In January, Kaspersky security researchers observed that there had been numerous cyber-attacks on major banks in Sub-Saharan Africa (SSA). Based on the malware being used for the attacks, the researchers attribute the attacks to the Silence hacking group, one of the most active Advanced Persistent Threat actors in the world. The playbook of such attacks typically involves sending a phishing email to a bank employee. Once the email is opened, the malware it carries quietly infects the employee’s system, operating in the background and gathering information on the inner workings of the bank. Once the attackers have all the information that they need, they activate the full functionality of the malware and cash out, taking large sums of money and sometimes sensitive information. The researchers noted that the pattern of the attacks on the African banks indicated that the threat actors are preparing for the cash-out.
The banks have been advised to ramp up their cybersecurity by taking a number of measures including training employees on cyber threats, particularly how to recognise phishing attempts; deploying anti-phishing and anti-malware applications; monitoring their systems for malicious activity; providing the bank’s cybersecurity teams with access to the latest intelligence on the manner in which known threat actors operate; and preparing an incident response policy for use in the event they are attacked. However, none of these recommendations are new.
In 2018, the Central Bank of Nigeria (CBN) issued a draft risk-based cybersecurity framework and guidelines for deposit money banks and payment service providers. The draft framework sets out proposed minimum requirements for banks’ cybersecurity programs and contains sections dedicated to each of the recommendations made to combat this imminent threat. Unfortunately, the CBN is yet to adopt and issue the final framework. Therefore, Nigerian banks are not under any obligation to comply. For those banks, including Zenith, First Bank and UBA, that rank amongst the top 20 banks in SSA and as a result are potential prime targets of the Silence group, it would be foolhardy not to take some measures to protect themselves.
A successful cyber-attack can destroy the trust that customers have in a bank. If the attack is of sufficient severity, it may lead to a run on the bank and, because of the interconnectedness of the banking system, cause a systemic crisis. In Nigeria, with our tendency to propagate stories of doom and gloom and red alerts, both true and false, this scenario is not far-fetched. While law enforcement agencies have wide-ranging powers of investigation under the Cyber Crimes Act and, through the Attorney General of the Federation, can obtain assistance from foreign agencies to investigate and prosecute foreign threat actors, the likelihood that the perpetrators would be successfully prosecuted is low, and the bank would have suffered reputational damage regardless.
Indeed, all Nigerian banks, not just the major ones, must take cyber threats seriously. They may be well-served to proactively implement the recommendations in the draft CBN framework or review existing processes and technology to ensure they meet the minimum requirements set out in the draft framework. Doing so would be capitalising on an opportunity to obtain or maintain their competitive advantage.