Despite known risks, some saccos still not budgeting for cybersecurity

What is cheaper? Investing Sh500 million annually to hire cybersecurity top talent or waiting to lose Sh50 billion in a ransomware attack?

This is the question Kenyan saccos have been asking themselves this week after a report first published in the Nation exposed how ill-prepared they are in thwarting cybercrime.

Through bulk text messages, social media postings and emails, some saccos are now urging members not to withdraw their deposits after the article raised concerns about the security of their savings.

“Be cyber smart! Did you know what you are at risk of when transacting online? Stima Sacco, empowering you for life,” the sacco posted on Twitter on Tuesday.

But while other savings and credit societies dismissed the report’s findings, more evidence points to a growing risk of cyber-attacks.

The latest Financial Sector Stability Report from the Central Bank disclosed that the sector lost Sh106 million in the 17 months to March 2021 to attacks coming in through their software vendors.

That is equivalent to a monthly loss of Sh6.23 million, while the total assets in the deposit-taking sacco system grew to Sh627.68 billion in 2020 from Sh556.71 billion in 2019, according to the Sacco Regulatory Authority’s (Sasra) 2020 Sacco Supervision Annual Report.

“The total number of members in the 175 deposit taking saccos in Kenya was 5.47 million persons in 2020 compared to 4.5 million persons reported in 2019.”

Weak controls in systems

But even with so many Kenyans trusting saccos with their hard-earned cash, the Nation’s calls and messages seeking comment from Sasra’s chief executive Peter Njuguna went unanswered.

What is the regulator doing to safeguard depositors’ money against the increasingly sophisticated cyber-attacks that now employ Deep Learning techniques to break into firewalls?

The attackers, the report notes, target weak controls in the systems. It advises saccos to undertake indemnity covers to safeguard against attacks.

“All saccos must now review and enhance their IT security including their service level agreements to ensure that affected saccos are compensated by the vendor in the event of an attack when the vendor is culpable,” the report notes.

In many cases of successful cyber-attacks on sacco systems, not only do they lose money but also critical and classified data on which the business runs.

Some 110,898,069 cyberthreats from malware, web applications, botnets and system vulnerabilities were reported in the 2019/2020 financial year, the Communications Authority said.

In the last financial year, the threats declined to 90,814,623, with the majority again being malware attacks.

Check Point Research’s Global Threat Index for December 2021 alone shows that ‘Apache Log4j Remote Code execution’ was the most exploited vulnerability, affecting 48.3 percent of financial organisations globally, with Trickbot the most prevalent malware.

Cybersecurity readiness

“Log4j is one of the most serious vulnerabilities we have ever witnessed, and due to the complexity in patching it and its easiness to exploit, it is likely to stay with us for many years to come unless companies take immediate action to prevent attacks,” said Maya Horowitz, VP of research at Check Point Software.

Studies also show that the attacks happened even before the Covid-19 pandemic struck and that despite all warnings and evidence, many saccos are still not budgeting enough for their cybersecurity.

And although most saccos have insured their businesses against potential loss of money, cybercrime cuts across the board, with hackers also targeting insurance companies that insure sacco businesses.

A survey on the cybersecurity readiness of saccos revealed that five of the 18 saccos reviewed had suffered a cyber-attack in the past, with four of them having no systems for transaction monitoring.

The survey was conducted by the World Council of Credit Unions (WOCCU) through the USAid Co-operative Development Program (CDP) in partnership with the Kenyan Union of Savings and Credit Cooperatives (KUSCCO) and IRNet Coop Kenya (ICK).

But the saccos declined to divulge details about the nature and level of losses incurred in the attacks, notes KUSCCO on its website.

In eight cases, saccos did not have a digital transformation strategy; in five, there was no cybersecurity policy; and in nine, there was no cybersecurity budget.

“Think of it as going shopping without a shopping list only to buy things that do not meet your needs and are costly to maintain,” KUSCCO notes. 

Apprehending fraudsters

The surveyed saccos listed the high cost of acquiring and maintaining ICT hardware and software and the dynamic nature of cyber-attacks as their leading cybersecurity concerns.

“Some members, due to illiteracy or trust, openly share their personal identification numbers with family members or close associates. Members are also susceptible to social engineering and phishing attacks,” KUSCCO adds.

Last March, Sasra activated the Sacco Societies Fraud Investigations Unit (SSFIU) with support from the Directorate of Criminal Investigations.

The unit, similar to the Anti-Fraud Unit at CBK that polices bank activities, was established following a directive from President Uhuru Kenyatta to the Ministry of Industry, Trade and Cooperatives to tame graft.

But it is also mandated with helping in daily investigations and detection of fraud, money laundering and false accounting, as well as detecting, preventing and apprehending fraudsters.

“The unit staffed by specialised staff drawn from the Directorate of Criminal Investigations are now in-charge of detection and investigation of criminal activities within the sacco subsector,” Sasra chair Mr John Munuve notes in the latest annual sacco supervision report. 

The illegal activities include embezzlement, cyber-attacks and “fraudulent schemes perpetrated by illegal entities posing as saccos”. 

It also investigates, collects and analyses relevant criminal intelligence and recommends cases for prosecution in order to improve confidence among sacco members by protecting their deposits that amount to over one trillion shillings.

[email protected]; [email protected]