Cyberattacks are a serious threat to all of us. By definition, cyberattacks are criminal activities in which services or applications in cyberspace are used for, or are the target of, a crime, or in which cyberspace is the source, tool, target, or place of a crime.
Considering the high level of interdependence within the financial sector, cyberattacks are not only a threat to individual institutions but pose a threat to the stability of the overall financial ecosystem.
Bank of England Governor Mark Carney, at the 2019 World Economic Forum (WEF) summit in Davos, Switzerland, warned industry players of the increased cyber-security risks in finance. Carney said, “What’s quite important here is planning for failure. Assume failure. It’s one thing bondholders in banks have to think about. They are going to be bailed in. One of the things we have started working on with the International Monetary Fund (IMF) and Financial Stability Board is — assume a successful cyberattack. How quickly can you get back up and running? How will you? What are the mechanisms? Planning for failure is hugely important.”
Attackers could try to hack into a private computer or an organization for economic gain or simply for demonstrative purposes, or they could be driven by the aim of causing damage and disruption. This threat has to be taken seriously by banks, financial institutions, and financial market infrastructures (such as payment or settlement systems). Central Bank of Kenya’s Governor Patrick N. Njoroge told a press conference in Nairobi on January 29 that cases of ICT-related fraud have been on the rise in recent years, and called on banks to tighten their systems because cybercrime is one of the risks targeting the financial sector and is expected to increase in sophistication and frequency.
The risk of cyberattacks is further accentuated by the financial system's high reliance on digital technologies, the difficulty of protecting against fast-changing threats, and the borderless nature of these attacks. It is therefore essential that commercial banks, other financial institutions and financial market infrastructures, as well as central banks like the Central Bank of Eswatini, have an adequate level of cyber resilience to ensure their own protection as well as that of the entire ecosystem.
The Reality of Cyberattacks: The 2013 CBE Cyber Attack Case
Central Banks remain a soft target for cyber-attacks and have been victims in the recent past, resulting in losses of US$117 million. Central Banks like the Federal Reserve Bank of New York in 2010, Sveriges Riksbank in 2012, Federal Reserve Bank of Saint Louis in 2013, European Central Bank in 2014, Bangladesh Bank in 2016, Bank of Russia in 2016, Bank of Italy in 2017 and the Central Bank of Eswatini in 2013 and 2016 all fell victim to cyberattacks ranging from data breach to fraud. Forensic investigations on CBE by highly skilled local and South African companies discovered that the cybercrime actors were: cybercriminals interested in defrauding by electronic means; disgruntled employees leaking sensitive company information or exploiting their access rights to collude with external parties against the CBE; and hackers gaining unauthorized access to systems. This resulted in an actual loss amounting to E7.5 million, although the fraud attempts totaled about E21 million.
It is a common mistake for institutions to look at the loss and begin to think they can live with it because it might cost more to recover it. They lose sight of the fact that this is a very narrow view. The chance of a repeat with an even bigger loss cannot be ruled out. The forensic investigation cost is also justified, since it helps to show the weaknesses of the system, identify the “bad potato” employees who committed or assisted in committing the fraud, take preventative measures, and introduce better fraud-resistant systems, while creating awareness across the organization and among sister local and regional stakeholders. Clearly such measures are priceless.
Beyond this loss, the CBE spent a total of E33 million on forensic investigations to get to the bottom of how the crime was committed; disciplinary hearings for corrective actions that were deemed necessary by the results of the forensic investigations; ICT systems review as part of the measures for preventing future occurrences; and professional fees like the costs of engaging attorneys. It is worth mentioning that these efforts resulted in the Bank being able to recover about E1.1 million directly from South Africa and about a further E5.9 million from insurance claims. Further, the Bank understands that the costs of such incidents go beyond the actual losses, as they also result in erosion of confidence in an institution.
Towards a more resilient CBE
In appreciating the costs that the Bank incurred due to the cyberattack, it was imperative that the Bank take strides to prevent any further attacks. Considerable investments were made to combat this imminent threat, in order to identify, protect, detect, respond and recover from cyber-attacks. Since these attacks spread across networks, it is important for cyber-crime to be treated as a threat to national and industry security. Disclosure by an institution that has been a victim of a cyberattack remains one important measure to curtail criminal effects, as it ensures awareness and allows potential victims to take mitigating actions before their security is breached.
Over the past 4 years, the Central Bank of Eswatini has put in place considerable cyber security measures, such as recruiting cyber security professionals to implement more stringent policies and procedural measures, implementing software to identify, detect and counter cyber-attacks, upgrading core systems that had weaknesses exploited in the 2013 fraud, and continuously driving cyber security awareness among CBE staff. All of this reflects continuing efforts by the CBE Board, management and staff to safeguard the Bank’s information assets as it continues to fulfil its national mandate.
The effects of cyber-attacks can be devastating for any country’s financial ecosystem. Institutions suffer in many ways when they fall victim to cyberattacks, one of which is dealing with the financial repercussions. In most instances it requires institutions to spend even more on installing preventative measures. It should be obvious that it is a priority for companies to learn how to put security measures in place. It is important to note that decisions to invest in situations of cyber breaches require courageous leadership, as such decisions will not be taken without some level of strong criticism from various stakeholders. The Central Bank, being the regulator, ought to set a good example in such issues as it attempts to ensure financial stability in the Kingdom of Eswatini. As such, any such criticism is taken positively, as it encourages the Bank to continuously assess the business case or value proposition for continuous investment in strengthening our environment for resilience against cyber-attacks.
The purpose of this article is not only to inform the public about cybercrime, but mainly to appeal to all banks, non-banks and all other actors in the financial sector to invest in cyber-resilience measures, with the overall aim of protecting the Eswatini Financial Sector for continued stability.