Savings and Credit Cooperative Societies (SACCOs) are being challenged to tighten their systems and take insurance covers on the back of rising cyber-attacks in the era of digital transactions.
Cooperatives are increasingly gaining prominence among formal and informal workers and currently hold over Sh800 billion customer deposit—a sum that makes them a target of cyber criminals.
This calls for SACCOs are to review their IT systems and also take insurance covers coming on the back of a report showing they lost Sh106 million the 17 months to March 2024.
According to the report recently released, the loss, captured in the financial sector stability report—a product of key financial regulators including Sacco Societies Regulatory Authority (Sasra) shows SACCOs were losing an average of Ksh6.23 million per month or Sh208,000 daily in the review period.
The report said the cyber-attacks were through software vendors engaged by the SACCOs and has led to higher operational risks among cooperatives.
ALSO READ:
Government calls for structured cooperative savings to shield economy from political instability
The attackers were targeting weak controls of the Sacco systems, given the minimal verification of members’ identities when seeking services.
Sasra and other financial sector regulators now want SACCOs to review contracts signed with software vendors and compel such vendors to be compensating cooperatives when such losses occur.
In addition, the SACCOs are being asked to take insurance so that members’ deposits are not exposed to losses and that they do not collapse due to deposit losses.
“All SACCOs must now review and enhance their IT security including their service level agreements to ensure that affected ones are compensated by the vendor in the event of an attack where the vendor is culpable. SACCOs are also encouraged to undertake indemnity covers to safeguard against attacks,” says the report.
However, without proper contracts, Saccos may struggle to measure performance and hold their vendors responsible for service delivery.
ALSO READ:
Ushirika Day 2025: Ruto commends Sacco stakeholders’ contribution to economic growth
Saccos will have to up their game in protecting themselves from hackers to boost their chances of joining the national payment system without becoming the weak link in cyber-attacks in the financial services sector.
Cyber security consulting firm Serianu said in a report released mid-August last year that the number of SACCOs spending between Ksh500,000 to Ksh1 million on modernizing IT systems had risen by 27 percent in 2023 from 14 percent in 2022.
The percentage of SACCOs that have a cybersecurity strategy had also improved from 38 percent in 2023 to 55 percent in 2024.
This trend is an indication that more SACCOs are upping their game in strengthening their IT systems to safely accommodate the rising demand for digital services among customers.
Serianu report attributed the increased investment in IT systems on increased awareness on the cybersecurity, increased attacks and the shift to digital transactions.
ALSO READ:
Gov’t embarks on comprehensive review of Sacco legal framework to restore accountability
“IT risk profiles are increasing due to increased mobile banking adoption, growing complexity of IT factors, including those driven by the types and numbers of systems used, expanding branch networks and increased connectivity to external IT networks,” said the report.
“Our research indicates that there is increased targeted attacks on Sacco mobile transaction infrastructure. Additionally, weak IT infrastructure is exposing SACCOs to attacks.”
However, just 22 percent of Sacco boards discuss cyber security monthly. Just slightly over half (58 percent) of the 110 SACCOs surveyed by Serianu have dedicated resources for dealing with cybersecurity.
When SACCOs are hacked, the report adds, it is the knowledge, capacity and maturity of the system vendors that count most in terms of the possibility of recovering the money lost.
Yet, many SACCOs do not retain partnership with vendors once the purchase of system is completed, leaving them vulnerable when hacking happens.
SACCOs are also being asked to put in place adequate governance and risk management processes to address risks associated with outsourcing of IT services including cloud services.
ALSO READ:
Police DT Sacco unveils modern gymnasium in kiganjo to boost officers’ wellness
But the weak link in cybersecurity is the fact that SACCOs are heavily reliant on vendors for key services. But attackers are exploiting loopholes that exist within the vendor management processes.
Another challenge for SACCOs is the budget required to invest in using established but usually more expensive core banking systems such as Banker’s Realm.
The high acquisition costs, support costs and highly skilled staff required to run such systems has seen just few large SACCOs invest in such high end systems.
Many SACCOs are spending the vast majority of their limited IT budgets on acquiring and rolling out IT systems but leave so little to secure and maintain networks.
SACCOs will also have to enhance audits on their systems with Serianu report showing about a fifth of them never carry out cybersecurity audits while 48 percent carry out the audits once a year.
Just eight percent carry out quarterly audits, meaning majority are unaware of weaknesses on their network and hackers’ can change tact and hit them.
Serianu report further found out that 22 percent of SACCOs do not conduct any due diligence on vendors before engaging them.
Some 58 percent said they only conduct due diligence on major vendors while just a fifth carry out due diligence on all vendors they ident to work with.
Mwiti Munyua
Get more stories from our website:Sacco Review.
For comments and clarifications, write to: Saccoreview@
Kindly follow us via our social media pages on Facebook:Sacco Review Newspaperfor timely updates
Stay ahead of the pack! Grab the latest Sacco Review newspaper!
