Incorporation Number: CS046510323

SeevCash Limited INFORMATION SECURITY POLICY

Abbreviations

  • BoG: Bank of Ghana
  • CISO: Chief Information Security Officer
  • CISD: Cyber and Information Security Directive
  • DPA: Data Protection Act, 2012 (Act 843)
  • ISMS: Information Security Management System
  • ISP: Information Security Policy
  • PSSA: Payment Systems and Services Act, 2019 (Act 987)
  • PSP: Payment Service Provider

Introduction

SeevCash is a mobile financial platform designed to serve the unbanked and underserved communities by reducing transaction fees and providing digital tools to manage finances more effectively. Our mission is to make digital transactions and financial management more affordable and accessible for individuals in Ghana, particularly those facing economic hardships. We aim to empower communities by providing inclusive financial solutions that reduce the burden of transaction costs and foster economic resilience.

As a technology-driven mobile financial platform operating in partnership with licensed Payment Service Providers (PSPs) in Ghana, SeevCash recognises that the confidentiality, integrity, and availability (CIA) of customer data, payment information, and operational systems are fundamental to maintaining trust. We take our responsibility to safeguard information assets seriously and implement robust information security controls in full adherence to the laws of the Republic of Ghana.

This Information Security Policy (ISP) forms part of our overall risk management framework and is issued to support our operations and partnerships. We implement strong information security measures in compliance with:

  • The Data Protection Act, 2012 (Act 843)
  • Relevant provisions of the Payment Systems and Services Act, 2019 (Act 987) as they apply through our licensed PSP partners
  • The Bank of Ghana Cyber and Information Security Directive (CISD) and any revisions
  • Industry best practices, including principles of ISO/IEC 27001

By using SeevCash and all services offered under the brand, you acknowledge that we maintain strict information security standards. All data collected during this process shall be stored securely and shall not be disclosed to any third parties for monetary or other reasons unless required through legal process.

The objectives of this policy include:

  • To protect the confidentiality, integrity, and availability of all information assets, including customer personal data, transaction records, and critical systems.
  • To prevent unauthorised access, use, disclosure, alteration, or destruction of information in line with the Data Protection Act, 2012 (Act 843).
  • To establish a comprehensive Information Security Management System (ISMS) that identifies, assesses, and mitigates cyber and information security risks.
  • To ensure that the laws of the Republic of Ghana are duly complied with, including through our partnerships with licensed PSPs.
  • To ensure compliance with applicable guidelines issued by regulators in our country and the requirements of our licensed PSP partners.
  • To maintain customer trust by implementing industry-leading controls, including multi-factor authentication, encryption, monitoring, incident response, and business continuity measures.
  • To promote a strong security culture through continuous training, awareness, and accountability across all lines of defence.
  • To enable ongoing monitoring, testing, auditing, and continuous improvement of our security posture.

Our Information Security Lines of Defense

SeevCash applies three (3) Lines of Defense in implementing our Information Security and Cyber Security program. These lines shall strengthen procedures at the operational level and shall provide tools to ensure that the entire mechanism of Information Security Compliance is sufficiently robust.

1. First Line (Employees and Operational Teams)

During their day-to-day activities, first-line employees and operational teams are responsible for adhering to security policies and may observe unusual or potentially suspicious activity related to information security. First-line staff are required to be vigilant in their identification, escalation, and reporting of potential security incidents or policy violations. Management should ensure that all personnel, especially those who directly interact with customers or systems, adhere to the internal processes for identification and referral of potential security risks.

2. Second Line (Management and Oversight – CISO Function)

As part of the second line of defense, the Chief Information Security Officer (CISO) has the responsibility for ongoing fulfillment of all information security and cyber security duties. The CISO has responsibility for reporting significant security matters to the board and to local authorities where required. The CISO shall be provided with sufficient resources to execute all responsibilities effectively and play a central and proactive role in SeevCash's information security regimen.

3. Third Line (Auditing)

The internal audit function is responsible for independently assessing the effectiveness of the design and operation of information security controls. Additionally, there shall be periodic external audit reviews to supplement the internal audit function.

Components of our Information Security Program

Our Information Security Program includes the following interrelated components:

  1. Governance
  2. Risk identification, assessment, and mitigation
  3. Policies and procedures
  4. Asset management and classification
  5. Access control and user management
  6. Physical and environmental security
  7. Operations, communications, and cryptographic security
  8. Transaction and system monitoring
  9. Incident management and response
  10. Business continuity and disaster recovery
  11. Communication and training
  12. Continuous improvement, testing, and audit

These components are broken down further below:

i) Governance

A sound governance structure is the foundation of an effective Information Security program. Our governance structure includes the board of directors, the senior management, a Chief Information Security Officer (CISO), and a properly resourced system with three lines of defense.

ii) Risk identification, assessment, and mitigation

SeevCash shall, over time, review the risks inherent in the technology and financial services space we occupy, and shall conduct internal reviews of the risks inherent in our own systems. We shall modify our internal controls based on the risks determined during assessments, with particular attention to risks relevant to our partnerships with licensed PSPs.

iii) Policies and procedures

Internal procedures around information security shall be directed by a risk-based approach. Our policies shall be reviewed by the Board of Directors and shall be ratified by the Board whenever they are altered. The policies shall be reviewed annually and changed to suit the changing needs of the market and regulatory environment.

iv) Asset Management and Classification

We maintain an inventory of all information assets, classify them according to sensitivity and criticality, and apply appropriate protection controls.

v) Access Control and User Management

We enforce the principle of least privilege, role-based access control, multi-factor authentication, and regular access reviews to prevent unauthorised access to systems and data.

vi) Physical and Environmental Security

Physical access to offices, data centres, and critical infrastructure is strictly controlled through appropriate measures.

vii) Operations, Communications, and Cryptographic Security

Sensitive data is encrypted in transit and at rest. Networks are segmented, systems are hardened, and secure development and operational practices are followed.

viii) Transaction and System Monitoring

Automated tools monitor transactions and system activity for anomalies in real time to support fraud prevention and security.

ix) Incident Management and Response

A formal incident response plan is maintained, with prompt investigation and notification to relevant authorities and partners as required by law.

x) Business Continuity and Disaster Recovery

We maintain tested plans to ensure the availability of critical services in the event of disruption.

xi) Communication and Training

SeevCash shall hold frequent strategic and operational meetings to discuss and communicate information security policies. Training sessions shall be planned annually to ensure employees are equipped to identify and respond to security risks.

xii) Continuous Improvement and Testing / Internal and External Audit

There shall be continuous monitoring to ensure that SeevCash's information security system stays robust. Internal audit, as described, is our third line of defense. It shall independently evaluate the information security program.

Conclusion

SeevCash is committed to offering frictionless service. It is with this in mind that we aim, through our Information Security program, to maintain proper and complete information security controls on the platform we operate. We shall strive to comply with regulations, both local and international. Over time, our policy will change to reflect changing global standards. We shall especially refer to industry best practices and Bank of Ghana guidelines from time to time to adopt standards that support our operations and partnerships. We value your trust, and we shall protect your safety and stability by ensuring that our services and data are protected from misuse or abuse by malicious parties to the detriment of genuine users. This Information Security Policy enables us and our customers to execute our responsibilities in a more efficient, compliant, and cost-effective manner.

Signed

Dawuda Iddrisu

Cofounder and CEO