By Sammy Chivanga
Savings and Credit Co-operative Societies (SACCOs) are being challenged to review their IT systems and also take insurance covers on the back of cyber-attacks that have in the recent spate of attacks cost them Sh106 million.
The money was lost in the 17 months to March 2021, meaning that Saccos were losing an average of Sh6.23 million per month or Sh208,000 daily in the review period, underlining the vulnerabilities of a sector that holds over Sh800 billion customer deposits.
Fresh disclosures in the latest financial sector stability report by Central Bank Kenya and Sacco Societies Regulatory Authority (SASRA) and other key financial institutions shows that the vulnerabilities have risen as Saccos continue to embrace technology.
The report says that the cyber-attacks were through software vendors engaged by the Saccos and has led to higher operational risks among cooperatives.
The attackers were targeting weak controls of the Sacco systems, given the minimal verification of members’ identities when seeking services.
SASRA and other financial sector regulators now want Saccos to review contracts signed with software vendors and compel such vendors to be compensating co-operatives when such losses occur.
In addition, the Saccos are being asked to take insurance so that members’ deposits are not exposed to losses and that Saccos do not collapse due to losses of deposits.
“All Saccos must now review and enhance their IT security including their service level agreements to ensure that affected Saccos are compensated by the vendor in the event of an attack where the vendor is culpable. Saccos are also encouraged to undertake indemnity covers to safeguard against attacks,” says the report.
However, without proper contracts, Saccos may struggle to measure performance and hold their vendors responsible for service delivery.
Saccos, especially the Deposit-Taking ones, will have to up their game in protecting themselves from cyber fraudsters to boost their chances of joining the national payment system without becoming the weak link in cyber-attacks in the financial services sector.
The disclosure on the amounts lost due to cyber-attacks lifts lid on the level of vulnerabilities for the Saccos, many which lag behind their counterparts such as banks in investing in strong systems.
Many financial players are usually reluctant to disclosing information on how much they lose through cyber-attacks. When such disclosures are made, the reports avoid mentioning names of affected institutions in order to guard against eroding customer confidence.
Cyber security consulting firm Serianu said in a report released mid-August that the number of Saccos spending between Sh500,000 to Sh1 million on modernizing IT systems had risen by 27 percent last year from 14 percent in 2019.
The percentage of Saccos that have a cyber-security strategy has also improved from 38 percent in 2019 to 55 percent in 2020.
However, just 22 percent of Sacco boards discuss cyber security monthly. Just slightly over half (58 percent) of the 110 Saccos surveyed by Serianu have dedicated resources for dealing with cyber security.
This trend is an indication that more Saccos are upping their game in strengthening their IT systems to safely accommodate the rising demand for digital services among customers.
Serianu report attributed the increased investment in IT systems on increased awareness on the cyber security, increased attacks and the shift to digital transactions.
“IT risk profiles are increasing due to increased mobile banking adoption, growing complexity of IT factors, including those driven by the types and numbers of systems used, expanding branch networks and increased connectivity to external IT networks.
“Our research indicates that there are increased targeted attacks on Sacco mobile transaction infrastructure. Additionally, weak IT infrastructure is exposing Saccos to attacks,” read the report in part.
When Saccos face system hacks, the report adds, it is the knowledge, capacity and maturity of the system vendors that count most in terms of the possibility of recovering the money lost.
Saccos are also being asked to put in place adequate governance and risk management processes to address risks associated with outsourcing of IT services including cloud services.
The co-operatives are heavily reliant on vendors for key services but attackers are exploiting loopholes that exist within the vendor management processes. Many Saccos do not retain partnership with vendors once the purchase of system is completed.
Deposit-Taking Saccos are responding to digital finance revolution through array of products such as mobile banking but many are not quick to upgrade their banking platforms.
Relatively, few Saccos are using established but more expensive core banking systems such as Banker’s Realm, partly driven by high acquisition costs, support costs and highly skilled staff for running the system.
Leading Saccos such as Kenya Police Deposit-Taking Sacco and Unaitas have spent hundreds of millions of shillings on their IT platforms in quest for safety and roll out of new capabilities for serving customers.
However, many are spending the vast majority of their limited IT budgets on acquiring and rolling out IT systems but leave so little to secure and maintain networks.
According to the report, about 21 percent of Saccos never carry out cyber security audits while 48 percent carry out the audits once a year, leaving them unaware of weaknesses on their network system. Just eight percent carry out quarterly audits.
Yet, 22 percent of Saccos do not conduct any due diligence on vendors before engaging them. Some 58 percent said they only conduct due diligence on major vendors while just a fifth carry out due diligence on all vendors they intend to work with.
Information Security Manager at Harambee Sacco, Amos Ndung’u says third parties such as vendors have exposed organizations to a myriad of risks and in some cases, found complicit or used as conduits to execute a cyber-heist.
“Organizations ought to take its time and define to the granite atomic detail the scope, deliverables and milestones in the contract. This ensures the terms of engagement are explicit and there are no grey areas,” he says.