Cyberspace has redefined how people, businesses and the global economy operate. However, the emergence of the digital economy has also resulted in the proliferation of cybercrime – a scourge affecting the financial industry globally.
Cybercrime has long posed a significant risk for financial stability in African countries given limited capacity and attention to managing cyber risk. The ongoing coronavirus pandemic exacerbates existing challenges.
Cybercrime is an umbrella term that includes any illegal behaviour facilitated through electronic means. This behaviour is directed at disrupting the security of computer systems and their data through hacking, data leaks, online scams, software piracy, mobile money fraud and cyberterrorism. Some 556 million online users fall prey to cybercrime each year, Microsoft estimated in 2016. This means that every second, cybercrime nets 12 victims. McKinsey reports that global returns on tangible equity declined from 20% in 2013 to 14.1% in 2018 largely due to digital disruption caused by cybercrime.
Financial cost of cybercrime
The impact of cybercrime on economies is significant. SciDev.Net indicates that the world economy loses US$500 billion every year to cybercrime, a staggering amount that is higher than South Africa’s total annual gross domestic product and comparable to the US$521.8 billion GDP of Nigeria. A study by the Internation al Data Group Connect found that cybercrime cost the South African economy approximately US$573 million in 2013, it cost the Nigerian economy US$500 million and the Kenyan economy an estimated US$36 million in the same year. In 2018, the South African Banking Risk Information Centre (a non-profit company formed by the four major banks to combat organised bank-related crimes) reported that cybercrime in the financial sector accounted for losses amounting to R2.2 billion (US$115.5 million) in South Africa every year.
It is important for financial market infrastructure to be safe and operate efficiently to maintain and promote financial stability and economic growth. The operational and cyber resilience of financial institutions specifically are central to financial systems and their operational failure can negatively impact financial stability. Cyberattacks on critical financial market infrastructure and institutions could result in a disruption in the provision of financial services. Cybercrime and insufficient cybersecurity therefore pose significant financial stability risks.
The G20 Finance Ministers and Central Bank Governors recognised this threat as early as 2017 when they mandated the Financial Stability Board (FSB) to perform an assessment of regulations and supervisory practices relating to cyber-resilience in G20 countries and identify international best practices. After publishing guide notes on enhancing common understanding of cyber risk and notes on a common language, the FSB is currently developing effective practices for cyber incident response and recovery with the objective of identifying a set of tools that the private sector and supervisory authorities can use in designing incident response and recovery policies.
Enter COVID-19
The spread of COVID-19 has sent a shockwave through the financial sectors of the world and poses substantial cyber risks for strategic sectors of the economy. The discontinuity of work and lockdowns in several countries have led to increased online activity as many people have had to resort to working from home.
Remote accessing of organisational software and databases, which are not secured by end-to-end encryption provided by dedicated servers, make online systems particularly vulnerable to cyber risks and cybercrime. Africa is particularly vulnerable.
The continent has been experiencing exponential growth, which has led to rising middle class incomes amid a technological boom. Mobile smartphones, which have dropped substantially in price over the last decade, mean more Africans are accessing the internet more often.
It is estimated that sub-Saharan Africa’s 311 million mobile users in 2013 will increase to 504 million in 2020, representing a penetration rate of 49% of the population. This has a downside: Africa’s rising internet connectivity and rapid growth of mobile banking solutions have led to an increase of pirated software among users as the original software is often too costly. And wherever pirated software goes, cybercriminals are sure to follow. This has resulted in the continent harbouring a proverbial nest of cybercriminals.
The United Nations Conference on Trade and Development (UNCTAD) has warned that developing countries are increasingly being targeted by cybercriminals due to the lack of enforcement of relevant legislation.
Algeria, Egypt, South Africa and Kenya are experiencing the highest numbers of cyber attacks on the continent. A 2011 study by Deloitte showed that financial institutions in Kenya, Rwanda, Uganda, Tanzania and Zambia had sustained losses of US$245 million due to cyber-fraud.
Banks are prone to cyber risks because they process confidential data of consumers. In ensuring continuity of financial services during the COVID-19 pandemic, banks have now opted to shift to digital channels and/or electronic platforms to reduce in-bank services, further exposing the financial sector to cyber risks.
According to McKinsey, two challenges have arisen from the pandemic: how to increase the security of working at-home tools and processes; and how to secure ‘confidentiality, integrity and availability of consumer-facing network traffic’. In terms of the latter, organisations have made extraordinary efforts to safely serve customers using online services and workers using work-from-home technologies during the COVID19 pandemic, which has led to increased exposure to cyber threats.
Against this backdrop it is absolutely essential that banks in Africa pay more attention to adequately identifying and managing cyber risks that could negatively affect their functions, especially as cybercriminals thrive on organisations which fail to implement effective cyber controls .
Financial institutions are central to financial systems; therefore, their operational failure can negatively impact financial stability. Banks nonetheless generally still lack cyber strategies that clearly define tolerance and appetite levels for cyber risk which have been approved and adequately challenged at the highest level of the organisation. This is a critical gap.
By enhancing cyber reliance safeguards, cyber breaches could be kept at bay. This would ensure continued protection of information and data, thereby enhancing the integrity and availability of critical assets and services to the financial system. For African countries with limited cyber risk controls, cyber strategies and frameworks to comprehensively map and actively manage their IT system architecture are critical in mitigating cybercrime.
Cyber risk concerns should occupy the minds of the financial sector and regulators in the region as they work towards enhancing and maintaining financial stability in the midst of the COVID-19 pandemic.