Latest Headlines
Of Regulatory Supervision and Cybersecurity Breaches
James Emejo writes on the need to invest in cybersecurity networks and enhance regulatory supervision of operators in the financial services space to make their platforms safe for vulnerable consumers, boost confidence and limit collateral damage to the industry and economy in general
Worried by the growing havoc, which the misuse of the internet now poses to contemporary banking and the need to limit infiltrations and compromise of cybersecurity networks of financial institutions, the Central Bank of Nigeria (CBN) last week introduced an “Exposure Draft of the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions”.
In launching the framework, the apex bank pointed out that the move had become necessary to strengthen the cyber resilience of financial institutions to ensure that they remain safe and sound amidst the increasing numbers and sophistication of cybersecurity threats and attacks against them.
The draft exposure which was dated August 13, 2021 and signed by the Director, OFIs Department, Nkiru Asiegbu, stipulated the minimum requirements for enhancing cybersecurity and put enormous responsibility on companies’ board of directors,
senior management and chief information security officers (CISO), among others.
According to the CBN, the purpose of the guidelines, which provides a risk-based approach to managing cybersecurity, was to, among other things, create a safer and more secure cyber environment that supports information system security and promote stability of the OFI sub-sector.
It explained that that the safety and soundness of the sub-sector particularly required that they operate in a safe and secure environment, adding that the platform on which information processed and transmitted should be managed in a way that ensures the confidentiality, integrity and availability of information as well as the avoidance of financial loss and reputational risk, among others.
Essentially, the document provided for the cybersecurity governance and oversight; cybersecurity risk management system; cyber resilience assessment; cyber operational resilience; cyber threat intelligence and metrics monitoring and reporting.
The guidelines also spelt out the responsibilities of the board of directors, senior management and CISO, stating that the board of directors shall ensure that cybersecurity is completely integrated with business functions and managed across the OFI as well as have oversight and overall responsibility for cybersecurity programmes.
In addition, senior management of OFIs would be responsible for the implementation of the board-approved cybersecurity strategy, policies, standards and the destination of cybersecurity responsibilities, among others.
The document also mandated every OFI to appoint or designate a CISO whose responsibilities shall include the day-to-day cyber activities and the mitigation of cybersecurity risks in the institution.
However, the concerns over the safety of internet transactions is not peculiar to the OFIs as over the past years and till 2019 and beyond, cybersecurity infiltration continues to pose major risks to the financial services sector, including the deposit money banks (DMBs).
Losing Huge Amounts
In fact, banks have continually lost huge amounts of money to fraud with electronic and internet-based transactions accounting for the bulk of the attacks.
Internet fraud has increased with the efforts of financial regulatory authorities to boost financial including by expanding access channels as well as introducing a variety of digital products and assets.
In 2017, the Nigeria Deposit Insurance Corporation (NDIC) in it annual report, stated that the actual amount lost to fraudulent activities by banks that year stood at N12.01 billion, though lower by 1 per cent, 25.20 per cent and 61.70 per cent in relation to figures recorded in 2014, 2015 and 2016, respectively.
Interestingly, the corporation pointed out that technology-based platforms were the most vulnerable points for the banking system and had the highest frequencies similar to what happened in previous years.
The NDIC also observed that the “rising spate of fraudulent practices and actual losses from these activities could be attributed to prevailing misalignments in the nation’s economic environment, amid high youth unemployment, amongst others”.
Yet, in 2018, the corporation reported a significant increase in the number/frequency of reported fraud and forgery cases in the banking sector, recording a total of 37,817 fraud cases against 26,182 in 2017, representing an increase of 11,635 or 44.42 per cent.
Similarly, the amount involved significantly increased by over 224 per cent to N38.93 billion in 2018 from N12.01 billion in 2017.
As pointed out by the corporation, “the rising fraud incidences could be attributed to the increase in sophistication of fraud-related techniques, such as hacking, cybercrime as well as increase in information technology-related products and usage, fraudulent withdrawals and unauthorized credit.”
Sources of Fraud
In the same vein, Internet and technology-based sources of fraud had the highest frequency, accounting for 59.2 per cent of fraud cases and 42.83 per cent of the actual total loss suffered.
However, in 2019, the NDIC noted that number of fraud cases rose in the first three quarters but declined in the last quarter, adding that “overall, there was an uptick in the total number of fraud cases in 2019 compared to previous years.”
It stated that ATM card-related fraud had the highest frequency, accounting for 49.78 per cent of fraud cases followed by web-based internet banking frauds with 21.02 per cent.
The above narrative presents a worrisome development for the banking and financial services sector, which is regarded as critical for the growth of the economy.
The vulnerability of the systems could also affect confidence in the sector at a time when the government is trying to bring more people into the financial landscape.
Although some bigger banks have been able to gradually beef up their cybersecurity architecture by building firewalls, and introducing additional layers of security, including multiple factor authentication as well as increasing the awareness of customers around the strategies deployed by scammers to fleece vulnerable targets, the OFIs, who ought to cater for the financial needs of the unbanked population at the bottom of the pyramid, have been found lagging behind.
Commenting on the development, Managing Director/Chief Executive, Credent Investment Managers Limited, Mr. Ibrahim Shelleng, told THISDAY in an interview that the authorities need to do more to secure platforms and boost confidence.
He said given that a major part of the financial inclusion drive is based on using fintech to penetrate the underbanked, “any potential threat to security of funds will certainly have a negative impact on that drive.”
Shelleng added that, “Already a large number of the population are skeptical on the security of these fintech platforms, especially since scammers use the same technology to siphon funds from unsuspecting investors.”
Cybersecurity Breaches
Similarly, Managing Director/Chief Executive, SD&D Capital Management Limited, Mr. Idakolo Gbolade, said increasing cybersecurity breaches remain a major source of concern as the financial sector moves more into digitisation of transactions.
He said, “The USA recently witnessed major cybersecurity breaches on its financial sector and major national assets despite their advancement in technology. This should give us serious concerns because we are not even as advanced as the major economies.
“The financial sector should constantly enhance its firewalls to prevent frequent breaches as this has been identified as a major threat that can lead to constant financial losses if not checked.”
According to Gbolade, “these criminally-minded individuals are also advancing in their techniques but with constant awareness and security alerts, the financial sector can reduce losses arising from cyber thefts.”
Analysts have also criticised the banking and financial services sector for not deploying adequate and aggressive awareness campaigns to sensitise consumers about the increasing threats to the cyber and electronic space.
According to the NDIC, the increasing use of financial technology channels, particularly mobile and ATM transfers, among others, was attributed to a rise in frauds and forgeries via these channels.
The corporation pointed out that it was imperative that the financial system continued to upgrade cyber security platforms backed up by continuous consumer education and sensitisation to prevent loss of funds and build depositor confidence.