More local companies are relying on their digital infrastructure to do business due to the unexpected pandemic. Many did not have an efficient action plan prepared to handle the risks related to cyber security including phishing emails, ransomware emails, the use of private devices on the company’s network, etc. Everyone became an easy target.
The situation increased the need to establish and maintain a cyber security strategy.
CYBER SECURITY STRATEGY
A cyber security strategy consists of high-level plans for how an organization will go about securing its assets and minimizing cyber risk. One of the most critical goals for any cyber security strategy is achieving cyber resilience. This requires the alignment of the business strategy, the cyber strategy, the cyber governance & oversight, and the cyber risk framework across all levels within the organization.
To achieve this a lot of work needs to be done at all levels. First, establishing an understanding of legal, compliance, and regulatory requirements and adequate cyber security expertise at the board level. Further, it is also important to establish an Enterprise Cyber Risk Management Framework with a budget to ensure its continuity and make sure the documentation of cyber risk treatment options and plans are adequate and working effectively within the company. Let’s try to explore some of the legal, compliance, and regulatory requirements applicable to cyber security in Curaçao.
We’ll call them cyber security legal and regulatory drivers which are required to ensure the effectiveness of the cyber security strategy of companies in the financial industry in Curaçao. Before we continue let me first disclose that I have no legal background or have ever worked as a regulator.
We will try to try a first dive by providing a short description of the current cyber legal or regulatory driver, followed by the related risk(s) for a small company and its importance to the cyber security strategy.
CYBER LEGAL DRIVER: EU GDPR
Curaçao is considered an autonomous country within the Kingdom of the Netherlands, a member of the European Union. Consequently, the autonomy status means that the Head of State of the Island is King Willem-Alexander and is represented in the territory by the figure of the Governor. Curaçao has a parliamentary government and decision-making and legislative autonomy, however, its foreign relations are centralized under the authority of the Kingdom. Therefore, the European Union’s General Data Protection Regulation (“GDPR”) law applies to the country of Curaçao.
SMEs established in Curaçao most probably do offer services to data subjects residing in the Netherlands through their listing advisors and brokers which in most cases do have branches established in the Netherlands.
Risk: Noncompliance with the law exposes the exchange to data protection risk and reputational damage. The risk of not being able to validate if the data is handled in a lawful way compliant with the law, especially on the protection of the data on the cloud which could entail the loss of governance, cloud providers not complying with regulatory requirements, and going concerned of cloud providers.
Importance: Procedures and controls should be in place to ensure that the legal obligations of the exchange are met to prevent or at the very least diminish the impact of a potential noncompliance scenario.
CYBER REGULATORY DRIVER: BOOK 2 OF THE CIVIL CODE OF CURAÇAO ARTICLE 15
According to Article 15 of Book 2 of the Civil Code of Curaçao management must, for administrative purposes, keep a record of the financial condition and everything related to the activities of the exchange according to the requirements to which such activities give rise, and it must keep the books, documents, and other data-carriers in respect thereof. Activities of the exchange include the KYC (Know Your Client) and continuous periodic due diligence documentation of members, listing advisors, and brokers. The exchange maintains physical evidence of its important contracts in a centralized location and digital copies on the cloud.
Risk: This risk of disclosure of centralized storage as well as shared physical hardware could cause a data breach which could lead to reputational damages followed by a material impact on the financial position of the exchange.
Importance: Procedures and controls should be in place to evaluate the data management, data storage, and record-keeping process as part of the cyber strategy.
CYBER REGULATORY DRIVER: PRIVACY ACT CURAÇAO – LANDSVERORDENING BESCHERMING PERSOONSGEGEVENS, AB 2010, 84
The privacy act of Curaçao titled “Landsverording Bescherming Persoonsgegegevens, AB 2010, no. 84”, describes all handling of personal data from the collection to the destruction thereof as data processing. Of significant importance is that personal data can only be collected for a specific justified objective. Personal data shall be supplied, processed, and used in accordance with laws, like the GDPR, and shall at all times be subject to principles of fairness and due care. The exchange stores data on the cloud which is backed up in 8 data centers in several locations around the globe.
Risk: The risk that other laws and regulations apply at the location where the data center is situated compared to where the SME is located, which may require the disclosure of the customers’ data. Serious consequences can arise for the exchange including the risk of reputational damage.
Importance: The privacy act may overlap with the GDPR, but it is still important for the exchange to comply with the local legislation. Until the government and regulators adjust the legislation the exchange should comply with the current regulation and ensure controls and procedures are in place to mitigate the risks as part of the cyber security strategy.
DORA: THE DIGITAL OPERATION RESILIENCE ACT – REGULATION (EU) 2022/2554
DORA is another cyber legal driver that is technically already here but as it is with all laws and regulations related to the Dutch Kingdom it will take some time for the industry to acknowledge it and for companies to start working on digital operational resilience. The Digital Operation Resilience Act (DORA) entered into force on January 16, 2023. With an implementation period of two years, financial entities established in EU countries will be expected to be compliant with the regulation by 17th January 2025.
Risk: DORA solves an important problem in EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience.
After DORA, they must also follow rules for the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring.
Importance: This Regulation acknowledges that ICT incidents and a lack of operational resilience can jeopardize the soundness of the entire financial system, even if there is “adequate” capital for the traditional risk categories. Regarding EU Overseas Countries and Territories (OCT), they must comply as well with DORA. Curaçao with its OCT status also must comply with DORA. Eventually, it is expected for DORA to be a global phenomenon.
FINAL THOUGHTS
Local companies should make sure to operate legally and in compliance with cyber laws, rules, and regulations applicable to the financial sector within the Curaçao Jurisdiction and the Kingdom of The Netherlands.
Management should consider discussing the above-mentioned with its legal counsel who can assist in providing an overview for a better understanding of which specific cyber laws, rules, and regulations apply to their particular SME. Management can then work on adjusting the cyber security strategy, for example, the cyber risk framework & controls, to ensure compliance with the applicable local cyber laws, rules, and regulations.
