The Lazarus Heist: Key Cybersecurity Considerations for Boards

In 2016, it was reported that a group of unknown individuals compromised the SWIFT system of Bangladesh Bank, the Bangladesh central bank, and initiated transfer instructions of a total value of USD 1 billion, held at the Federal Reserve Bank of New York. The ploy was reportedly carefully planned and was executed between 8:00 pm and 4:00 am on the eve of a weekend, during the non-business hours of the bank.

The destination of the funds was fictitious accounts set up in the Philippines, and the settlement date coincided with a bank holiday in the Philippines. This meant that the hackers had secured themselves ample time, up to 5 days, to execute and complete the breach uninterrupted.

The Federal Reserve Bank of New York processed USD 81 million of the USD 1 billion before the transfers were halted, following a transaction monitoring trigger associated with sanctioned Iranian assets.

The investigation into this breach was reported by the BBC in a series titled “The Lazarus Heist” and has been attributed to the Lazarus Group – a cybercrime network. The Lazarus Heist is not an isolated incident. Cyber-attacks on the financial services ecosystem continue to intensify, almost at the pace of growth and innovation in the industry. The GSMA State of the Industry Report on Mobile Money 2023 indeed notes fraud remains the most imminent threat to the growth of digital financial services, given its potential to erode trust and impede uptake. According to the report, in 2022, the global volume of mobile money transactions stood at USD 1.2 trillion, of which USD 832 billion was attributable to Sub-Saharan Africa and USD 491.8 billion attributable to East Africa.

This article highlights key cybersecurity considerations for boards, as they provide oversight over security strategies to deal with existing and emerging types of fraud.

Key Cybersecurity Considerations

Bank of Uganda (BOU) adopted Cybersecurity Guidelines for institutions licensed under the National Payment Systems Act, 2020. The Guidelines lay out common cybersecurity vulnerabilities and the minimum controls that must be implemented. The vulnerabilities are in four broad categories that include Systems, Processes, Governance, and People and highlight the general cybersecurity risks oversight duty of boards.

The next sections highlight the key considerations for boards across these four categories.

Systems

Boards must identify and prioritize the organization’s most important payment systems. The identification of the organization’s most important assets would enable a board to allocate the appropriate investment required to enhance system resilience in areas where it is most needed, in terms of technology and people. This prioritization also enhances a board’s ability to provide oversight over periodic system resilience assessments and would be an important consideration in the event an organization considers outsourcing certain functionalities to third-party providers. It is imperative to note that even in the event of an outsourcing arrangement, the overall oversight responsibility remains with the board.

Processes

Boards must also ensure the organization has robust assurance functions that provide end-to-end oversight over an organization’s processes. The assurance functions would then be charged with driving a strong culture of compliance and internal controls.

Additionally, it is critical to ensure the organization has adopted sufficient protocols that govern the operations of a payment system. These may include change management procedures, incident management procedures, and transaction monitoring standards among others. This ensures the appropriate layers of protection are put in place across the organization and in the most vulnerable areas. The effectiveness of these protective layers must be reviewed from time to time to ensure they are serving the purpose for which they were instituted.

Governance

Given its increasing criticality, there is a strong case for cybersecurity being on the agenda for board meetings. This would enable a board to consider this risk along with other business risks and ensure the appropriate cybersecurity risk governance frameworks are adopted. A board should adopt a proactive cyber-risk management stance, underpinned by continually reviewing an organization’s cyber risk exposure. Additionally, it is essential to ensure that cyber-event simulations and recovery plans are implemented and tested regularly, in anticipation of an attack. In so doing, a board would be able to make the right strategic decisions in the interest of the organization.

People

The risk of internally perpetrated fraud is always imminent. Boards must therefore drive a strong culture of accountability from the top, as well as conduct and risk awareness across an organization. The appropriate investments in automation of manual processes susceptible to manipulation should be made, to reduce the risk of systems being compromised.

Crucially, a board must ensure the right expertise is brought on board to enable an organization to implement its cyber-risk management strategy. It is imperative to note that talent is scarce and, as such, a board must be prepared to make the right investments in motivating, hiring, and retaining talent.

Conclusion

The cyber-attack threat landscape continues to become more sophisticated with advancements in technology. It is therefore important for boards to proactively craft long-term cybersecurity strategies and oversee their implementation.

Disclaimer: “The views and opinions expressed on the site are personal and do not represent the official position of Stanbic Uganda and Khulani Capital.”
