Financial institutions breach Cybersecurity Act — Only 28% registered their infrastructure

BY: Emmanuel Bruce
John Awuah — CEO, Ghana Association of Bankers

ONLY 28 per cent of financial institutions operating in the country have registered their information technology (IT) infrastructure as a critical information infrastructure with the Cyber Security Authority (CSA), an official from the authority, Benjamin Ofori, has disclosed.

This is in clear breach of the Cybersecurity Act, 2020 (Act 1038), which identifies the IT infrastructure of financial institutions as one of the critical information infrastructure that must be registered under the Cyber Security Authority.

The Cybersecurity Act, 2020 (Act 1038) defines a critical information infrastructure as a computer system or computer network that is essential for national security or the economic and social well-being of citizens.

Cyber-attacks against Critical Information Infrastructure are increasing, the magnitude, frequency and impact of such security incidents can impede the pursuit of economic activities, generate substantial disruption to critical services, financial losses, undermine public confidence and cause major disruption to our economy.

Recent attacks on the power grids, electoral systems, payment systems and healthcare systems around the world bring to bear the imminent threats to Ghana’s critical information infrastructure.

As a result, the Cyber Security Authority gave banks up to end of last month to register their IT infrastructure with the authority.

Mr Ofori said although the banks were generally doing well with their compliance to the cybersecurity regulations, the only worry was their inability to register their IT infrastructure with the authority.

Mr Ofori was speaking at a breakfast meeting which was organised by the Ghana Association of Banks (GAB), in partnership with the CSA, as part of events to mark National Cybersecurity Month.

The breakfast meeting was held on the theme; ‘Ghana’s Cybersecurity Act, 2020: The Bank of Ghana Cyber and Information Security Directive; Its Implications and the Role of the Board of Directors’.

“I would say the banks have done a lot right; their maturity level when it comes to cyber security is high and I would like to commend them for that.

“The only concern is with the current registration of critical systems; we are lagging behind, so this is an appeal for you to raise your level.”

“So far, we have only 28 per cent of you who have registered with us; the pending 72 per cent remains very high. So I would like to encourage you as we have extended the deadline to October 30, and I do not think we can extend it beyond that. This is the only challenge we have with you now,” he added.

Also speaking at the meeting, the Director at the Information Security Office at the Bank of Ghana, Samuel Senyo Okine, urged the board of directors of financial institutions to make cyber security issues a priority in their board meetings.

“I am talking about board meetings on cyber security issues only. If we want to keep the environment safe, then we need to think in this direction,” he stated.

He also urged senior management members of financial institutions to establish an information risk strategy and make sure to see to its implementation and maintenance.

He said they must also formulate the cyber security policies of their respective banks, review the adequacy of the policies at least once a year and adequately resource the development of the cyber security framework and policies.

“So what we are saying is that, after you put in place the policies, provide the funding and human resource to make them work.”

“To be successful with cyber security, we need to understand that there are three things; you need the people who are doing the work for you; the technology to ensure you achieve your objectives and you must ensure you have put in place the right processes,” he explained.

Extremely critical

For his part, the Chief Executive Officer of the Ghana Association of Banks, John Awuah, said banks transition from brick and mortar to digitisation had made cyber security issues extremely critical.

“As transactions are moving to digitisation, the people who used to rob banks with guns have also moved to attacking the banks in the digital space.

“So it is important that directors and board members who have oversight responsibilities for these institutions have the basic understanding of the kind of threats faced by banks now, so that if bank managing directors or executives present their solutions, they can better appreciate the rationale and justification for investing in protective infrastructure to secure their networks,” he stated.