NIB chairman: No data breach after cyber attack

THE National Insurance Board (NIB) said there has been no breach of its data or risk to customer information being exposed, as a result of a cyber attack on the company last December.

The assurance came from company chairman Patrick Ferreira in a statement on Thursday.

"Forensic analysis by our cyber security specialists indicates that, at this time, there is no evidence of data exfiltration and no expected risk to confidential or personal information held by the NIB."

Ferreira reminded the public that the NIB experience a cyber attack on December 26.

"This attack was detected while in progress and quick action disrupted it before the threat actor was able to complete the task."

He said the NIB "will continue to work with our cyber security partners to improve the security and resiliency of our systems to strengthen against future potential incidents."

Last December's cyber attack on NIB, saw the company temporarily closing its offices in Port of Spain and San Fernando as a precaution while it dealt with the incident.

At that time, the NIB said it reported the incident to the Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) of the National Security Ministry.

The unit has been working with the NIB to address this matter.

Speaking in the Senate on December 19, Attorney General Reginald Armour, SC, said new laws to deal with cyber crime will be coming to Parliament soon.

He said his ministry is preparing "a cyber crime legislative package that will replace the existing Computer Misuse Act."

Armour said, "The most notable legislative reforms include the advancement of computer-related crimes, seeking to protect against the involvement of our youth in this type of criminal activity and the need to streamline our laws with that of international legal advancements."

He said the legislative package that will replace the Computer Misuse Act will "accommodate the robust criminalisation of cyber crimes through new advances of information and communication technologies."

Armour said, "This is being prudently operationalised while allowing for the proposed amendments to take into consideration our anticipated international commitments."

Armour's ministry, the Telecommunications Services of Trinidad and Tobago (TSTT), Judiciary, PriceSmart and Courts were among the public and private sector entities which experienced cyber attacks last year.

At a public meeting held by the Parliament's Social Services and Public Administration Committee on December 11, its members were told about 200 cyber attacks on public and private sector entities over the last five years and no legislation to define these incidents as crimes and help the authorities bring the perpetrators to justice.

Those testimonies came from members of the TT-CSIRT and the police cyber and social media unit (CSMU).

CSMU head Supt Amos Sylvester said while there have been many cyber incidents, there are no specific laws which identify them as crimes.

"We depend largely on legislation (to act against criminals)."

The only legislation which deals directly with computer-related offences is the Computer Misuse Act 2000.

Sylvester lamented this law "never had the sight of the kinds of (computer/cyber) crimes that we are seeing now."

He added that since 2009, efforts to strengthen this legislation have been unsuccessful.

Sylvester was unaware of anyone being charged for computer-related offences in the last three years.