By Roy Hezron
Savings and Credit Co-operatives (Saccos) in the country are increasingly investing more resources in technology and security in efforts to protect members’ funds from cyber criminals, a recent survey report has shown.
According to Serianu Ltd, a business consulting firm, the percentage of Saccos that have a cybersecurity strategy improved by 44.7 percent, rising from 38 percent in 2019 to 55 percent in 2020. The Sacco Cybersecurity Report covered 2020/2021.
The survey further found that about 50 percent of the 110 Saccos that took part in the survey were found to have documented their cyber security policies; only 28 percent had no documented policies.
However, 19 percent of all the 110 Saccos had their cyber security policies still in draft forms while a paltry 3 percent knew nothing about the policies.
The survey realized further that there has been a consistent increase in cyber security budgets in the Sacco industry over the last three years. Saccos whose budgets on cyber security was about Sh.1 Million increased by 20 percent, whereas it was only 6 percent increase in 2018, three percent in 2019 and 18 percent in 2020.
The increase was attributed to increased awareness about the importance of cyber security in an industry that has seen increased attacks.
Majority of the Saccos as per the survey findings spent between Sh.1 to Sh.100, 000, with 54 percent in 2018, 44 percent in 2019 and 36 percent in 2020 having budget allocations to deal with cyber security.
Those that spent between Sh.100, 001 to Sh.500, 000 in 2018 were 10 percent, 36 percent in 2019 and 19 percent in 2020. An allocation of between Sh.500, 001 to Sh.1 Million to fight cyber crime in 2018 accounted for only 6 percent, 14 percent in 2019 and 27 percent in 2020.
Regarding how often the Sacco Boards of Management discussed cyber security and technology-related (IT) issues during board meetings, the survey found out that majority (at 26 percent) discussed the matter twice a year.
Most of the boards disccused quartely and ad-hoc at 22 percent, while only 18 percent and 7 percent of boards discussed cyber security and IT issues as their agenda once a year and monthly respectively.
The survey findings also revealed that 5 percent of boards in Saccos never discussed the cyber security and IT in their board meetings.
It attributted this variation to the Sacco boards agenda being crowded by issues such as continuity of operations, adoption of new working models and compliance with regulators to cope with emerging trends such as the Covid-19 pandemic.
Wambui Mbesa, the Chief Executive Officer at Infrasoft International East Africa, notes in the survey report that whereas many financial service players have invested heavily in digitization and deployment of secure Core Banking Systems (CBS) with seamless intergaration to front-end technologies, omni-channels, cloud and other emering technologies, Saccos continue to rely on customized Entreprise Resource Planning Systems (ERPs) for their banking needs. She notes that as an entry level intervention, the setup was sufficient in yesteryears but is no longer adequate for the digitization era.
“In my view, since core banking systems are capital intensive, they have the option of adopting micro-service architectures because these make applications easier to scale and faster to develop thus enabling innovations. For Saccos to optimize their potential in this digital era, they need to deploy Core Banking Systems (CBSs) inherently built to serve their core business,” states Mbesa in the survey report.
She adds: “In recent years, digitization has become a high priority conversation among Sacco ICT managers, CEOs and their Boards. Some already have a Digital Strategy and a well-defined roadmap for digitization in execution. However, many are moving slowly, adopting only mobile banking, yet mobile banking and digital payments are only part of digitization and their adoption without strategy may be even more dangerous if the holistic fundamentals of a successful digitization strategy and process are not undertaken.”
According to the report, Saccos are struggling with five fundamental challenges to cyber security governance: cyber security strategy and goals, enforcement and accountability, Budget acquisition, continuity and incident response, and information sharing where Saccos are facing hurdles on how to engage across multiple organizations to share cyber security-related information without compromising organization’s reputation.
Message to Sacco Directors
The survey also highlighted some basic guidelines that Sacco directors should consider to help inform their cybersecurity governance frameworks.
According to the survey report, in order to establish a good cyber security governance programme, Sacco Boards must clearly define their risk management policies, strategy and goals; and in particular determine the greatest threats and risks to the Sacco’s highest-value cyber assets, and human and finacial capital set up to protect those high-value assets. Sacco’s volume of cyber incidents should be monitored on a weekly or monthly basis, taking into account their magnitude and severity, as well as evaluating the time taken and costs in response to incidents.
Others include determing the worst case cyber incident the company has experienced in terms of lost business, engagement of parts of the Boards to handle cyber security risks, period taken for the Sacco Boards or Committees to receive briefs on cybersecurity, and adopting in whole or in part the Cyber Risk Quantifiction framework as a way showing affirmative action to protect the Sacco assets.
There are over 22,000 registered co-operatives in the country, out of which about 13,000 are Saccos and 175 are deposit-taking Saccos.
