Suspected cyber-criminals stole an estimated Rwf289.5 million from Rwandan financial institutions in 22 incidences in 2018. Of the sums reportedly stolen, Central Bank officials say that about Rwf208.4m was successfully recovered. The amount involved in 2018 were considerably lower when compared to 2017, where there were about 80 incidences involving about Rwf2.6bn. In 2016, the amounts involved were an estimated Rwf 1.3bn. Central Bank statistics further show that there were over 50m suspicious connections detected and dropped, indicating the growing popularity of the vice. In 2017, there were about 8 million suspicious connections. The majority of the amount involved in cybercrime in local financial institutions last year was through internet initiated payments whereby about Rwf 256m was involved in 6 incidences. Through counterfeit, lost or stolen cards used at terminals such as point of sale machines, ATMs, or online, Rwf 25m was reported stolen. Experts say that the main threats in cybercrime in Rwanda include fraudulent activities, internal cyber-crimes by internal personnel (either deliberately or erroneously) as well as external cyber-attacks. Central Bank cyber-security personnel say that criminals have been exploiting vulnerabilities such as weak oversight by senior managers, weaknesses in monitoring and securing of IT vulnerabilities by IT security staff which they say is common among many institutions. Other persistent vulnerabilities among Rwandan financial institutions were found to be inadequate systems for monitoring and detecting abnormal activities within the network as well as a low level of security awareness by customers and institutions. According to the Director of Financial Stability at the National Bank of Rwanda, Peace Uwase, there has been a general improvement among local financial institutions following new regulations issued by the regulator. “In terms of the volume of incidences, it is reducing, we did not have any significant cases as was the case in the previous year,” she said. Following an assessment among banks, she said that they had established that the major gaps were around privacy of customer information as well as strengthening controls. “In terms of readiness of financial institutions, we had an assessment done in all banks. The assessment helped identify the major gaps. There are no significant gaps other than strengthening controls around cyber-security and privacy of customer information. Banks are working to close those gaps,” Uwase said. Last year, the Central Bank issued regulations which among other things require banks to conduct feasibility studies, assessments and testing of their systems regularly. The trend of cyber-crime in the financial sector is not unique to Rwanda, Africa is estimated to have lost a $3.5bn in cyber-attacks in 2017, up from $2bn in 2016, statistics from Serianu, an information technology services firm show. In the East African region, Kenya is said to have lost some $210 million in 2017 and $171 million in 2016 to the vice while Tanzania lost an estimated $99 million in 2017. Nigeria faced the biggest threat on the continent in 2017 with a loss of an estimated $649 million. Cyber-security professionals in Rwanda say that increased digitisation of systems has created a need for banks to develop and adopt cyber-security policies. Kevine Bajeneza, Chief Operating Officer of Cyberteq Rwanda, a subsidiary of a Singaporean ICT global consulting company, told The New Times that financial institutions ought to regularly perform technical assessments to understand the levels of protection they have in place. “It is important to perform regular penetration testing and vulnerability assessment,” Bajeneza said. The cyber-security expert also emphasised the need to train staff of the financial institutions on the subject for them to be able to detect and respond to incidences with ease. Other ways include making reviews of software and creating proper backups and data-storage to ensure data safety. Among the common incidences include malware attacks, ATM skimming, tax fraud, ransom demands, credit card fraud and SIM card swiping. There has also been a reported shortage of cyber-security experts in Rwanda and the region in general with estimates putting the number of professionals in the area at around 3000 across the East African region. editorial@newtimes.co.rw
