Cayman’s financial institutions face the same threats as any other financial centers around the globe, but local cybersecurity experts say people in Cayman may never find out if their personal information is stolen from a local bank.
Banking regulations in Cayman don’t require banks to tell customers if their data has been compromised by hackers, and that is the same for all industries in Cayman. New data protection legislation, which has been circulating in the Legislative Assembly for years, would add consumer protections and could potentially force banks to share information with customers when data is stolen.
Taron Jackman, a partner with Deloitte who specializes in IT security in Cayman, said the country is “not as advanced from a regulatory standpoint.” People don’t hear of data breaches in Cayman, he explained, “because there’s no legislation to demand it.”
Hackers target banks around the world every day, but large scale data breaches, or at least ones that become public, are rare. Wayne Green, who works with Deloitte’s clients to secure their IT infrastructure, said, “It’s not a matter of if you’re going to be hacked, but how you’re going to respond.”
In a spate of attacks in Cayman reported late last year, hackers gained access to emails with bank transfer details and the overseas thieves were able to transfer money out of accounts from several local banks. Hackers stole more than $300,000 from one victim.
In a statement at the time, police said, “Hundreds of thousands of dollars have been fraudulently wired from the Cayman Islands to the U.S., Hong Kong, Singapore, Malaysia, Denmark and other jurisdictions. By the time attempts are made to recall the fraudulent wires, the funds have been collected and it is too late.”
As recently as March, police said local banks were still seeing attempts to make fraudulent wire transfers.
The Cayman Islands Monetary Authority, which regulates banks, has guidance for banks on cybersecurity, but no requirements. According to CIMA’s Sharon Marshall, the Statement of Guidance states banks should “safeguard Internet systems and data,” reduce the risk of fraud, and develop “response plans to manage, contain and minimize problems … that may hamper the provision of Internet services.”
Ms. Marshall confirmed that CIMA “does not require the banks to report the data breaches to us.” She did say that banks voluntarily report cybercrimes to CIMA, but she would not say how frequently banks report online attacks and data theft.
Data protection legislation, which, among other things, could require banks to tell consumers if hackers steal their personal information, has been a topic of discussion in the Legislative Assembly for more than five years. In August this year, the government released a final consultation on that bill, and it could come up for debate in the LA again next year.
The Data Protection Bill is based on European Union and United Kingdom regulations from the 1990s, but those rules are in a process of being updated to meet current realities of expanding online data.
Cayman’s data protection legislation has faced criticism from a number of fronts, in part because many think the bill is outdated and too complicated. The Human Rights Commission reviewed the proposal in 2012 and issued a report critical of the bill or being too confusing. The commission’s report states, “The aim of the Data Protection Law is to protect individuals’ rights with regard to data specific to them; persons cannot grasp, defend, nor exercise such rights without the requisite understanding of the law itself.”
‘A bank is a bank’
Regardless of the regulatory framework, banks in Cayman are connected to the world online just like any other bank in Manhattan or Tokyo, and they face the same threats. “Any bank has client data” like names, birthdates and identification numbers, said Micho Schumann, who specializes in IT security with KPMG. “They’ve got a lot of stuff to protect.”
Mr. Schumann, who has worked in Cayman and around the region for eight years, said people in the country’s financial service industry “have good security awareness.” That means at least hedge fund managers and bank executives know computer security is an issue. But, Mr. Schumann asked, “Does good awareness mean good security? Not necessarily.” The upside, Mr. Schumann said, is that awareness has increased steadily in his time working on island. And with that awareness comes increasing investment in hardening networks and securing data.
Mr. Schumann hesitated to put Cayman into a different category, but he said if there’s any difference between Cayman and other financial centers around the world, it’s that people can be more trusting here.
“A bank is a bank,” Mr. Schumann explained, and the IT challenges to fight hackers are the same in Cayman as anywhere: Overworked IT staff, rogue employees, untrained employees who may unwittingly open a malicious attachment, legacy systems running outdated and vulnerable software, and balancing computer security with being able to do business easily.
And, he said, there’s the same mix of computer security here that’s found around the world: Global firms with global security standards down to small companies with little to no online protection, and everything in between.
The key for Mr. Schumann is the attitude at the top of any company. If a CEO makes computer security a priority and puts the necessary budget behind it, networks and data will be much more secure.