Ransomware Attack on Oman United Insurance Company SAOG: A Call for Stronger Cybersecurity Measures
The Threat and Response
On the first day of 2020, Oman United Insurance Company SAOG suffered a ransomware attack that compromised their main servers and encrypted critical data. Fortunately, due to the company’s robust backup system, they were able to recover their lost data by January 2nd. This incident served as a wake-up call for not only the insurance company but also for Oman as a whole, as it reflected the growing threat of cyberattacks in the country.
The attack faced by Oman United Insurance Company SAOG was not an isolated incident. In 2020, Oman recorded an alarming 123 million web application attempts, with over 417,000 confirmed attacks resulting in more than $1 million in losses. However, it is worth noting that this number represents a 13% decrease compared to the nearly 500,000 confirmed attacks reported by the Oman government in 2019.
The Importance of Cybersecurity Assessments
The decrease in confirmed cyberattacks in Oman can be attributed to the Ministry of Technology and Communication’s annual security assessments of government websites. These assessments exposed over 41,000 vulnerabilities and 13,000 IP addresses that were promptly analyzed and fixed. This proactive approach to cybersecurity has been part of Oman‘s high-level cybersecurity strategy since 2010 when the Oman Computer Emergency Readiness Team (OCERT) was established. The OCERT’s mandate is to detect and analyze cyber risks in the country and raise cyber awareness at all levels.
As a result of these efforts, the number of attempted cyberattacks in Oman significantly dropped from 880 million in 2017 to 12 million in 2022. This demonstrates the positive impact of a well-implemented cybersecurity strategy and highlights Oman as a leader in the Persian Gulf region in terms of cyber resilience.
The New Cybersecurity Framework by the Central Bank of Oman
Ensuring Resilience in the Financial Industry
Recognizing the need for a unified approach to cybersecurity in the financial sector, the Central Bank of Oman (CBO) issued a new Regulatory Framework for Cybersecurity and Resilience in September 2023. This framework applies to licensed institutions such as banks, financing and leasing companies, payment service providers, and money exchange companies. It sets out minimum requirements for these institutions to build resilience against cybersecurity risks.
The framework incorporates six key “Control Domains” or pillars, each representing an essential area of focus and guidelines for implementing security measures. These domains include:
1. Governance
This domain emphasizes the importance of strong cybersecurity governance and leadership, ensuring that institutions have clear policies and procedures in place to tackle cyber risks effectively.
2. Compliance & Audit
Institutions must adhere to relevant laws, regulations, and international standards and establish mechanisms for regular audits to assess their compliance.
3. Technology & Operations
This domain covers the technical aspects of cybersecurity, including secure network architecture, encryption, endpoint protection, and incident response capabilities.
4. Third-Party Supply Chain Management
Recognizing the interconnected nature of the financial industry, this domain focuses on managing the cybersecurity risks that arise from third-party relationships.
5. Online Financial Services
With the rise of digital banking and online transactions, this domain emphasizes the need for secure online platforms, authentication mechanisms, and secure communication channels.
6. Risk Management
This domain requires institutions to establish robust risk management frameworks to identify, assess, and mitigate cybersecurity risks effectively.
The Impacts and Benefits
By implementing and adhering to the Regulatory Framework for Cybersecurity and Resilience, the financial institutions in Oman will enhance their capabilities to safeguard against various types of cyber threats. It provides a standardized approach across all licensed financial institutions in the country, ensuring uniformity in managing cybersecurity risks.
This framework also establishes predefined protocols to help institutions respond swiftly to cyber incidents, minimizing potential damage and financial losses. Moreover, it fosters confidence among investors and the general public, promoting stability in Oman‘s financial market. Meeting international security standards through this framework may also attract international investments and partnerships, further benefiting the country’s economy.
Additionally, enhanced security measures serve to reassure customers that their financial transactions and sensitive information are safe. This encourages trust and promotes a healthy customer-business relationship.
Conclusion
The ransomware attack on Oman United Insurance Company SAOG highlights the pervasive threat of cyberattacks and the need for robust cybersecurity measures. Oman‘s proactive approach to cybersecurity assessments and the issuance of the new Regulatory Framework for Cybersecurity and Resilience by the Central Bank of Oman demonstrate the country’s commitment to combating cyber threats.
Implementing and adhering to this framework will better equip financial institutions in Oman to protect themselves from cyber incidents and ensure the security of their customers’ sensitive information. Moreover, it positions Oman as a leader in cybersecurity within the Persian Gulf region, bolstering the country’s economic stability and attracting international investments.
As cyber threats continue to evolve, it is imperative for both public and private entities in Oman, as well as individuals, to remain vigilant and invest in robust cybersecurity measures. Ultimately, this collective effort will contribute to a safer digital landscape for both Oman and the global community.
<< photo by Talal Hakim >>
The image is for illustrative purposes only and does not depict the actual situation.
