THE CBN CYBERCRIMES FRAMEWORK
Financial institutions should heed the CBN directive for their enlightened self-interest
The Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (OFIs) recently released by the Central Bank of Nigeria (CBN) could not have come at a better time given the growing cybersecurity threats in the country. But it would not work except the banks and other financial institutions show enough commitment to its implementation. The threats, identified by the CBN for the banks and financial institutions include ransomware, targeted phishing attacks and Advanced Persistent Threats (APT) that have become prevalent within the system. The deadline for full compliance has been put at 1st January 2023.
Cybercrimes refer to those criminal acts such as identity theft and bank frauds facilitated through the use of the internet. To our collective shame, our country is often cited as a breeding ground for these nefarious practices because of the activities of some of our citizens. While cyber criminals in some other countries are using their negative skills for espionage and illicit technology theft, their Nigerian counterparts are using their skills to defraud individuals and companies. But it is not only abroad that these people perpetrate their criminal activities, they also do it at home. So endemic is the problem that the Senate recently disclosed that Nigeria has lost about $450 million to 3,500 cyber-attacks on its Information and Communications Technology (ICT) space, representing about 70 per cent of hacking attempts in the country.
From social networking and research to business and commerce, ICT systems are ordinarily deployed to perform simple as well as complex tasks. But the cyberspace is also vulnerable to the activities of criminals. What marks out the Nigerian fraud gangs operating internationally is their focus on illicit financial and economic transactions. For instance, in June 2019, a damning statement by the American Department of Justice (DoJ) said, “Foreign citizens perpetrate many BEC scams. Those individuals are often members of transnational criminal organisations, which originated in Nigeria but have spread throughout the world.”
Last year, no fewer than 12 Nigerians were charged in four criminal complaints in connection with their roles in expansive online fraud schemes (including romance scams and pandemic unemployment assistance fraud) targeting individuals in the United States. Some others were also charged with mail fraud, attempted mail fraud, and mail and wire fraud conspiracy, in connection with an advanced fee fraud scheme using social media to target elderly victims. In 2015, the Cybercrimes Act was passed into law to address the challenges. The law criminalises a variety of offences – from ATM card skimming and identity theft to possession of child pornography. It imposes, for instance, seven-year imprisonment for offenders of all kinds and additional seven years for online crimes that result in physical harm, and life imprisonment for those that lead to death. But like almost every law in the country, there is the problem of enforcement.
Committed mostly by the young, often called ‘Yahoo Boys’, a precursor of the infamous ‘419’ email scammers, the fraudsters are increasingly taking advantage of the rise in online transactions, electronic shopping, e-commerce and the electronic messaging systems to engage in all manner of crimes that have sullied the image of Nigeria abroad. To deal with such emblem of shame, there is an urgent need to improve the capacity of cyber security officials and the sharing of cyber security best practice from across the globe. In addition, we must build the capacity for local law enforcement.
Given the importance of cybersecurity to the banking sector and indeed all financial institutions, we hope that they will heed the CBN directive by beginning to put in pace necessary compliance measures before the 1st January 2023 deadline.
