Under the aegis of the Financial Inclusion Global Initiative (FIGI), the World Bank and SecAlliance have jointly published a paper which provides an intelligence-led analysis of the current threat landscape for the financial services sector across Africa and an assessment on future trends. It concludes with recommendations for financial authorities (including central banks) and governments.
African financial services institutions (FSIs) currently face a significant threat from organised criminal groups (OCGs) and financially motivated nation-states conducting high-value thefts in ‘heist’-style operations. These operations build on previous successes against similar systems in the now more cyber mature developed world and focus on exploiting generally inadequate cyber security controls to manipulate the integrity of payment processing mechanisms and internal security controls. Malicious insiders have also shown intent and capability to leverage privileged knowledge and system access and steal from their employer.
Ransomware also presents a prominent and growing threat, given its detrimental impact on the availability and confidentiality of critical systems and data. A growing number of OCGs and individual hackers are showing both intent and capability to direct this activity against African FSIs, with the majority of these attacks opportunistically taking advantage of security issues and infrastructure vulnerabilities.
Furthermore, African FSIs are also impacted heavily by the large volume of low-sophistication scams, thefts and fraudulent activity directed against their customers. Such scams impacting victims abroad may also deter foreign investment, to the detriment of Africa’s long-term economic potential. Such scams generally originate from domestic, grassroots actors, likely compounded by socioeconomic factors like unemployment and economic inequality.
Next to that, African FSIs are currently experiencing high levels of espionage and data theft from nation-states, OCGs, insiders and individual hackers – although these types of attack have less immediately tangible impacts than direct theft or extortion attempts, they can cause future issues such as loss of competitive advantage or loss of customer trust. African FSIs also face a small but growing risk of supply chain compromise from the increasing use of third-party entities within financial services infrastructure, expanding the general attack surface.
Looking forward, the following emerging trends can be identified:
Large-scale, rapid digitalisation of financial products provides new avenues of opportunity for threat actors. Greater levels of digitally enabled financial inclusion, coupled with customers unfamiliar with those products and services, open up new targets for scammers. Digitalisation also comes with an expanded supply chain, which will provide threat actors with new access vectors.
Short-term economic challenges will increase the attractiveness of cybercrime for the young and unemployed. However, sporadic introduction and lax enforcement of cyber security regulations will not deter domestic cyber activity in the short-to-medium-term. On top of that, increased security in the developed world will increase Africa’s attractiveness to an array of threat actors.
Finally, it is to be expected that Africa’s increasing geopolitical relevance will incite more targeting from nation-state threat actors.
The challenge of coping with the serious cyber threats Africa’s financial sector is facing – and with it society in general – is not only with Africa’s banks, payment service providers and financial infrastructures. Financial authorities (including central banks) and governments can help address these challenges by focussing on improving the cyber resilience of both individual financial entities and the financial sector as a collective, on strengthening the cyber resilience and supervisory capacity of central banks and financial authorities and ultimately on bolstering the cyber resilience of African society at large. Central banks and financial authorities should also actively seek to cooperate with their peers in neighbouring countries.
With regards to improving the cyber resilience of individual financial entities and of the financial sector as a collective, authorities are recommended to publish more specific operational guidelines and cyber resilience expectations to help financial entities and their relevant authorities to implement respectively assess the appropriate cyber resilience measures. Next to that, it is recommended that the responsible authorities invite systemically important financial entities to engage in threat-led penetration testing (TLPT) and team up in a cyber information and intelligence sharing initiative (CIISI). The wheel does not need to be invented again, as for these three recommendations practical examples are available which have been published or implemented by other international authorities. (1) The responsibility of being cyber resilient and having enough cyber capabilities is not only with the private sector: central banks and other financial authorities also have to play their part. Therefore, central banks and other financial authorities must comply with their own guidelines and expectations, especially as most central banks are also RTGS payment system operators and thus engage in activities covered by these guidelines and expectations. Furthermore, it will greatly contribute to the cyber capabilities and cyber resilience of the central bank if the senior managers of the supervision, oversight, payment systems, and information systems departments engage in structured internal dialogue, in order to learn from each other and contribute to each other’s policy and operational objectives.
Some of the cyber threats faced by Africa’s financial sector can only be addressed by government action. On the preventive side, central banks are recommended to call for – and contribute to - more focused action by government on improving financial and digital literacy among its citizens and consider expanding the availability of basic cyber security studies to provide for a future career path for unemployed youth. Next to that, the establishment of a national cyber security centre (NCSC) to assist the government and vital industry sectors with cyber advice and CERT (Computer Emergency Response Team) services will greatly contribute to a higher level of cyber resilience within a country’s vital governmental and commercial sectors. Given their crucial institutional role in society, central banks could – and should - play a facilitating role in the establishment of such NCSCs. Unfortunately, cyber threats are here to stay and cyber attacks will continue to happen. An efficient and credible judicial system is needed to prevent cyber-crimes to happen and – if they happen - to follow-up with effective law enforcement actions. Central banks and other financial authorities should urge governments to improve the cyber capabilities of the judicial system (police, prosecutor offices, courts) and should stand ready to make available specific financial or cyber expertise if required.
Finally, cyber risks transcend geographical borders. Therefore, it is recommended that central banks and financial authorities reach out to their peers in neighbouring countries to coordinate follow-up actions regarding the recommendations above and establish and cooperate in joint initiatives where appropriate.
(1) Threat-Led Penetration Testing is also advocated for by the G7: a good practical example is TIBER-EU, the threat-led penetration testing framework developed by the European Central Bank and currently applied in 13 EU countries. The TIBER-EU framework is jurisdiction and sector agnostic and free to be used. Next to that, reference is made to the CIISI-EU initiative, which has been developed under the aegis of the Euro Cyber Resilience Board (ECRB) and the European Central Bank. The CIISI-EU blueprint is sector and jurisdiction agnostic, is free to be used and is currently (being) implemented in several countries and regions, within and outside Europe.
SecAlliance delivers cyber threat intelligence services to banks, central banks, financial market infrastructures, governmental and EU agencies, international organisations, and critical national infrastructure operators (telco, power grid, transport). We help these organisations and their ecosystems to strengthen their cyber resilience and make the right decisions.
We create awareness by delivering threat intelligence assessments, training and advisory. We facilitate collaboration by supporting the establishment and operation of threat intelligence sharing communities.
With our over 35 cyber threat intelligence professionals, we are driven by a commitment to quality and doing the right thing; firmly based in Europe (London and The Hague) but with global reach and presence.