Dissecting the Central Bank of Nigeria Risk-Based Cybersecurity Frameworks and Guidelines for Deposit Money Banks and Payment Service Providers.
According to publicly available data, millions of dollars are lost to cybersecurity threats annually. However, official fraud reports from the Nigerian Inter-Banks Settlement Systems Plc (NIBSS) shows a much lower figure due to the attitude of industry players towards reporting cybersecurity threats.
The NIBSS report as at January 2019, reveals that a total of N46, 000, 000.00 (Forty-six Million Naira) was lost to cyberattacks in 2018. This figure appears to be very low in comparison with the data presented by a spectrum of cybersecurity expert data on the volume of losses due to cyber-attacks.
The Cybercrimes (Prohibition, Prevention etc.) Act of 2015 ("Cybercrimes Act"), which ushered in a regime that criminalized certain acts, which have continued to threaten the security of the cyberspace was however not targeted at defining safety measures. It has neither tackled the problems associated with preventing the occurrence of cyber-attacks nor has it changed the attitude of financial services industry players and other cybersecurity stakeholders towards reporting cybersecurity risks.
In response to the problems identified above, the CBN Central Bank of Nigeria (CBN), pursuant to its regulatory powers under its establishing Act, (the CBN Act) and the Banks and Other Financial Institutions Act (BOFIA), issued the Risk-Based Cybersecurity Frameworks and Guidelines for Deposit Money Banks (DMBs) and Payment Service Providers (PSPs) (the "Guideline"), which became effective on 1 January 2019.
The issuance of the Guideline gave effect to Part 7.5 of the National Cybersecurity Policy, which designates the financial services sector as a National Critical Information Infrastructure (NCII).
This article is therefore aimed at providing a detailed analysis of the provisions of the Guidelines and its possible effect on the Nigerian FinTech sector.
Without adequate information and cyber intelligence on contemporary threats and vectors, it becomes extremely difficult to understand the full-scale of the problem or combat the challenges of cybersecurity in the nation.
In readiness for the challenges ahead for this year, the CBN has put adequate frameworks in place to ensure that the nation's cybersecurity does not suffer for want of intelligence or awareness.
While it may be extremely difficult for businesses to sing the praises of regulators, especially because of the cost implication of executing certain regulations, in a survey conducted by Thales' Data Threat Report 2018,1 64% of respondents around the world are of the view that regulatory compliance is an effective way of keeping data secure. The issuance of the framework is therefore timely and looks promising towards the betterment of the Fintech space going forward.
The CBN Cybersecurity Guideline is divided into five main parts covering: Cybersecurity Governance and Oversight, Cybersecurity Risk Management System, Cybersecurity Operational Resilience, Metrics, Monitoring & Reporting and Compliance with Statutory and Regulatory Requirements. Each part will therefore be discussed below.
Cybersecurity Governance and Oversight
The first part of the framework makes it a duty on the Board of Directors to set the agenda and boundaries for cybersecurity management and controls through defining, directing and supporting the security efforts of the DMBs/PSPs. Accordingly, Cybersecurity governance and oversight functions have been elevated to the Board and senior management level of DMBs/PSPs and is no longer the IT department of respective institutions. This underscores the seriousness the CBN intends to place on the issue of Cybersecurity in the industry.
Additionally, the framework provides that DMBs/PSPs shall appoint a Chief Information Security Officer (CISO) who shall be responsible for overseeing and implementing the cybersecurity programme and policy of respective institution.
Whilst this present job opportunities for qualified Information Security experts, it may also expose the banks to certain risks associated with insider threats. In ensuring that this situation remains malleable, the CBN insists that a person to be appointed as a CISO of a DMB shall meet the educational and experience requirements of Assistant General Managers as provided in the Fit and Proper (Approved Persons) Framework2 while that of a PSP must the criteria to be appointed as a senior manager. This approach to the appointment of CISOs will therefore help to reduce the possibility of insider threats and ensure that only experts are engaged to carry out cybersecurity obligations of relevant Fintech organisation.
Cybersecurity Risk Management System
According to the Guideline, effective risk management serves to reduce the incidence of significant adverse impact on an organization by addressing threats, mitigating exposure, and reducing vulnerability. As such, the Guideline directs DMBs/PSPs to incorporate cyber-risk management with their institution-wide risk management framework and governance requirements, and to ensure consistent management of risk across the institution.
Report3 has it that it takes organizations an average of 197 days to become aware of data breaches and an average of 69 days to contain it. One of the major setbacks in the battle to ensure a secure environment for Fintech in Nigeria has been the attitude of Fintech stakeholders or organisations towards vulnerabilities and risks management. Out of the very few companies that carry out relevant cyber risk assessments or audits on their networks and servers, only a small fraction actually take steps to fix identified cracks or vulnerabilities in their system.
According to Serianu report, over 81% of discovered cyber security incidents in Nigeria are left unresolved, leaving room for the proliferation of cybercrime activities. As a result of this, the framework did not only mandate concerned organisations to develop cyber risk-management programs but insists that such organization shall take necessary steps to develop a detailed roadmap to promptly address identified gaps4 and submit the report of the same to the Director, Banking Supervision Department of the CBN, before 31st March, every year5.
Whilst this remains a plausible move towards ensuring that Fintech organisations take active steps to not only discover vulnerabilities, but ensure that such vulnerabilities are appropriately fixed, there is still the need to find a means of compelling these organisations to disclose true and accurate information.
Cybersecurity Operational Resilience
Knowledge they say is power, and to overcome any challenge, it is important to first understand the nature and extent of that challenge. The same rule applies to building the required doggedness to survive cybersecurity challenges. Fintech organisations must be aware of and understand the intricacies of cybersecurity in the Fintech industry. The interconnectedness of Fintech organisations for effective service delivery can sometimes increase the risk of contagion; this risk is associated with compatibility issues that may arise from the interface between legacy and modern computer systems or software. Additionally, where one entity is the subject of a cyber-attack, it may expose interconnected systems to vulnerability. According to the report of Accenture,6 79% of business leaders are of the opinion that new business models introduce technology vulnerabilities faster than they can be secured.
It is therefore, necessary that companies and indeed Fintech organisations understand, and are careful of the kind of relationships they establish with their service providers and every other player in the Finech ecosystem and to ensure that strict security protocols are adhered to, in order to prevent any form of associated vulnerability or risk. To this end, the Guideline provides that Fintech organisations shall endeavor to be acquainted with its business environment and critical assets and shall devise mechanisms to maintain an up-to-date inventory of authorized software, hardware (workstation, servers, network devices etc.), other network devices, and internal and external network connections.
The Guideline further requires Fintech organisations to possess Cyber-threat intelligence for the prompt identification of vulnerabilities and emerging threats, cyber-attacks, attack vector, mechanisms and indicators of attack/compromise. Consequently, FinTech organisations must establish a Cyber-Threat Intelligence (CTI) programme to proactively identify, detect and mitigate potential cyber-threats and risks, as well as develop relevant CTI policies for the implementation of its CTI programmes.
It is suggested that aside from establishing CTI programs internally, FinTech organisations in collaboration with Nigeria Electronic Fraud Forum (NeFF) should work towards establishing a Sheltered Harbour7 style forum, to provide an additional layer of protection on top of the existing defences that many financial firms currently have or are in the process of implementing. NeFF should create a backup to assist the industry's capabilities to securely store and restore account data, should the need arise.
Metrics, Monitoring & Reporting
Navigating compliance waters in Nigeria may be somewhat complex, this may be due to the sectorial approach that the Nigerian regulators take in regulating the FinTech industry. As such, a plethora of regulations have been issued with the aim of demanding for one form of compliance or the other. In simplifying the compliance needs of FinTech organisations, the Guideline, in paragraph 5 provides that FinTech organisations shall put metrics and monitoring processes in place to ensure compliance and provide feedback on the effectiveness of controls and the basis of appropriate management decisions. The guideline expressly encourages the use of tools which in my view includes regulatory technologies ("RegTech")8 in ensuring that compliance requirements are made simple9.
Furthermore, FinTech organisations are required to report all cyber incidents, whether successful or unsuccessful, not later than twenty-four (24) hours after the incident is detected to the Director of Banking Supervision, CBN in the format provided by the Guideline.
Compliance with Statutory and Regulatory Requirements
The concluding part of the Guideline mandates the Board and Senior Management of FinTech organisations to ensure compliance with all relevant statutes and regulations such as the Nigerian Cybercrimes (Prohibition, Prevention etc.) Act, 2015 and all CBN directives to avoid breaches of legal, statutory, regulatory obligations related to cybersecurity and of any security requirements.
The framework provides the template for filing of the following reports:
- Risk-based Cybersecurity Self-Assessment Reporting
- Cyber-Threat Intelligence Report
- Security Incident Reporting
The issuance of the Cybersecurity Guideline by the CBN is, no doubt, plausible. Not only will it facilitate the security of the FinTech industry, it will also increase investors' confidence. FinTech industry around the world and indeed in Nigeria experienced tremendous investments in 2018, raking-in about US$111.8 Billion in global funding10. If Nigeria is to continue benefiting from the pool of investment available to the FinTech industry, it must be able to guarantee the security of invested funds. The issuance of the Cybersecurity Guideline is therefore a step taking in the right direction.
Although it may be impossible to totally get rid of all forms of attacks or risks associated with the use of technologies in the financial services industry, the issuance of the Cybersecurity Guideline will help FinTech organisations to take precautionary steps in securing its infrastructure as well as gather sufficient intelligence towards understanding its cybersecurity challenge.
1 Thales' Data Report 2018, reported at https://brica.de/alerts/alert/public/123263/top-cybersecurity-facts-figures-and-statistics-for-2018 last assessed 16th January, 2019
2 CBN Revised Assessment Criteria For Approved Persons' Regime For Financial Institutions can be found at https://www.cbn.gov.ng/out/2015/fprd/revised%20fit%20and%20proper%20-%20combined-final%20oct%202015.pdf
3 Study of the Cost of Data Breach conducted by Ponemon Institute on behalf of IBM available at https://newsroom.ibm.com/2018-07-11-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses
4 Paras 3.9.2 of the CBN Cybersecurity guideline
5 Paras 3.9.2 of the CBN Cybersecurity guideline
6 Accenture Security, Ninth Annual Cost of Cybercrime Study, 2019 available at https://www.accenture.com/_acnmedia/PDF-99/Accenture-Cost-Cyber-Crime-Infographic.pdf#zoom=50
7 Sheltered Harbor's is an industry-wide collaborative effort to help improve cyber resilience across the financial sector. The Non-Governmental Organization is led by the Financial Services Information Sharing and Analysis Centre (FS-ISAC) in the United States of America to protect customers, financial institutions, and public confidence in the financial system if a catastrophic event like a cyber-attack causes an institution's critical systems - including backups - to fail. https://shelteredharbor.org/about
8 According to Deloitte, RegTech is technology that seeks to provide "nimble, configurable, easy to integrate, reliable, secure and cost-effective" regulatory solutions
9 RegTech may be simply described as a Software-as-a-Service (SaaS), that relies on cloud computing technology to deliver ease in regulatory compliance by FinTech organisations.
10 KPMG report available at https://home.kpmg/xx/en/home/media/press-releases/2019/02/global-fintech-investment-hits-record-in-2018.html
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.