Risk Alert: Development Community Support Needed for Cybersecurity

Cybercrime has become a key concern in developing countries’ financial markets and is threatening global advances in building more inclusive financial sectors. Enhancing cyber-resilience must be a critical part of the development community’s agenda as it promotes financial inclusion through digital financial services.

In a recent study, CGAP and the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) identified cybersecurity trends and challenges in financial-sector development. Our research found that markets with higher volumes of digital financial transactions are particularly affected by the global rise in cyber-incidents and data breaches. Markets in Asia are recording the highest use rates of mobile banking and digital payment applications. At the same time, they are experiencing the highest volume of cyberattacks on financial institutions.

One explanation for these trends may be the fact that digital financial transactions are often carried out using insecure devices and over transmission lines that were not designed to protect the security of financial transactions. Furthermore, with developed economies building up their defenses against cyberattacks, cybercriminals seem to be shifting their attention to easier targets in emerging digital financial services markets.

Developing and emerging economies are struggling with three major challenges:

• There is a huge resource and capacity gap among regulators, supervisors and providers to monitor, protect and defend their information systems. Technical cybersecurity specialists, qualified analysts and auditors, threat information sharing platforms, sector-wide advisory services, IT-security training and funding are scarce and expensive. The high cost of cybersecurity services could increase the cost of digital financial services, leading to less inclusive financial markets.
   
• There is little cooperation among stakeholders due to competitive thinking or fear of revealing a vulnerability to supervisors. Stakeholders agree that cybersecurity is a shared responsibility of all players in the ever more fragmented financial services value chain. Malware can spread easily due to increasingly interconnected financial services systems. Attacks that threaten one player today may target another player tomorrow. However, the lack of accessible, trusted threat information-sharing platforms makes it difficult to warn and learn from each other.
   
• There is little clarity around responsibilities between the public and private sectors and between financial service providers and mobile network operators regarding cybersecurity processes, liabilities and consumer cybersecurity education.

These challenges need to be addressed in a collaborative manner. Regulators and supervisors, private sector associations, financial and IT services providers, funders and development partners all play important roles. In partnership with Luxembourg’s Directorate for Development Cooperation and Humanitarian Affairs, CGAP and GIZ, on behalf of BMZ, organized a stakeholder workshop in November 2019 to discuss cybersecurity threats and potential solutions for the financial sector (see presentations from the event here).

Our conversations with stakeholders highlight that there are at least four ways development partners and funders can provide support:

• Foster dialogue and collaboration among international and regional financial-sector stakeholders. Dialogue is essential for promoting a common understanding of cybersecurity and cyber-resilience within the financial sector and for exchanging best practices and lessons learned. International organizations and development partners can facilitate public-private dialogue within a single country, regionally and globally. Sector-specific and cross-sectoral dialogue will be crucial for including various perspectives on cybersecurity. In an increasingly globalized and interconnected financial market, harmonized cybersecurity efforts across sectors and countries have proven more effective and efficient than disconnected efforts. A network of regional cybersecurity resource centers could provide a neutral platform for public-private collaboration, including the exchange of threat information, international best practices, guidelines and training.
   
• Encourage adoption of international cybersecurity guidelines and support adaptive regulatory reform systems that enable the sector to keep pace with rapidly evolving cyber-risks. Regulators and supervisors already have a hard time keeping up with innovations in the financial sector. Cybercrime is threatening the integrity and soundness of the sector and requires the adoption of new skills, processes and regulations. The development community can help governments identify effective regulatory and supervisory approaches by building on international standards and best practices, while promoting a more effective and adaptive regulatory reform system. Support for building law enforcement capacity to combat cybercrime on a national, regional and global level is also critical.
   
• Fund and carry out research to deepen our understanding of the threat and scale of the risks posed by cybercriminals. Metrics and data are needed to assess the threat that cybercrime poses to the public and private financial sectors, along with its impact on consumers.
   
• Promote educational programs and campaigns to build cybersecurity awareness and capacities among users of the internet and digital financial services, in partnership with policy makers and providers in developing and emerging markets.

The development community is becoming increasingly active in promoting and supporting cybersecurity. Because cybersecurity is complex and requires national and international collaboration, funders and development organizations must work together to help the financial sector improve its cyber-resilience.

Judith Frickenstein is head of Financial Inclusion and Digital Finance - Cluster Financial Systems Development and Insurance at GIZ. Silvia Baur-Yazbeck is a financial sector analyst at CGAP.