How IT-Security affects Africa’s financial system
The trend towards digital financial products combined with digital customer interactions increases the financial sector’s exposure to cyber risks. According to PwC, 46 percent of bank customers worldwide made use of digital interactions in 2017, compared with 27 percent in 2012. Customer interaction with bank branches continued to decline, falling from 15 to 10 percent during the same period.
In various countries in Sub-Saharan Africa, Mobile Network Operators (MNOs), financial institutions, Fintechs and other stakeholders have taken advantage of digital solutions. These solutions have resulted in more customers having mobile bank accounts than an account with a traditional bank. According to the Global Findex, Sub-Saharan Africa is the global leader in mobile money with an average of 21 percent of adults in the region having a mobile money account in 2017, with significant differences between countries such as Kenya (73 percent) and Cote d’Ivoire (34 percent) or Niger (9 percent).
Beyond their use for digital financial services (DFS), mobile phones have become the primary point of access to the internet as well. This proliferation of DFS has, however, resulted in an increase in cybercrime, with some of the most affected populations being in Africa. For instance, 67 percent of South Africans were found to have been victims of online crime, according to the African Union and Symantec.
In addition to the MNOs, the Fintech industry has evolved in the African markets, providing products such as digital credit. Moreover, traditional financial institutions on the continent are also increasingly relying on digital solutions. While these business models hold great promise for customers, the other side of the coin is the growing risk of cybercrime. As a result, many financial institutions are investing in their cyber defences. Cyber security products and services for the financial sector are now a fast-growing market.
To assess the relevance and trends of IT/cyber security aspects for financial systems, it is important to understand the challenges for financial institutions and customers. The same is true for regulators and supervisors developing regulatory frameworks to mitigate cyber risks and strengthen cyber resilience.
For the financial institution, the manipulation of insiders to gain access to employees’ accounts and attacks on bank networks have emerged as the main threats. Small and medium-sized financial institutions, particularly in emerging markets, serve as easy entry points for cyber attackers to the global financial system. Cyber threats to financial institutions increasingly originate from insecure low-cost mobile and Internet of Things (IoT) devices outside their own networks.
For the customer, credit cards and point-of-sale attacks, business email compromises, phishing and mobile malware are among the top challenges. Mobile malware, in particular, occurs more often in developing countries with more than 10 percent of mobile devices infected.
There is also a growing tendency for attackers to adapt their methods in response to new defences. In Africa, the evolution of cybercrime and the proliferation of mobile devices have led to more sophisticated attacks. These attacks happened despite improvements in EU law enforcement cooperation and increased investment by financial institutions in cyber resilience and cyber hygiene products. A further trend is an increase in attacks originating from African countries.
Regional disparities also exist in the regulatory frameworks and in the capabilities of financial institutions to respond to cyber-attacks on their systems and their customers, leading to cross-border challenges. In many countries, law enforcement struggles to keep pace with the fast, flexible adaptations to new defences made by hackers, who are becoming more sophisticated and persistent.
Regulators and supervisors face a number of challenges, including weak cyber defences and poor cyber hygiene as well as limited law enforcement capacity. The reasons behind that are manifold, including a lack of technical specialists, qualified analysts, funding, and cyber hygiene and resilience training for regulators as well as for the private sector. Moreover, procedural hurdles and complex questions with regard to jurisdiction, responsible authorities, and chain of evidence often hinder the development of an enabling, cyber-secure environment. Beyond that, cross-border challenges prevail, such as inconsistent laws governing cybercrime among the different countries, inadequate evidence sharing and the lack of capacity in many countries to investigate cybercrimes.
Protecting financial networks requires not only that financial institutions improve the security of their own systems, but also a change in the security balance of the entire internet environment. This requires new approaches to defence, including developing new authentication and monitoring technologies for bank networks, and supporting the development of security solutions for these new devices outside the banks’ own networks. Improving IT security education and awareness for internet users, and supporting efforts to build law enforcement capacity to combat cybercrime around the world, are also critical.
Finally, discussions around IT and cyber security in the financial sector must go hand in hand with issues around data protection and the responsible use of personal data. Or to put it differently: how can even the best data protection regulation help if the IT systems are insecure? For that reason, it is important to start – or where it has already started, to continue – including IT security aspects when developing regulatory frameworks. Such regulation should require the financial sector to implement adequate IT standards to ensure the secure provision of its products and services, the safe processing of data by its systems and the responsible use of personal data.
About the author
Judith Frickenstein is a senior advisor at GIZ’s Financial Systems Development Sector Programme, where she is in charge of Responsible and Digital Finance with a strong focus on the support of the G20/Global Partnership for Financial Inclusion (GPFI) on behalf of BMZ. Prior to her current position she coordinated the German contribution on agricultural finance within the Pan-African Partnership Making Finance Work for Africa (MFW4A). Judith led the economic empowerment component of GIZ’s gender sector programme, where she advised BMZ as the champion of the World Bank Group’s Gender Action Plan (2007-2010) and consulted economic development programmes in Albania, Egypt, Jordan, Montenegro and Uganda. Before joining GTZ (now GIZ) in 2007, Judith worked for the Retail Development Group in Cologne, Germany, and for the DEVK insurances. She holds a diploma in economics from the University of Cologne and completed a vocational traineeship at the DEVK Insurance Group.