The Secretary General of the Banking Commission of Central Africa (COBAC), Halilou Yerima Boubakary, addressed a circular letter to all directors general of banking institutions in the CEMAC zone regarding the need to implement an IT security policy that meets international standards in order to address IT security challenges.
With the onset of the Covid-19 pandemic, financial institutions in the CEMAC zone were forced to adapt to market developments by accelerating their digital transformation in order to better meet the needs of their clients. However, these technological developments have substantially contributed to increasing cybercrime-related risks within credit and microfinance institutions.
Increasingly recurrent cyberattacks
Thus, in recent months, credit and microfinance institutions have been subjected to several increasingly sophisticated cyberattacks resulting in enormous financial losses, as noted by COBAC. "These, given their scale and recurrence, are likely to jeopardise the stability of our banking and financial system", laments the banking regulator. These criminal acts very often result from negligence and/or improper application of basic IT security rules.
Glaring IT security gaps
COBAC's control missions have highlighted gaps in IT security, notably the absence of password management and access rights policies. Furthermore, penetration tests that assess the vulnerability of information systems are rarely conducted. Given the challenges related to cybercrime, the Secretary General urges credit and microfinance institutions to exercise constant vigilance and to implement an adequate IT security policy aimed at "protecting the entirety of your information system against breaches of its confidentiality, its integrity and its availability", as recommended by COBAC.
COBAC encourages the implementation of a specific anti-fraud mechanism, together with the identification and adequate assessment of the operational risks to which each institution is exposed, cyberattacks in particular, with a view to preventing them on the one hand and, on the other, to strengthening the institution's capacity to ensure business continuity in the event of a major incident. COBAC invites institutions to implement measures for detecting unauthorised transactions, as well as to provide for measures to respond to attacks and restore the functioning of their information systems.
Have your information system audited by 30 June 2022
In the COBAC circular letter, the financial regulator strongly urges institutions to have their information systems audited by independent security and/or IT audit experts no later than 30 June 2022, in order to establish an in-depth diagnostic identifying vulnerability points. A copy of the mission report must be submitted no later than 15 July 2022, along with the measures taken by the institutions to remedy the identified deficiencies. Failure to comply will expose the institution to sanctions.
COBAC recommends that banking institutions adopt IT security policies aligned with the ISO/IEC 27001-02 standards, the Payment Card Industry Data Security Standard (PCI-DSS), and the regulations in force regarding internal control. "The operational resilience of credit, microfinance and payment institutions is an essential factor in the soundness of the banking and financial system", COBAC reminds. Given the proliferation of cyberattacks and the scale of losses recorded, it is imperative to take all necessary measures to raise staff awareness of IT risks, to design and implement robust security mechanisms, to promote interbank platforms for sharing IT security information, to integrate cyberattack scenarios into the business continuity plan, and to conduct penetration tests regularly.
As a reminder, the Banking Commission of Central Africa (COBAC) is the supervisory body for all credit institutions and microfinance establishments in the Economic and Monetary Community of Central Africa (CEMAC). The COBAC's mission is to ensure the integrity of the banking system and guarantee its resilience. It is responsible for "ensuring compliance by credit institutions with the legislative and regulatory provisions issued by the Authorities, by the Central Bank, or by itself (…) and for sanctioning any identified breaches".