Cyber Security Authority begins Licensing of Service Providers

The Cyber Security Authority (CSA) has begun the implementation of licensing Cybersecurity Service Providers (CSPs) in the country.

This is in addition to accrediting Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs), pursuant to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59.

The purpose of the regime is to ensure regulatory compliance with the Cybersecurity Act, 2020 (Act 1038) and to certify that CSPs, CEs and CPs offer their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices.

A statement issued by the Authority said given the critical role CEs such as digital forensic laboratories and managed cybersecurity services played in securing the country’s digital ecosystem, it was imperative that processes and technology used by such establishments were in line with international best practices and standards adopted by the authority.

Essential

It has, therefore, become essential that the authority, in line with Section 59(3) of Act 1038, takes the necessary measures such as licensing CSPs and accrediting CEs and CPs to ensure that recognised standards have been met.

“The regulatory process starts with the licensing of existing and new CSPs, which will subsequently be followed by the accreditation of CEs and CPs. CSA will license CSPs and accredit CPs with requisite expertise in Vulnerability Assessment and Penetration Testing, Digital Forensics Services, Managed Cybersecurity Services, Cybersecurity Governance, Risk and Compliance,” it said.

Accreditation to CEs, it said, would consider Digital Forensics Facility and Managed Cybersecurity Service Facility and that under the regime, existing CSPs, who were already engaged in the business of providing cybersecurity services would be given six months (from March 1 to September 30, 2023) to apply for a licence.

“A CSP who fails to obtain a licence within this period will have to cease operation until a licence is obtained from the authority,” it added.

The statement further noted that it had become necessary that the industry was regulated to control cybersecurity risks and protect the interests and safety of children, businesses, the government and the general public and that “with the increasing rate of cybercrimes, CSPs, CEs and CPs have become critical components for mitigating cybersecurity threats and vulnerabilities within the country’s fast-developing digital ecosystem in line with the Cybersecurity Act, 2020 (Act 1038).”

Cybersecurity

“Cybersecurity services by the nature of their operations are intrusive, and as a result, CSPs, CEs and CPs always gain access to clients’ critical information assets, thereby gaining knowledge of existing vulnerabilities and sensitive information, which could be potentially abused or exploited,” it emphasised.

The statement said it was also possible to have CSPs, CEs, and CPs who might not be competent or who might employ substandard processes in their offerings to the detriment of the country’s digital ecosystem.

In addition, it said some businesses or government agencies lack the capability of ascertaining the credibility or qualification of CSPs, CEs or CPs, especially since there was no repository of licensed and accredited CSPs, CEs or CPs.

Process

“This process is to ensure that the targeted entities have the requisite skillset and competence and meet the established standards for offering sufficient protection of the computer systems and networks in the country’s digital ecosystem.

“The regulatory exercise will provide greater assurance of cybersecurity and safety to consumers, and to raise the quality of Cybersecurity Service Providers’ deliveries, thereby improving and maintaining standards that offer baseline protection to Ghana’s digital ecosystem,” it said and added that it would “ensure that qualified professionals with the appropriate certification, provide cybersecurity services to support a secure and resilient digital ecosystem and consequently give recognition to the cybersecurity profession as a critical profession to support and sustain the current digital transformation agenda”.

Regulations

Furthermore, it said national security considerations were driving regulations in the sector to ensure only qualified persons and institutions in good standing would undertake these critical services.

“The government, through the CSA, regulates the sector by providing a licensing framework in accordance with Sections 49 to 59 of Act 1038 to guarantee that CSPs, CEs and CPs attain a higher level of compliance with Act 1038 and standards in line with international best practices.

This is to provide assurance to the public and other key stakeholders that the cybersecurity services they procure from the industry are effective in securing their assets and processes,” it said.

Section 57 of Act 1038 mandates the CSA to establish a mechanism to accredit cybersecurity professionals.

Such an accreditation process provides recognition to accredited cybersecurity professionals, who have proven demonstrable competence in their cybersecurity domain.

Section 59 of Act 1038 further mandates the CSA to enforce cybersecurity standards and monitor compliance by the public and private sectors, including Cybersecurity Establishments or institutions.