Access Financial Services Limited and Niche Financing Limited are the latest Jamaican companies to inform the public of cybersecurity incidents which have affected them within the past few weeks.

Access notified investors on Tuesday when it made a disclosure on the Jamaica Stock Exchange (JSE) about the breach, indicating that its internal monitoring systems detected suspicious activity on its network on February 27. While the company noted that it is still determining all the details of the breach, its initial assessments confirmed a breach and that they were investigating the extent and nature of the incident.

“However, we want to assure you that our team has successfully contained the matter and implemented immediate measures to disrupt unauthorised access. Additionally, we have initiated a comprehensive review of our cybersecurity measures to identify and address any potential vulnerabilities. We are also working closely with our cybersecurity experts to implement further measures to safeguard our systems and data. These steps are designed to prevent any future occurrences,” Access stated in its disclosure.

It further stated, “To minimise any impact on our operations and ensure business continuity, we have deployed alternative measures that have allowed us to maintain essential services and minimise disruptions. Our teams are working diligently to resolve the situation and restore normal operations as quickly as possible. We are confident that the steps we have taken have significantly mitigated the potential impact on our services.”

Access noted that it has submitted a preliminary report to the Office of the Information Commissioner (OIC) and that it has reported the event to the relevant authorities. Access, a publicly listed company and a licensed microcredit firm, had a $6.15-billion consolidated loan book at the end of December 2024. Access is one of the largest known microcredit entities in Jamaica with the company having a small subsidiary in Florida.

Niche Financing Limited, another licensed microcredit firm, had a sponsored advertisement on Instagram regarding a security breach which apparently occurred around February 21. When the Jamaica Observer contacted Niche, a customer service representative confirmed a breach of the company’s email system.

The Business Week reached out to Niche’s Data Protection Officer who stated, “Yes, we experienced a data breach two weeks ago. Our Outlook emails were compromised. So, anything we sent through Outlook, that’s what has been breached, not our servers or anything like that. None of our client’s information was released, just emails within the office that has been breached.”

Jamaican firms have been coming under a wave of attacks within the last couple of months with Mervyn Eyre, chief executive officer of Fujitsu Caribbean, telling the Business Week in February that Jamaica has become the most targeted country in Latin America and the Caribbean for cyber-attacks. He also revealed that 55 per cent of malicious files were delivered via email, with most attacks aiming to exploit vulnerabilities in information systems.

Eyre said, “The reality is that it’s not if you’re going to be attacked, it’s when”, while emphasising the importance of proactive cybersecurity measures.

“So, everybody needs to position themselves and we can help shift that culture from a hall of shame to a hall of fame in that the story then becomes not around you trying to hide the facts, but how you successfully navigated a security attack. By you actually making that more transparent, you’re building more trust,” Eyre explained further.

Biomedical Caledonia Medical Lab Limited was the latest victim to publicly admit to a significant cyber-attack. Several publicly listed companies on the JSE have noted in the last three years being victims of cyber breaches with the Financial Services Commission, a financial sector regulator, being hit with ransomware in late 2023.

Apart from breaches arising from emails, cyber criminals are also using company’s websites and the potential weakness in the backward integration to enter their system. Ransomware is used to steal information and block the ability for a business to function in a normal manner. These threat actors are also deleting digital backups to further weaken their victims and pressure them to capitulate to their demands.

Jamaica had a black eye moment in 2021 when TechCrunch author Zachary Whittaker revealed a vulnerability with the Government’s JAMCOVID website and application which had an exposed cloud server that allowed for anyone to view the personal information of travellers. Other payment gateway weaknesses have been revealed by different tech specialists, with some penetration testers finding numerous weak points for Jamaican companies which were hit in the past by cyber-attacks.

As the world continues to evolve, governments have introduced different incentives to attract talent and encourage companies to invest in cybersecurity. Trinidad & Tobago introduced the cybersecurity investment tax allowance in February 2024 which allows businesses to benefit from a TT$500,000 (J$11.50 million) tax deduction for eligible businesses that invest in cybersecurity software and network security monitoring equipment. Other European territories have created programmes to make the path to permanent residency easier for cybersecurity professionals.

Numerous financial institutions in Jamaica have mandated cybersecurity training for their employees to help reduce their cyber risk. If an employee doesn’t pass the training or are caught by simple phishing tests from internal departments, they can be mandated to attend further training sessions. Some financial companies go a step further and will deduct part of an employee’s salary if they don’t complete the mandatory cyber training sessions.

“There needs to be an investment in skills in the technologies that represent the greatest threats which are around AI’s and evolving technologies like quantum [computing]. All organisations should have mandatory training programmes. They’re easy to introduce. If you go over the checklist of things, it does come back to some basic 101 stuff. I think far too many organisations feel anxious that it’s [information] something they should keep to themselves,” Eyre closed.

Access Financial and Niche Financing were recently affected by cybersecurity events.