In late December last year, as most Rwandans, like the rest of the world, were in a festive mood, a local bank woke up to an electronic heist targeting billions of francs.
By the time the heist was detected, the fraudsters had already moved about Rwf900m to fraudulent accounts which were later frozen following intervention by Rwanda National Police and the Central Bank.
Before that, another local bank had to put to halt some critical operations for about a day, after an attack by the so-called Ransomware.
Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
These are just a few examples of the rising cybercrime incidents which are increasingly keeping bankers up at night.
According to experts, the growth of the financial sector as well as progress towards a cashless economy has heightened cybercrime vulnerabilities calling for financial institutions to review approaches.
Central bank statistics indicate that last year, they recorded about 150,000 network attacks and about 8 million suspicious connections.
Over the last 5 years, Rwanda’s financial sector has recorded 705 fraud cases amounting to Rwf5.7B, according to the Central Bank.
Police last year registered 80 incidences involving about Rwf2.6bn, most of which they said was successfully recovered through joint efforts between Police and Central Bank.
However, last year’s figure doubles the 2016 amounts which were about Rwf 1.3bn which points at increased vulnerability and threats by fraudsters.
This problem is not unique to Rwanda.
A recent study showed that African countries are reported to have lost at least $2bn in cyber-attacks in 2016. In the region, Kenya recorded the highest losses at $171 million while Tanzania lost $85 million and Uganda $35 million.
Experts say that approaches deployed by fraudsters include accessing and hacking into bank systems, electronic money transfers while others connive with bank staff.
Other common fraudulent activities also involve point of sale machines and identity theft among others.
Not mere IT issue
Central Bank governor John Rwangombwa said that the state of affairs called for more proactive actions by stakeholders and addressing it as not just an ‘IT issue’.
“With all these cyber-attacks going on, we need to be reminded that cyber security is not an “IT” issue. It is not a risk that can be addressed by simply having a strong IT team or infrastructure in place. It is not a risk that just affects a company’s technology; it affects the institution’s business and reputation and even much more,” he said.
Rwangombwa was speaking at a one-day consultative meeting which convened leaders of security agencies, heads of financial institutions and telecoms as well as concerned agencies.
As the regulator of the financial sector, the central bank, he said, was rolling out different measures through laying out legal and institutional framework.
For instance, the bank is in the final stages to issue a cyber-security regulation for all banks to establish cyber security disciplines across the sector.
The Central Bank also requested financial institutions to carry out audits to address multiple aspects of IT security and systems including vulnerability assessments, detection capacities among others.
Among the approaches being considered to reduce the vulnerability is building capacities and skills across financial sector.
During the same meeting, Bank of Kigali Chief Executive Dr. Diane Karusisi said that introduction of a basic module among bank staff with regular refresher courses would serve to improve the preparedness among staff.
“It can incorporate skills and knowledge needed around cybercrime. This can be made mandatory for everyone working at the bank and back with a sort of certification,” she said.
Karusisi said that banks also have a role to raise awareness among their clients to reduce their vulnerabilities when transacting to avoid being victims.
Rwanda Utilities and Regulatory Authority Director General, Patrick Nyirishema said that there ought to be joint effort to educate the general public about various ways through which they can be defrauded to reduce vulnerability.
“Security is as good as the weakest link, if you look at a number of the cases that have happened, the weakest link has been the people. It is important to have awareness campaigns. We ought to work together to educate the population of the various ways they can be defrauded to make them better equipped,” he said.
There are also plans by government to establish a cyber-security agency in the coming days.
The Permanent Secretary in the ICT ministry, Regis Gatarayiha said that with attacks likely to increase in coming years with the growth of the finance sector and cashless economy, it is important to have continued research and development going forward.
“It is important that we stress continued research and development and develop the institution that is going to help us address it in a coordinated manner,” Gatarayiha said.
The Inspector General of Police (IGP) Emmanuel K Gasana said that a National Cyber Security Strategy is already in place as well as an established National Cyber Security Agency that links security organs, public and private sector agencies.
Gasana said that going by the response to some of the attempts and attacks, police has capabilities and are further building capacities.
“Cybercrime investigation centers have been established to focus on building national capabilities to investigate cybercrimes retrieve and analyze digital evidence from variety of sources,” he said.
To develop its capacities to respond to cybercrimes, Police has introduced Information Security Faculty at the National Police College (NPC), while an African Regional Center of Excellence on fighting cybercrimes is in the offing.
Police has also enhanced regional and international policing partnerships.