At the start of the session, the moderator Silvia BAUR-YAZBECK requested the audience to select cyber security concerns out of a list of six: 1) An employee gains unauthorised access to customer account data; 2) A criminal tricks a customer into revealing sensitive information via a phone call; 3) A customer opens a document of a phishing email and gets his device infected with malware; 4) A credit officer shares sensitive customer information with a third party; 5) A provider’s mobile banking system is down due to a technical glitch; and 6) A provider’s mobile banking system is down due to a cyber-attack. Although 55% of the audience voted for the last option, Baur-Yazbeck explained that all six are cyber security risks and all are occurring.
She added that financial service providers (FSPs) working on financial inclusion, have the responsibility to keep customers safe, to protect consumer data and to ensure that systems work. Baur-Yazbeck explained that cyber security is a bigger problem than we think, MFIs are not too small to be a target and that it is not all about technology. She then invited the panel members to share their own experiences.
Jean-Louis PERRIER, from Suricate Solutions, shared some of his experiences in West Africa. He illustrated that threats increase by 20% each year. Financial institutions are a target for criminal international networks to get cash. Compared to banks, MFIs often have weaker protection making them easier to access by hackers.
Paul MAKIN, an independent consultant, stated that financial services in North America and Europe are generally well protected. However, he added that mobile and digital financial services are vulnerable as this technology is not well-understood by the financial sector. At the same time, there is a growing reliance on mobile networks.
The moderator asked Komitas STEPANYAN to share his perspective from the Central Bank of Armenia. He explained that there is a capacity gap for both policy makers and supervisors. Policy makers have no advanced knowledge of technology and what the effect is on customers. At the same time, good supervision is crucial to reach positive results with policy. Security needs to be examined both on and off-site. Stepanyan concluded that many small digital financial service providers take too many risks as they’re keen to earn more money.
Perrier added that in general, consumers are protected from cyber security risks. However, if institutions like MFIs are attacked and lose money, or if their services are disrupted, it is difficult for them to recover. Makin concluded that no institution is too small to be a target.
Makin therefore presented a model of generalised risk, including risks such as reputational, operational, technology and strategy risks. He demonstrated how these are all interrelated and how all are underpinned by cyber security. Makin urged that all FSPs need to set up a framework of cyber control before they launch to limit cyber risks, including small MFIs. They should make it more difficult for hackers to get in, assuming no element can be trusted, both internally and externally. FSPs should not rely on anyone else to provide security.
Cyber security starts with technology, which needs to be well understood and secure. However, processes, people and a national framework are just as important. All elements need to work together. Stepanyan concurred, adding that proper cyber security hygiene by focusing on control points can shut down 80% of all attacks. Although Perrier supported this view, he also warned that hackers are well-organised. If they wish, they can get in anywhere. He stressed that security supervision was key to at least detect incidents and limit their impact.
Stepanyan presented a regulatory perspective on cyber security challenges and solutions. He shared a model showing that cyber security needs to include confidentiality, integrity and availability. These elements are embodied by people, process and technology, all needing to work together. He warned against trying to achieve complete security as preventive controls are never 100% effective in blocking all attacks. The key is to timely detect intrusions and problems. Some of regulators’ and supervisors’ greatest challenges are to understand what cyber risk means, have the ability to challenge supervised institutions, assess their defence functions, know the risk profile of institutions and understand the bank’s dependencies.
The moderator questioned whether regulators should place liability on financial service providers. Stepanyan countered that even if the liability is elsewhere, a central bank is still responsible for the financial stability of a country.
Perrier concluded the session by presenting Suricate Solutions’ cyber security resource centers in Sub-Saharan Africa to identify, protect, detect, respond and recover cyber risks. He presented the cyber security situation in Africa, where cyber-attacks increase and target FSPs, awareness from ecosystem is low, skills are limited and turnover is high, and where there is a lack of financial resources.
Perrier explained that Suricate Solutions aims to provide users and institutions in developing countries with the same level of protection of financial and information assets as in more advanced countries. The organisation focuses on security supervision and aims to adapt international best practices to the context and resources in Africa. It has set up a central coordination organisation, the CyberSecurity Resource centre. This centre oversees (sub-)regional incident response teams and operation teams. The project is a breakthrough for financial inclusion, building and mobilising a comprehensive, inclusive and sustainable cyber security ecosystem in 3-5 years. The resource centre will reach 8 countries, 47 MFIs and 1.2 million end customers by the end of 2019. One of the key lessons learned so far has been that capacity building is key to ensure protection from cyber-attacks. Perrier finished by demonstrating how their efforts in Sub-Saharan Africa contribute to the UN’s Sustainable Development Goals (SDGs), such as quality of education (SDG 4), gender equality (SDG 5), and peace, justice and strong institutions (SDG 16).
The moderator opened the floor for questions from the audience. One participant was curious to know whether financial service providers were aware of the exact costs of cyber security. He commented that digital financial services are commonly presented as cheaper solutions but may not take full costs of cyber security into account. Perrier agreed that these costs are often underestimated. Makin added that good platforms are indeed expensive, and that MFIs need to determine what risks they are willing to take and how much their security is worth. Stepanyan added that as a central bank, he does not see cyber security as a luxury, because they cannot do without.
Several audience members were keen to learn from real-life examples of cyber security issues in MFIs, and how likely it would be for MFIs to shut down because of cyber-attacks. Although the panel could share some examples from their own experience, they explained how many MFIs do not share these problems as they are afraid of harming their reputation. Baur-Yazbeck confirmed that very little reporting is done on cyber-attacks. She reiterated that cyber-security is a much bigger problem than we think. Perrier added that MFIs are particularly vulnerable to such attacks, and that preventing and particularly detecting cyber-attacks is crucial. Makin concluded that every FSP needs to take steps for cyber security.