Sagicor’s data privacy leadership in financial services

On March 20, 2024, a significant seminar on the Data Protection Act and its impact on financial services was held at the Hilton Barbados Resort under the topic Compliance Beyond Borders: Insights from Financial Regulators. Its significance was not just due to its topic or the presence of speakers from the ministry responsible for ICT, the Data Commissioner, and senior management from participating corporate entities like the Financial Services Commission (FSC), but also because of a subtle announcement made by Sagicor. They revealed that they were in the final stages of their data privacy programme.

Why is this significant if it wasn’t particularly newsworthy? Over the last two years, the FSC has witnessed a steady rise in successful attacks on non-banking sector members, urging them to develop proposed guidelines to mitigate risks and strengthen operations. Insurance companies like Sagicor fall under this remit.

Moreover, the Barbados Data Protection Act classifies all financial data that identifies individuals as sensitive information, requiring advanced systems and procedures that surpass standard data protection measures. To comply, Sagicor implemented a data privacy programme, ensuring adherence to the data protection laws across multiple countries and jurisdictions where they operate. This programme encompasses not only IT system upgrades to secure client data but also significant improvements in internal procedures and comprehensive staff training.

Sagicor Financial Corporation, with a market value exceeding US$1 billion, serves as a regional bellwether, often predicting emerging trends. The term “bellwether” originates from shepherding, where the leading sheep, with a bell attached to its neck, guides the flock.

In the FSC’s proposed Technology and Cyber Risk Management Guidelines, basically a rule book which sets out best practices for the financial services sector, the ‘Outsourcing’ section emphasises that financial institutions must assess and manage their exposure to technology and cyber risks that could compromise the confidentiality, integrity, and availability of IT systems and data when outsourcing to third parties.

So, what does this mean for potential third-party partners seeking business from Sagicor? Third-party providers must now meet a standard level of cybersecurity and data privacy practices, ensuring appropriate care to protect data confidentiality, integrity, and system resilience. This is crucial in sub-outsourcing situations where Sagicor transfers processes or activities to other providers. Sagicor must perform thorough due diligence to guarantee compliance with regulatory requirements and its policies, minimising any undue risk that could be upstreamed to Sagicor through outsourcing arrangements. After all, Sagicor is in the business of risk management, particularly when it comes to their own.

In my cybersecurity awareness training sessions, I often emphasise that financial institutions in Barbados are the most in-tune and secure by local standards. Therefore, if I wanted to compromise any player in the financial sector, I wouldn’t attack Sagicor directly, given their rigorous policies and sophisticated security systems. Instead, I would target their outsourcing partners, such as legal and healthcare professionals who work with them through various medical plans, and outsource legal services i.e. mortgages.

I’ve personally tried to engage SMB healthcare practitioners and lawyers, but the response to understanding and implementing appropriate cybersecurity measures has been less than encouraging. Most of these professional service offices lack basic firewall services, trained staff, or documented policies on cybersecurity or data privacy.

To address these gaps, third-party professional services should prioritise developing a comprehensive cybersecurity and data privacy operations framework. This begins with adopting a cost-effective risk management methodology to identify, assess, and manage cyber risks. Security templates and predefined standards tailored to the requirements of the financial sector should be used, especially if the business frequently works with financial services.

Additionally, the framework should include:

Comprehensive yet concise compliance documentation, which is essential to align security measures with regulatory requirements. Periodic self-assessments or external cybersecurity services can help ensure consistent compliance.

Access control (systems that determine user identity) and endpoint security (advanced antivirus) are crucial. Secure access control tools like multi-factor authentication (typically requiring an additional step beyond just a username and password) and endpoint security software should be implemented. Regularly reviewing user access privileges and removing inactive accounts will help maintain security.

Service-level agreements (SLAs) should clearly outline response times and expectations. Offering niche or specialised services helps vendors distinguish themselves from larger competitors.

Data privacy and security awareness training need annual maintenance to keep staff updated on best practices. Using free or low-cost training materials and webinars can enhance team skills effectively.

In Barbados, the Data Protection Act imposes strict penalties on data controllers who fail to meet governance requirements with their third-party service providers, known as data processors. Non-compliance can result in fines of up to $500 000, imprisonment of up to three years, or both.

If businesses do not adapt quickly, their existing contracts and relationships may be at risk due to a prevailing culture of apathy toward securing technology. Their lack of commitment to data privacy and cybersecurity not only jeopardises companies like Sagicor but also exposes them to significant penalties for failing to meet due diligence standards.

Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB). Steven can be reached at: Mobile: 246-233-0090 Email: steven@dataprivacy.bb