It took a medium-sized MFI in West Africa more than two months to realise that their cyber security had been compromised by hackers last year. Lacking the necessary detection capabilities, it was only after the organisation received invoices for goods ordered fraudulently that the alarm was raised. Investigations revealed that the breach had been achieved through use of a simple, easily-available hacking tool named Trireme NanoCore - just one of the estimated 1 million malwares available to cyber attack perpetrators, who affected 400 million people globally last year.
Cybercrime is a growing global security concern for governments and public and private institutions of all sizes. As microinsurance coverage spreads across the globe and capital inflow into the sector increases, financial inclusion institutions and their schemes for ensuring livelihoods and security too find themselves in the crosshairs of global hacking networks. Half-hearted responses to these threats will have huge implications not only for the data, policies and investments of microinsurance institutions, but for institutional trust in the industry itself. Repeated exposure to data theft or denial of services among the poorer sections of society that microinsurance targets poses real danger to the future of the micorinsurance sector and its ability to attract future investment in the developing world.
This topic was the theme for the Microinsraunce Network's Expert Forum on 28 February 2018 entitled 'Why does cyber security matter for financial inclusion?' On the panel were Jean-Louis Perrier, co-founder of Suricate Solutions, an electronic banking and cyber security company based between Luxembourg and West Africa, and David Medine, Senior Advisor at CGAP.
Lessons from West Africa
Knowledge gained from working with Suricate's partners in West Africa has shown that while much institutional energy has been geared towards improving customer experience, cyber security has not received corresponding attention. This imbalance arises from a lack of institutional capacity and technical knowledge and shortfalls in funding - problems which plague financial institutions of all sizes across West Africa. For example, the Senegal Post lost 1.5 billion Euros last year as a result of cyber attacks, while in the Ivory Coast, money transfer hijacks increased by 207% and mobile payment fraud by 74%.
In a high-paced environment where hackers' tools are constantly evolving, Perrier said solutions were urgently required that went beyond the usual checklists and lengthy staff training programmes. The initial detection and response process had to be prioritised ahead of putting in place a regulatory framework, while difficult and lengthy technological transfers should be phased out in favour of knowledge transfers to local staff that ensure maximum and swift applicability.
Last year, Suricate began putting these ideas into practice and launched a Regional Cyber Security Operations Center (RCSOC) in Dakar, Senegal, the first in sub-Saharan Africa. With funding from the European Investment Bank and the Luxembourg government, the Center draws on support and collaboration from private and public stakeholders and universities in Senegal and Europe to deliver state of the art, cost effective cyber security services to financial institutions in Senegal. The Centre's operational security team in Senegal is on call 24x7, and staff in Luxembourg are on hand to provide support and training - a model that Perrier believed could be scaled up to other countries, or rolled out on a Pan-Africa level.
Perrier said mutualisation schemes also offered ways for resource-strapped financial institutions to achieve greater cyber security through combining resources and sharing secure data storage platforms, as CTISN, a mutualised MFI Cloud Data hosting initiative is showing in Senegal. Models like the CTISN save time and money by storing data collected from various institutions under one system, which also cut out the need to visit scattered and smaller institutions in the field. Medine thought that Centres such as the RCSOC in Dakar offered possibilities for the mutual sharing of technical knowledge on combating cyber crime and rapid dissemination of information on new viruses as they emerged. Centres could also become focal points for the training of computer scientists and technical staff.
In response to a question on the costs and processes involved in setting up cyber security, Perrier responded that for Suricate, outlays were limited to purchasing special servers and software, which then extracted the log details from the client's computers and analysed the data to determine whether the network was under attack. Medine also pointed out the direct link between consumer data and finance protection and wondered how this could better be utilised to formulate stronger responses to cyber risk, giving the example of credit card companies in Europe and North America that had assumed liabilities for any losses arising from fraud, and subsequently made significant achievements in cutting fraud rates.
As its reach and clout grows, the microinsurance sector will face further threats from cyber criminals, and effectively responding to these issues will require sustained and meaningful collaboration among stakeholders.
This blog was written by Ross Adkin.