…as Oct. 30 deadline looms
With less than 10 days to the October 30, 2022 deadline for banks and financial institutions to register their information technology (IT) infrastructure as Critical Information Infrastructure (CII) with the Cyber Security Authority (CSA), only 28 percent of the nation’s universal banks have done so.
The necessity of registration stems from Section 35 of the Cybersecurity Act, 2020 (Act 1038), which designates Banking and Finance as among the 13 CIIs in the country, since elements of cybersecurity in the Bank of Ghana’s (BoG) activities – and consequently of the entities it regulates – are considered national security issues
This came to light at a breakfast meeting organised by the Ghana Association of Banks (GAB) in partnership with the CSA as part of events to mark National Cybersecurity Month, under the theme ‘Ghana’s Cybersecurity Act, 2020: The Bank of Ghana Cyber and Information Security Directive; Its Implications and the Role of the Board of Directors’.
In a presentation, an official from the CSA, Benjamin Ofori, commended the banking fraternity for its broad adherence to cybersecurity stipulations; particularly with the emergence of increasing digitalisation for their operations and offerings. He however cited the slow pace of registration with the Authority as the only subject of concern.
“I would say the banks have done a lot right; their maturity level when it comes to cyber security is high and I would like to commend them for that. The only concern is with the current registration of critical systems; we are lagging behind, so this is an appeal for you to raise your level.
“So far, we have only 28 percent of you who have registered with us; the number 72 [percent, which is pending] remains very high. So I would like to encourage you as we have extended the deadline to October 30, and I do not think we can extend it beyond that. This is the only challenge we have with you now,” he elaborated.
Responding to concerns that banks are reluctant to give the amid safety concerns, Mr. Ofori gave assurance of the Authority’s ability to safeguard the assets registered with it, while explaining that the exercise will ensure financial institutions are well protected against cyber-attacks and better prepared to respond to any system breaches.
“The benefit is that the regulator will have a 360-degree view of Ghana’s financial sector environment – what type of systems are being run and the type of technology that is being deployed. It is so because when an incident happens the Authority sits at the top of the chain and is able to figure out what happened to help you handle those incidents,” the CSA representative said.
“We have international collaborations and partnerships from which we receive help and are able to pass relevant information to the Bank of Ghana in order to alert you on how best to secure yourself against such attacks. Also, when it comes to our Computer Emergency Response Teams (CERT), if we do not know what system you have and if you have not been registered, how are we going to help you?”
Also at the same event, Deputy Director of the Banking Supervision Department at the BoG, Ismail Adam, disclosed that more than half of the nation’s banks (12) are connected to the Financial Industry Command Security Operations Centre (FICSOC); a collaborative effort between the Bank and the Authority that seeks to provide real-time visibility into cyber-threats and attacks targetting the banking sector. He added that the remaining banks will be gradually onboarded.
These developments have come as the BoG in its 2021 Banking and Specialised Deposit-Taking Institutions (SDIs) and Electronic Money Issuers (EMIs) fraud report revealed that through fraud and other banking malfeasance, the nation’s banking industry lost GH¢61million last year – up 144 percent from the GH¢25million of 2020. Employees of financial institutions were involved in 53.46 percent of the fraud incidents reported last year.
