A centralised cyber security system has been set up by the Bank of Ghana (BoG) as part of its enhanced effort to deal with electronic fraud and cyber risks in the banking sector.
Known as the Financial Industry Command Security Operation Centre (FICSOC), the system is to be hooked up to the individual security information and events management (SIEM)/security operation centres (SOCs) of banks and other institutions to receive real-time reports and trigger actions, when necessary.
The Governor of the BoG, Dr Ernest Addison, said at a news conference last Monday that the system would help the BoG undertake real-time monitoring of transactions in all banks and other deposit-taking institutions.
Set up
The establishment of FICSOC was completed this year by Virtual Infosec Africa (VIA), an indigenous company, allowing banks and other institutions regulated by the BoG to start connecting their systems to it.
It is expected that the successful operationalisation of the centralised command centre would help reduce electronic fraud such as theft and duplication of automated teller machines (ATMs), which more than doubled last year.
First bank
To get the system started, the central bank has named the Agricultural Development Bank Limited (ADB) as the first institution to be connected to FICSOC to help check malpractices in electronic and financial technology transactions.
The ADB has thus become the first bank to be hooked up to the system after successfully setting up its SIEM/SOC earlier this year.
Dr Addison, who was answering a question on how the central bank was working to reduce electronic fraud in the financial sector, said FICSOC and the subsequent hooking up of the security centres of financial institutions were a sure way of fighting the canker.
“Our financial services are becoming more technology driven, and with technology, the risks associated with ATMs and point of sale (PoS) fraud also go up. Fortunately, we are looking closely at that,” he said during the press conference to announce the bank’s policy decision for the last quarter of the year.
“We have what we call FICSOC, the security operating centre of the central bank, which monitors our cyber resilience real-time. Currently, we are in the midst of setting up the financial industry SIEM/SOC. I believe the BoG is ready and the ADB is getting connected to that FICSOC,” he said.
Earlier this month, the National Intelligence Bureau (NIB) busted one Bachir Musa Aminou with 656 ATM cards, a development which Dr Addison said was being investigated.
Other banks
To help address some of those challenges, Dr Addison said the BoG directed banks to set up and maintain SIEM/SOCs to be connected to the industry command centre.
The directive was contained in the Cyber and Information Security Directive issued by the BoG in October 2018, which, among other things, mandates banks and other institutions to use the SIEM/SOC for network security event monitoring, compliance reporting and user activity monitoring.
He said after the ADB had successfully been connected to the command centre, other banks and deposit-taking financial institutions would follow, making it possible for the central bank to track electronic transactions in real-time.
“Hopefully, a year from now, we should have all 23 banks in the financial industry SOP and it will allow us to monitor the cyber risks associated with the entire banking system in Ghana,” he said.
ADB MD
When contacted, the Managing Director of the ADB, Dr John Kofi Mensah, said it was out of a desire to provide full-proof services for customers and stakeholders that the bank worked hard to meet the requirement and subsequently became the first to be connected to the industry command centre.
He described the process as tasking, yet fulfilling, and expressed the hope that its full deployment would help minimise incidents of fraud in the banking sector.
Dr Mensah said the ADB used a local firm, the VIA, which built FICSOC, to execute its project, in line with its commitment to grow local businesses.
He added that the SIEM/SOC was linked to the recent granting of an ISO 27001 certification to the bank in recognition of robust cyber security measures put in place.
Peace of mind
The Chief Executive Officer of VIA, Mr Emmanuel Sekyere Asiedu, said the company was proud to be executing the systems for the central bank and the ADB.
He said it was structured in such a way that its full deployment would give peace of mind to the regulator, the banking public and stakeholders.
He said the solution was world class, robust and standard, which that made it impossible for third parties to infiltrate.
BoG’s report on banking industry fraud
In its Executive Summary on the Banking Industry Fraud report for 2020, the BoG reported that many routine activities of institutions, including financial transactions that usually would have been undertaken in-person, were conducted online.
It said customers who were not used to digital/electronic methods of making financial transactions were compelled to use them and, consequently, some sections of the banking sector were exposed to heightened levels of fraud-related risk due to the increased patronage of electronic/digital products and services.
The report also said the emergence of the COVID-19 pandemic propelled the use of digital/electronic modes of transacting business, leading to a higher exposure to fraud.
In the report, the BoG indicated that 2020 recorded a marginal increase in reported fraud incidents, with a minimal decrease in losses.
The reduction in losses was mainly due to a reduction in the rate of success for most fraud types. A total of 2,670 cases were recorded in 2020, compared to 2,311 in 2019.
“The reported value of fraud for 2020 was GH¢1.0 billion, compared to GH¢115.51 million in 2019. The notable increase in the value reported was as a result of high values recorded in attempted correspondent banking fraud (forgery of SWIFT advice),” the executive summary said.
It further indicated that although the banking sector did not suffer any losses from any of the correspondent banking fraud attempts, it posed a reputational risk to some banks, whose staff were found culpable in two of the three reported incidents.