According to New Telegraph, the Central Bank of Nigeria (CBN) has made conscious efforts to draft a cyber-security framework, in its bid to step up its fight against cybercrime in Nigeria.
The Lagos-based newspaper said that if available data is anything to go by, cybercrime is clearly on the rise around the globe. For instance, a 2017 International Data Corporation (IDC) report showed that up to 62 per cent of firms are attacked weekly, resulting in huge financial losses.
Also, in its 2017 Africa Cyber Security Report, cyber security firm Serianu Limited disclosed that five African countries – Nigeria, Tanzania, Ghana, Kenya and Uganda – together lost $3.5 billion to cyber crooks last year.
The firm said: “Further analysis of cybercrime for the countries: Nigeria, Kenya, Ghana, Uganda and Tanzania was estimated at $3.5 billion a year, which includes direct damage and loss, post-attack disruption to the normal course of business and reputational loss.”
According to the study, banking and financial services were most affected in the five countries with $248 million losses during the period under review. They were followed by the government, which lost $204 million, while e-commerce, mobile-based transactions and telecommunications lost $173 million, $140 million and $119 million respectively.
Similarly, the 2017 Nigeria Cyber Security Report compiled by Serianu Limited and Demadiur Systems Limited indicated that financial losses to cybercrimes in Nigeria increased by 35 per cent between 2016 and 2017. Thus, while the losses stood at N127 billion yearly as at 2016, they had increased to N198.6 billion ($649 million) as at the end of last year.
The report revealed that the banking and telecommunications sectors were the worst hit, with insider threat accounting for the highest loss with 30 per cent ($194 million).
It further showed that attacks on computer systems (unauthorised access and malware) accounted for 20 per cent ($130 million), while social engineering and identity theft, at 15 per cent, amounted to $97 million in losses. Others are email spam and phishing, 12 per cent ($78 million); data exfiltration, with 10 per cent, amounting to $65 million; online fraud scams, eight per cent with $52 million in losses; and ransomware attacks, with five per cent, costing the country $33 million.
In addition, the study noted that over 90 per cent of Nigerian organizations were operating below the security poverty line, thereby significantly exposing themselves to cyber security risks. It pointed out that 81 per cent of cyber security incidents either go unreported or unresolved.
Shedding light on the report, the Chief Executive Officer of Demadiur Systems Limited, Mr. Ikechukwu Nnamani, disclosed that the financial loss would have been higher than the N198.6 billion if many of the individual and corporate victims had agreed to participate in the study.
He stated that the country ranks lowest in terms of cyber security per person, adding that there was a serious dearth of cyber security personnel in the country.
Indeed, experts believe that as malware becomes more advanced with encrypted ransomware, the security breach on organisations would increase, leading to more substantial financial losses for firms and the economy as a whole.
The paper went on to say that it was obviously with this concern in mind that Chief Security Officers (CSOs) of banks in the country, in March last year, called on the CBN to establish an internal framework within the banking system to prevent cybercrime fraudsters from operating bank accounts.
The CSOs, who stated this at the Nigerian Financial Sector Global Cyber Security Conference held in Calabar, urged the apex bank to implement the anti-cybercrime policy in the banking industry as a means of curbing the activities of Internet fraudsters who use the banks to perpetrate their criminal activities.
The Leader of the CSOs told journalists at the event that the expected framework should anchor on the Bank Verification Number (BVN).
“The idea is that when the framework comes out from the CBN, the BVN will become a major tool to fight fraudsters,” he said.
“Our recommendation from this conference is that it should become an instrument to kick fraudsters out of the banking system. So, those who defraud individuals in banks, and other customers of banks; once the investigation fully proves that they are fraudsters, we believe that the other legal consideration will be taken care of by that framework.”
Apart from the CSOs, bank auditors have also expressed concern over rising cyber crime in the country. In May last year, for instance, the Association of Chief Audit Executives of Banks in Nigeria (ACAEBIN), agreed to partner with the CBN to tackle the issue and improve digital banking.
Speaking during a visit by members of the association to the CBN Director, Banking and Payment Systems, stressed the urgent need for the CBN and the association to collaborate and tackle cybercrime in the interest of the banking industry.
Apex bank to collaborate with CIBN
Significantly also, the CBN’s Deputy Governor, Financial System Stability, Dr. Okwu Joseph Nnanna, recently revealed that the regulator was worried about rising cybercrime in the banking industry. Nnanna, who stated this during the investiture/swearing-in ceremony of the Chartered Institute of Bankers of Nigeria’s (CIBN) new President, Dr. Uche Olowu, in Lagos, revealed that the banking watchdog was planning to collaborate with the CIBN towards finding a solution to the problem.
He stated that Nigeria was currently grappling with cybercrime more than ever before, stressing that partnership with the CIBN was needed to tackle the menace.
It was thus against this backdrop that the CBN on June 27, unveiled the exposure draft of the risk-based cyber-security framework and guidelines for Deposit Money Banks (DMBs) and Payment Service Providers (PSP).
The framework, which was posted on the CBN’s website, according to the banking watchdog, is: “designed to provide guidance for DMBs and PSPs in the implementation of their cybersecurity programmes towards enhancing their resilience.”
It stated that DMBs and PSPs should submit their comments/inputs on the framework on or before July 31, 2018, adding that these institutions should, however, note that for a cybersecurity programme to be successful: “it must be fully integrated into their business goals and objectives, and must be an integral part of the overall risk management processes.”
The framework comprises six parts: cybersecurity governance and oversight; cybersecurity risk management system; cyber resilience assessment; cybersecurity operational resilience; cyber-threat intelligence; and metrics, monitoring and reporting.
Specifically, the document stated: “The responsibility for the provision of oversight, leadership and resources to ensure that cybersecurity governance becomes an integral part of corporate governance rests with the Board of Directors of the DMB/PSP. In this regard, the Board shall ensure that cybersecurity is completely integrated with business functions and, well managed across the DMB/PSP.”
It further proposed: “the Board shall ensure that cybersecurity governance not only aligns with corporate and Information Technology (IT) governance, but is cyber-threat intelligence driven, proactive, resilient and communicated to all internal and external stakeholders.”
Where do Mobile Money Operators and PTSPs come in?
In addition, a few days after releasing this exposure draft framework, the CBN, through a circular, directed Mobile Money Operators (MMOs) and other electronic payment service providers to comply with the collection and remittance of levy for the national cybersecurity fund.
Director, Banking and Payments System Department at the CBN, Dipo Fatokun, who signed the circular, directed that the MMOs and payment service providers should comply with the statutory provision for collection and remittance of the 0.005 per cent levy on all transactions by businesses specified in the second schedule of the Act.
He said the 0.005 per cent levy was service charge exclusive of other taxes from all electronic financial transactions occurring in a bank, a mobile money scheme or other payment platforms.
Fatokun also stated that the directive applied to all electronic transactions, including financial transactions occurring in a bank or on mobile money schemes and other payment platforms that had accompanying service charge, adding that the effective date for collection was July 1.
“Operators shall remit the levy on a monthly basis using the effective date of commencement of business as the base month.
“For this purpose, fifth business day of every subsequent month shall be the latest date for remittance,” Fatokun said.
However, while industry stakeholders have generally welcomed the CBN’s release of the exposure draft on risk-based cyber-security framework, the consensus in financial circles, last weekend, was that this was just a first step in addressing the menace of cybercrime and that Nigerian banks still have to do a lot of work in terms of securing their processes to deter cybercriminals.
As the head of the IT department of a Tier 1 bank, who did not want to be named, stated: “Cybercrime is a global problem that all countries are still grappling with. Given that the Internet has made the world a global village, we will also continue to face this challenge.”