
Systemic plan crucial to dealing with cyber risks


Kenya’s rising reliance on the Internet as a platform for its financial services delivery and transaction is reminiscent of what has taken place in other parts of the world.

Banks, insurance companies and SACCOs are now moving towards offering their services using self-service internet portals as the population increasingly adopts internet and mobile usage.

At the heart of the evolution, however, is the fact that all these financial sector players have to be connected to provide better services to the public, raising the specter of systemic risk. Systemic risk is defined by the US Agency for International Development (USAID) as one that ‘could cause collapse of, or significant damage to, the financial system or a risk which results in adverse public perception, possibly leading to lack of confidence and worst case scenario, a "run" on the system’.

Globally, financial sector regulators are already discussing the risks associated with this level of interconnectivity. The European Systemic Risk Board (ESRB), for instance, already realised last year that this interconnectedness of the various systems raises a major risk element for the entire financial system.

According to the ESRB, the interconnectedness of the various information systems drives the rapid and wide spread of cyber incidents, as has been shown by recent incidents. They can spread widely across sectors and beyond geographical borders, including to entities which are not the primary target or source of disruption.

Malicious cyber incidents are becoming more persistent and prevalent, illustrating the high level of sophistication and coordination that threat actors are able to achieve.

Chiming into the conversation, Britain’s Financial Stability Board (FSB) last year cautioned that cyber incidents pose a threat to the stability of the global financial system and that with the world increasingly becoming reliant on digital financial services, the number of cyberattacks has tripled over the last decade, with financial services being the most targeted sector.

In their recent report titled International Strategy to Better Protect the Financial System Against Cyber Threats, Tim Maurer and Arthur Nelson warn that one thing is clear: it is not a question of if a major incident will happen, but when.

The IMF is also watching events unfolding closely and analysts at the global institution have sounded the alarm. In the article Cyber Risk is the New Threat to Financial Stability, Jennifer Elliott and Nigel Jenkinson state that with its strong financial and technological interconnections, a successful attack on a major financial institution, or on a core system or service used by many, could quickly spread through the entire financial system causing widespread disruption and loss of confidence.

Transactions could fail as liquidity is trapped, and households and companies could lose access to deposits and payments. Under extreme scenarios, investors and depositors may demand their funds or try to cancel their accounts or other services and products they regularly use.

Regulators around the world are weighing how to police the systemic risks across finance and technology. The Bank of England, for instance, was recently reported as saying that it is working with the UK Treasury and the Financial Conduct Authority on how to tackle these risks.

Cyber risk has become a key issue for stakeholders in the financial system. But its properties are still not precisely characterised and well understood. Yet, safety of funds is a cross-cutting issue for all financial service providers, including insurance, investments and banking.

While it is a central responsibility of financial services regulators to ensure the members’ funds are protected, the continual increase in cybercriminal attacks has given rise to a new interest in new ways of regulation.

Hacking tools are now cheaper, simpler and more powerful, allowing lower-skilled hackers to do more damage at a fraction of the previous cost. The expansion of mobile-based services (the only technological platform available for many people) increases the opportunities for hackers.

Attackers target large and small institutions, rich and poor countries, and operate without borders. Fighting cybercrime and reducing risk must therefore be a shared undertaking across and inside countries.

The key question that regulators are asking themselves is: how can we monitor organizations in real time and avoid the pitfalls of historic reporting? Are there tools to do so? The answer is yes.

The good news is that closer home in Kenya and generally across the African continent, similar discussions have been going on. The upshot of these deliberations among various regulators and cyber security industry players is that we have reached a point where there is a need to establish a system-wide mechanism for monitoring the financial sector players’ activity in real time.

The good news is that the technology exists and the engineers to set up the systems and do the work are available. But for this to work, it requires a collaborative effort. This means a collated effort by both the regulatory agencies and other sector players.

As the Central Bank of Kenya notes in its draft Kenya National Payments System Vision and Strategy 2021-2025, the regulator “will evaluate and require industry participants to adopt the latest and relevant global security standards.

This includes the Principles for Financial Market Infrastructure (PFMI) that are issued by the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI), COBIT-5 governance and management of IT frameworks and other guidance on cyber resilience for financial market infrastructures”.