Central Bank’s new directive on security to PSPs

Aprielle Moraa, CEO Infosphere, at a past CIO East Africa event

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu

Payment service providers (PSPs) are part of critical infrastructures that are fundamental to any nation’s maintenance of a secure, sound and effective national payment system.

Critical infrastructures are increasingly the targets of cybercrime because of the high stakes they hold in the stability and effective operation of the nation, and an attack on them can have crippling effects; understanding the cyber security threats in the cyber vapour is therefore crucial.

The vast amount of information held within systems and transmitted across them, coupled with the sheer volume, evolution and sophistication of cyber-attacks, makes cyber security a key concern for regulators, whose main objective is to ensure that relevant markets function as expected by considering the interests of all involved parties in a transparent and independent fashion. Regulation of PSPs when it comes to cyber security is of great importance because it brings about standardisation of cyber security policy and process implementation issues that would otherwise be a challenge due to the variance of interests between the private and public sectors.

The guidelines on cybersecurity for payment service providers released by the Central Bank of Kenya in July 2019 “outline the minimum requirements that PSPs shall build upon in the development and implementation of strategies, frameworks, policies, procedures and related activities aimed at mitigating cyber risk” and “set the minimum standards that PSPs should adopt to develop effective cybersecurity governance and risk management frameworks.”

Some key highlights are as follows:

Cybersecurity governance: The guidelines place the ultimate responsibility for the PSP’s cyber security on the Board of Directors. The IT Governance Institute defines governance as “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly”.

The board has a fiduciary responsibility to represent and protect the interests of both internal and external stakeholders. Consequently, PSP boards have been tasked with overall oversight and strategic direction of the cyber security program. This requires that all PSP board members understand the PSP’s cyber security environment, its information lifecycle and the information security requirements of its various stakeholders.

Part of their mandate is to assign a Chief Information Security Officer, facilitate the cultivation of a cyber security culture, allocate budget, review the cybersecurity program, implement monitoring structures and ensure that the organisation is well equipped in terms of cybersecurity skills and competencies.

Information security culture: A cyber security culture fosters the maturity of a cyber security program because the culture of an organisation is synonymous with its personality.

In order to deal with the human aspect of cyber security, organisations seeking to implement information security effectively must have a culture that is conducive to the protection of information, since culture has a direct relationship with security behaviour. Culture is a constantly enacted and created attribute, and at the same time a dynamic phenomenon that surrounds us at all times; it is shaped by leadership behaviour, interactions with others and a set of structures, routines, rules and norms that guide and constrain behaviour. Fostering this culture falls to the Chief Information Security Officer (CISO), whose key role “is aimed at creating an organizational culture of shared cybersecurity ownership, implementing the cybersecurity program and enforcing the cyber security policy”.

PSPs have been granted the leeway to outsource the CISO function, but this is limited to operational security functions such as monitoring, testing and threat intelligence, and excludes governance, oversight and management functions. They are, however, mandated to inform the authority before engaging a third party for this role, while keeping in mind that the overall compliance responsibility remains with the PSP.

Risk management: A risk-based security program represents the more planned and intentional methodology for constructing a security program.

PSPs are required to understand their internal and external dependency risks, formulate a risk management framework and to carry out periodic risk assessments to be recorded as risk registers. A risk register provides the organisation with a mechanism to document, rank, track and report risks. Quarterly vulnerability assessments and annual penetration tests have also been mandated.

Vulnerability assessments and penetration tests (VAPTs) are both critical to any cybersecurity program because they improve security systems and help develop a more mature, integrated security program through the proactive identification of weaknesses and the definition of mitigation mechanisms. The risk team is assigned the responsibility for addressing risk as it pertains to information security.

Cybersecurity program, strategy, framework and policies: The cybersecurity program must be service and support oriented, which means that it is there to provide service and support to the business.

Consequently, it should, as much as possible, be seamlessly integrated into the systems and processes of at least the core business of the PSP and all systems connected to that core business. Within the cybersecurity program, a cybersecurity strategy must be implemented that is aligned to the overall corporate strategy. A strategy can be defined as the plan for achieving an organisation’s business, mission and objectives, and a roadmap as a time-based approach to articulating that plan.

Employing an information security framework within the program will provide the PSPs with discipline and structure for the security program. Information security policies are employed to integrate the various aspects of the information security program. PSPs are also required to measure the effectiveness of their cyber security programs.

Incident response and cyber resilience: Unplanned events and incidents disrupt normal operations and interfere with productivity. An effective incident response plan will minimise the downtime experienced by the PSP and, at the same time, minimise the financial loss that results.

The guidelines mandate PSPs to “plan for, respond to, contain and be able to rapidly recover from disruptions caused by cyber incidents, thereby strengthening their cyber resilience” and to foster competence of their teams in order to facilitate effective incident management. PSPs are required to report security incidents to CBK within 24 hours while Systemically Important Payment Systems (SIPs) and System-wide Important Payment Systems (SWIPs) are required to report within 2 hours.

Outsourcing: PSPs are required to ensure that any third party they engage with complies with legal and regulatory requirements and international best practices.

They are also required to engage third parties based on a documented vetting process and to implement meaningful outsourcing agreements and contracts. They should notify the authority of their intention to outsource thirty days in advance.

Security organisation: How security is organised depends on various aspects such as the mission of the organisation, the risk appetite of the business, its culture, the size of the business, the scope of responsibilities and the budget available.

The regulator has thus given PSPs some flexibility in this area as smaller PSPs. SWIPs and SIPs are further required to have a CISO who reports directly to the board, to implement a CIRT (in-house or outsourced) and to conduct periodic testing. PSPs are also mandated to implement a training and awareness program that extends to their associated third parties such as customers and suppliers.

The importance of this cyber security guideline is not in doubt as it requires PSPs to take a proactive approach in cyber security risk management. With PSPs given 90 days within which to implement the said requirements, it will be interesting to see how they go about implementing this and the challenges they will face in the process.

One of the anticipated challenges is the measurement of the cybersecurity program, since the formulation of cyber security measurement metrics is still a problem for many organisations. Another challenge is the staffing of competent cyber security teams, since there is a global shortage of competent cyber security professionals.

It would be beneficial to review the PSPs’ cyber security one year down the line to determine the effectiveness of this guideline on their cybersecurity postures and cultures.


Aprielle is a Researcher in Cybersecurity and the CEO Infosphere
