In the wake of the recent high-profile cyber attack on one of the country’s largest financial institutions, it has become clear that stronger regulations are needed to ensure financial firms disclose when their systems have been breached.
The hack resulted in the theft and public leaking of sensitive customer and operational data, putting thousands of Zimbabweans at risk of identity theft, fraud and other malicious activities.
However, the lack of transparency on this incident is concerning and highlights the need for new laws to compel such organisations to be upfront about cyber security incidents.
The attack, carried out by a group calling itself “Mad Liberator”, is just the latest example of Zimbabwean companies falling victim to the growing global threat of ransomware.
According to a report by a cyber security monitoring firm, the Zimbabwean bank was one of six companies targeted by the group, which also hit firms in South Africa, the United Kingdom, Spain and Italy.
The hackers were able to steal names, addresses, account information and more.
They then demanded a ransom payment. When that was refused, they dumped stolen files onto the dark web for all to see.
This is a nightmarish scenario for any financial institution and its customers.
The exposure of such sensitive personal and financial data leaves clients vulnerable to a host of malicious activities, such as account takeovers and fraudulent transactions.
Yet, despite the severity of this breach, the bank has remained silent on the incident. This lack of transparency is unacceptable and highlights the need for regulations that would compel it, and other Zimbabwean financial firms, to be upfront about cyber security incidents.
The consequences of silence extend beyond just its own customers.
Zimbabweans have a right to know when major institutions have been compromised.
This information affects the overall security of the financial system.
If other banks or financial services providers have also been targeted by hackers, the public deserves to know so they can take appropriate precautions to protect their personal and financial information.
Unfortunately, the bank is not alone in its reluctance to disclose cyber security breaches. There is a troubling pattern of companies and organisations remaining tight-lipped about such incidents to avoid reputational damage or due to lack of understanding about the importance of transparency.
This culture of secrecy puts consumers at risk and undermines trust in the country’s financial institutions.
This lack of disclosure not only leaves victims of cyber crimes in the dark, but it prevents other organisations from learning from these incidents and bolstering their own defences.
If financial institutions are able to keep breaches under wraps, it allows vulnerabilities to persist across the industry, putting all Zimbabwean consumers at risk.
To address this problem, Zimbabwe needs to follow the lead of other countries and implement mandatory disclosure laws for cyber security incidents.
Such regulations would require any company, especially those in the financial sector, to promptly notify customers and the public whenever their systems have been compromised and sensitive data has been accessed or stolen.
These laws would serve several important purposes. First and foremost, they would empower consumers to take swift action to protect themselves.
Individuals would closely monitor their accounts, change passwords, and implement additional security measures to mitigate the risk of fraud or identity theft.
Mandatory disclosure would also incentivise companies to take cyber security seriously and invest in stronger defences.
Rather than being able to sweep incidents under the rug, organisations would be compelled to be proactive about detecting and responding to threats.
This can make the entire Zimbabwean financial system more resilient.
Furthermore, public disclosure of cyber-attacks would enhance transparency and accountability. Rather than operating in the shadows, financial institutions would be held responsible for their cyber security measures, or lack thereof, and face consequences if they fail to adequately protect their customers’ data.
This would foster greater trust in the industry and ensure companies are prioritising the protection of consumer information. Of course, implementing such regulations would not be without its challenges.
Financial firms may push back, citing concerns about reputational damage or the potential for copycat attacks if vulnerabilities are made public.
There may also be debates around the specifics of what must be disclosed and when. But given the serious risks posed by the recent hack in Zimbabwe, and other similar incidents, the benefits of mandatory disclosure far outweigh the drawbacks.
The time has come for Zimbabwe to take decisive action. By requiring companies to be upfront about cyber security breaches, the country can empower individuals to protect themselves, drive improvements in industry security practices, and foster greater trust in the institutions that play such a crucial role in people’s lives.
The hack was a wake-up call, and Zimbabwe cannot afford to hit the snooze button. It is time to make cyber security disclosure the law of the land.
On another note, what stops the customer from suing the financial institution for not protecting his/her data and not having the right structures to protect the client?
- Mutisi is the CEO of Hansole Investments (Pvt) Ltd. He is the current chairperson of Zimbabwe Information & Communication Technology, a division of Zimbabwe Institution of Engineers. — +263772 278 161 or [email protected]