Kingston, Jamaica – Access Financial Services Limited and Niche Financing Limited are the latest Jamaican companies to inform the public of cybersecurity incidents which have affected them within the past few weeks.
Access notified investors on Tuesday about the breach via the Jamaica Stock Exchange (JSE), indicating that its internal monitoring systems detected suspicious activity on February 27. While the company is still determining all the details, initial assessments confirmed a breach, and it is investigating the extent and nature of the incident.
“However, we want to assure you that our team has successfully contained the matter and implemented immediate measures to disrupt unauthorized access. Additionally, we have initiated a comprehensive review of our cybersecurity measures to identify and address any potential vulnerabilities. We are also working closely with our cybersecurity experts to implement further measures to safeguard our systems and data. These steps are designed to prevent any future occurrences,” Access stated in its disclosure.
Access further stated, “To minimize any impact on our operations and ensure business continuity, we have deployed alternative measures that have allowed us to maintain essential services and minimize disruptions. Our teams are working diligently to resolve the situation and restore normal operations as quickly as possible. We are confident that the steps we have taken have significantly mitigated the potential impact on our services.”
Access noted that it has submitted a preliminary report to the Office of the Information Commissioner (OIC) and reported the event to the relevant authorities. Access, a publicly listed company and a licensed microcredit firm, had a $6.15-billion consolidated loan book at the end of December 2024. It is one of the largest known microcredit entities in Jamaica, with a small subsidiary in Florida.
Niche Financing Limited, another licensed microcredit firm, had a sponsored advertisement on Instagram regarding a security breach which apparently occurred around February 21. When the Jamaica Observer contacted Niche, a customer service representative confirmed a breach of the company’s email system.
The Business Week reached out to Niche’s Data Protection Officer, who stated, “Yes, we experienced a data breach two weeks ago. Our Outlook emails were compromised. So, anything we sent through Outlook, that’s what has been breached, not our servers or anything like that. None of our client’s information was released, just emails within the office that have been breached.”
Jamaican firms have been coming under a wave of attacks within the last couple of months. Mervyn Eyre, chief executive officer of Fujitsu Caribbean, told the Business Week in February that Jamaica has become the most targeted country in Latin America and the Caribbean for cyber-attacks. He revealed that 55 percent of malicious files were delivered via email, with most attacks aiming to exploit vulnerabilities in information systems.
“The reality is that it’s not if you’re going to be attacked, it’s when,” Eyre said, emphasizing the importance of proactive cybersecurity measures.
Biomedical Caledonia Medical Lab Limited was the latest victim to publicly admit to a significant cyber-attack. Several publicly listed companies on the JSE have noted being victims of cyber breaches in the last three years, with the Financial Services Commission, a financial sector regulator, being hit with ransomware in late 2023.
Cyber criminals are using emails, company websites, and potential weaknesses in backward integration to enter systems. Ransomware is used to steal information and block business functions. These threat actors also delete digital backups to further weaken their victims and pressure them to capitulate to their demands.
As the world continues to evolve, governments have introduced different incentives to attract talent and encourage companies to invest in cybersecurity. Trinidad & Tobago introduced the cybersecurity investment tax allowance in February 2024, allowing eligible businesses that invest in cybersecurity software and network security monitoring equipment to benefit from a TT$500,000 (J$11.50 million) tax deduction. European territories have also created programs to make the path to permanent residency easier for cybersecurity professionals.
Numerous financial institutions in Jamaica have mandated cybersecurity training for their employees to help reduce their cyber risk. If an employee doesn’t pass the training or gets caught by simple phishing tests from internal departments, they can be mandated to attend further training sessions. Some financial companies go a step further and will deduct part of an employee’s salary if they don’t complete the mandatory cyber training sessions.
“There needs to be an investment in skills in the technologies that represent the greatest threats, which are around AI’s and evolving technologies like quantum [computing]. All organizations should have mandatory training programs. They’re easy to introduce. If you go over the checklist of things, it does come back to some basic 101 stuff. I think far too many organizations feel anxious that it’s [information] something they should keep to themselves,” Eyre closed.