be the grade, not the detailed findings: a list of unpatched weaknesses in a named bank or telco is a roadmap for attackers, so the findings themselves should go only to the institution and the Authority.
The CSA should also require all critical information infrastructure owners to include a statement on the state of their cybersecurity in their end-of-year reports.
ROLE OF THE AUTHORITY
In the initial stages the CSA should be supportive, giving institutions at risk the guidance they need to come up to speed, rather than introducing a sanctions regime that penalises them in order to generate internally generated funds. Income generation should not be the goal, so that institutions are willing to report cyber threat incidents and to seek help voluntarily. The big players in the digital payment business, such as the telcos and the banks, will certainly have the financial muscle and capacity to engage the best cybersecurity experts, but the small and medium-sized institutions will have to be supported. They could be the weakest link.
It may be necessary to categorise all such institutions according to a risk methodology, with a graduated level of expected compliance. The high-risk, high-impact institutions should be given a shorter time to undertake the mandatory test. Of course there will be IT cost implications for the companies, both for the assessment itself and for the interventions that follow, involving hardware and software, and these do not come cheap. The Authority should lobby Parliament to make the costs incurred by Ghanaian-owned companies for cybersecurity compliance tax deductible. Foreign-owned institutions should not be allowed to put the country and its citizens at risk, but we also need to protect our own companies so that they can grow.
A compliance period of a set number of years may be given to all institutions, depending on the outcome of each company's mandatory assessment, and it is during that period that Ghanaian SMEs should enjoy the tax incentive. This is likely to speed up compliance, and it is only after this supportive, hand-holding period that a sanctions regime should be instituted.
ROLE OF CYBERSECURITY SERVICE PROVIDERS
There will be cybersecurity service providers, licensed by the CSA, who should be ready to help with this initial baseline mandatory assessment and the cybersecurity gap analysis. Only after this gap analysis can these institutions be supported in putting the needed interventions in place. The providers themselves must have the capacity and capability to carry out the tests in the CSA's compliance framework.
There will also be Ghanaian SME cybersecurity service providers that will need support, since this is an area in which young, bright, technology-savvy entrepreneurs will emerge and need to be nurtured and developed. This is a field for the youth, and if they are not supported they could instead become a risk to the system: they need to earn a living, and might turn to cyber espionage or be recruited as cyberterrorists.
CONCLUSION