SAFETY FIRST

Cybersecurity resilience forms a vital part of the JSE’s overall strategy and information security framework

SAFETY FIRST

Information security – like any security – is a tricky business. You need to protect users without getting in their way, building walls and fences that keep data safe while still ensuring it’s accessible to the people who need it. The London Stock Exchange Group sums it up well: ‘Security is like insulin,’ it says. ‘Too little of it and you’re vulnerable, too much and you’re paralysed.’

In a stock exchange context, that balance is even more delicate. The wheels of trade and commerce have to spin smoothly to keep the economy moving but any security breach could have catastrophic consequences. And – as many financial institutions are learning – security breaches could happen anywhere, and to anyone.

Even world-class exchanges are at risk. The London Stock Exchange provides a case in point – in June 2016, its website was taken down for two hours by the hacking group Anonymous during a widespread cyberattack that also targeted the Nasdaq, IMF and several central banks. Trading was unaffected and no sensitive data was stolen, yet the warning was clear.

‘Information security is about the preservation of information confidentiality, integrity and availability – or what we call the CIA Triad,’ says Ignus de Villiers, Information Security Officer (ISO) at the JSE.

‘The preservation of the CIA Triad is critical for most services that the JSE delivers. Not doing so would have a disastrous impact on the stability of the market, which is why security is so important to the JSE.’

De Villiers’ main role at the exchange as ISO is to ensure that information security risks are mitigated; that the organisation complies with required legislative and regulatory requirements; and that cybersecurity resilience forms part of the JSE’s overall information security, strategy and control framework. He says that the while the JSE’s approach to information security rests on those three pillars of the CIA Triad, additional security controls are in place to protect the bourse’s most critical information assets.

‘Examples of these include our trading and post-trading environments, as well as all other critical information assets that are used as an integral part of the financial market infrastructure ecosystem,’ he says.

The JSE has an information security management system (ISMS) based on the ISO 27001 standard. This guides all the key aspects of information security, including governance, risk, compliance, process, people and technology.

‘Part of the ISMS is an information security control framework, which consists of a combination of best practice – legislative and regulatory – as well as risk mitigation security controls,’ says De Villiers. ‘It has a number of very important processes as security controls, including information security incident response, disaster recovery, change management, patch management, vulnerability management, malware management and so on.’

As high-profile cyberattacks continue to bring information security into the global headlines, De Villiers says there is high demand to provide assurance reporting regarding the overall cybersecurity resilience posture of the organisation.

One would think that, with such a comprehensive system, all security bases would be covered. Yet, as anybody involved in IT support will tell you, silicon-based errors are far less common than carbon-based ones. Human error is one of De Villiers’ primary concerns. ‘From an ISO perspective, more engagement with users is needed to ensure awareness, about cybercrime especially,’ he says. ‘From an organisational perspective, employees need to be more aware, vigilant and apply due care in their day-to-day interaction with information assets.’

De Villiers urges all users – investors and employees alike – to ‘do the basics right’, all the time. ‘Users should never assume they are exempt from being targeted,’ he says, adding that they must always use proper passwords, identify and verify the source of incoming emails, ensure sensitive information is adequately protected, and never share private information on social platforms.

By Mark van Dijk
Image: Gallo/Getty Images