Sunday 6 January 2019

Nigeria -- Banks, PSPs race to comply with CBN risk-based cyber security framework


Central Bank of Nigeria (CBN) has released a risk-based cybersecurity framework and guidelines for Deposit Money Banks (DMBs) and Payment Service Providers (PSPs) which they must comply with by January 1, 2019.
This is in line with its new licensing regime as well as in compliance with Nigeria Cyber security act of 2015.

In a circular to the concerned organisations which accompanied the framework and guideline, CBN noted that the framework represents the minimum requirements to be put in place by all DMBs in their respective cybersecurity programmes.
In the guideline made available to Nigeria Communications Week, CBN stated that: “In recent times, cybersecurity threats have increased in number and sophistication as DMBs and PSPs use information technology to expedite the flow of funds among entities.
“In this regard, threats such as ransomware, targeted phishing attacks and Advanced Persistent Threats (APT), have become prevalent; demanding that DMBs and PSPs remain resilient and take proactive steps to secure their critical information assets including customer information that are accessible from the cyberspace.
“DMBs/PSPs should note that for a cybersecurity programme to be successful, it must be fully integrated into their business goals and objectives, and must be an integral part of the overall risk management processes.”
Ahmed Adesanya, IT Security and Connectivity Consultant, commended CBN for rising to the occasion of protecting the country’s economy with this regulatory framework.
He said that the risk-based cyber security framework and guideline have moved responsibility for cyber security from banks’ IT departments to the board and top management.
“This framework will increase banks’ cyber security readiness in the event of any cyber-attack or electronic fraud and stakeholders in the highest authority of banks and payment service providers are now involved in addressing cyber security issues. This is a move in the right direction by CBN to protect customers of Deposit Money Banks and PSP,” he noted.
Engr. Ike Nnamani, chief executive officer, Demadiur Systems – a cybersecurity firm, said that the involvement of senior management in cyber security policies in organizations as contained in the CBN framework was listed in the 2017 Nigeria Cyber Security Report published by Demadiur Systems Limited.
“This became necessary because in the survey done in 2017 and even 2016 it was discovered that over 95% of Nigerian businesses do not have a specific budget for confronting cyber threats.
Only when there is a problem does the IT team make a request for cyber security solutions, and often it is not approved based on the fact that it is not in the annual budget.
This has led to a situation where most organizations suffer cyber security losses that are avoidable if given priority.
“The decision by the CBN is therefore a welcome development that will create a more secure cyber space for the country. It is recommended that other agencies and organizations adopt this policy also,” he said.

Microsoft challenges Nigeria to use technology to address unemployment

Global tech giant, Microsoft, has challenged Nigeria to take advantage of technology to address the endemic problem of unemployment in the country.
Public Sector Government Leader, Microsoft Middle East and Africa, Salwa Smaoui, threw the challenge in an interview with our correspondent on the sidelines of a summit with government officials titled ‘Re-imagining the future of Nigeria.’
Smaoui said instead of seeing emerging technologies such as Artificial Intelligence as a challenge, Nigeria could take advantage of such technologies and position its youthful population to be relevant in the emerging global knowledge economy.
She listed cybersecurity as one of the areas where Nigeria could help to fill the gaps existing in the global pool of experts.
According to the Microsoft egghead, a gap of 3.5 million people currently exists in cybersecurity and Nigeria can possibly exploit the opportunity through training and positioning of its youthful population to take advantage of the global skills gap in the field.
Smaoui said that Nigeria could also be part of the forthcoming Fourth Industrial Revolution by repositioning its universities to train products that could take up opportunities that were available all over the world.
She identified the management of energy as another area that technology could help Nigeria to reposition its economy, adding that through adequate deployment of technology, Nigeria can introduce transparency in the management of its oil and gas resources.
Smaoui said, “Digital transformation can enable a lot of Nigerians. When we talk about energy and oil; how can technology drive transparency? How can technology drive better management of subsidies to the oil companies? How can we diversify the economy so that it doesn’t stay on oil and gas?”
She added, “Sixty-five per cent of the population – they are going to school today – will work on jobs that we don’t even know. How do we prepare for that? How do we make sure that we are preparing a smart nation that will not only serve Nigeria but also serve the world?”
The Microsoft leader also listed tax collection as another area that technology could help Nigeria to improve its economy. She said Nigeria could borrow a leaf from Zimbabwe which she said had leveraged the power of technology to transform its tax collection process.
She also advocated the use of cloud resources as a viable alternative to investing in data centres, adding that hybrid cloud could help any nation to safeguard its sensitive data resources.
Speaking at the event, Director-General of the National Information Technology Development Agency, Dr Isah Ibrahim, said that the Federal Government had recorded some successes in the deployment of technology to solve local challenges.
He said that the unflinching commitment of the government to stamping out the menace of corruption led to the implementation of Treasury Single Account driven essentially by information technology.

Nigeria -- Banks lose to cyber-crime globally, says CIBN

Banks’ loss to cyber-crime globally has risen to $700 billion yearly, President/Chairman of Council, Chartered Institute of Bankers of Nigeria (CIBN), Uche Olowu, has said.
Speaking during the roundtable on information security meeting in Lagos, he said despite the benefits provided by financial technology (Fintech), there are equally heightened risks of cyber threats and fraudulent activities with Nigerian banks alone losing N198 billion to the threat annually.
He said criminal activities such as credit card fraud, phishing, Automated Teller Machine (ATM) fraud and identity theft have increasingly become a threat to banking operations.
“Statistics put the cost of cyber-crime globally at $700 billion annually, a figure projected to rise to about $2 trillion by 2019, due to the rapid digitisation of consumer lives and company records. In the case of Nigeria, about N198 billion is said to be lost to the ever-increasing cases of cyber-crimes per annum usually perpetrated through the financial system,” he said.
Olowu explained that while a variety of organisations are exposed to cybercrime, the financial sector is particularly vulnerable given its crucial role of financial intermediation in a highly connected global financial system.
He said: “Nigerian banking or financial services sector company should no longer ask if they are going to be hacked and instead when. Cybersecurity is no longer just about protecting a business’ information. It is critical to maintaining trust with the public and customers, building company reputation, as well as safeguarding data, and critical infrastructure. This can all influence higher-level issues like maintaining competitiveness in the market, stock price, and shareholder value.
“For financial sector institutions, cybersecurity has become an issue from the top down. Board of Directors, Chief Executive Officers and Senior Executive must ensure that they are making the right decisions about cybersecurity for their institution. Shareholders and company Board of Directors are now asking questions about companies’ approach to cybersecurity and readiness to face an attack and CEOs must make it clear that security is not just an IT problem – it is a priority for the business. CEOs need to be able to answer tough questions and prove that they are working with the senior leadership team to develop a cybersecurity strategy and that they understand the cybersecurity landscape and how it can affect key business function in the company.”
He said it is incumbent upon CEOs to learn more about cybersecurity to ensure that their company is taking appropriate actions to secure their most valuable information assets. “This does not mean that every CEO needs to become a cybersecurity expert. Rather, CEOs should increase their knowledge of core cybersecurity concepts and leverage their own leadership skills to conceptualise and manage risk in strategic terms, understanding the business impact of risk. Most executives want to manage cybersecurity risks in the same thoughtful and intelligent way as they manage other aspects of their business,” he said.
Speaking on data security, he said banks are privy to an immense amount of data, which if put in the wrong hands could be harnessed for illicit activities, the most popular example being Facebook data and the data harnessed by Cambridge Analytica through the Application Programmable Interface (API) and the interference in the 2016 American Elections.
“As a solution, I implore intermediaries such as Payment Solutions Service Providers (PSSP) to efficiently act on data breaches. Furthermore, I believe that Data Privacy challenges could be effectively tackled with adequate legislation, which would enforce best practices in data protection. Also, a constant review of compliance with global standards such as International Standard Organisations (ISO) and Payment Card Industry Data Security Standards (PCI-DSS) are ensured by the players in the financial service industry,” he said.
He said identity theft is on the rise due to the adoption of digitised platforms globally. The ease with which personal data could be illegally harvested is now more sophisticated than ever. “As a suggestion, I implore all banks to invest further in user education of customers on possible threats with remedies for mitigating such threats. I also implore banks to further employ the use of intelligence systems and tools such as Predictive Analytics solutions to determine irregular activities on bank accounts, which have been compromised or inconspicuous fraudulent activities.”

Nigeria -- Banks, Fintechs Urged to Invest in Cyber Security Solutions

Banks and financial technology companies have been urged to invest in innovative solutions in combating cybercrimes.
The charge was given at a breakfast meeting organised by Best of Breed Business Solutions Limited (BBBS) in conjunction with its Partner, Barac Uk, to address enterprise fraud and cyber security challenges in the Nigeria market.
 
Speaking at the event, the Chief Executive Officer, Best Business Solution Limited, Mbama Ethelbert, said to address issues around the fraud and cyber threats, it was important for companies to understand the kind of data that was being generated by organisations such as banks and telecommunication companies.
“Most organisations, especially, service oriented organisations like banks, telecoms, fintech companies are moving toward digital transformation as a key strategy. This means opening up of its platforms to third party vendors/partners, using multiple channels to offer services to their customers such as social media channels, mobile, web, PoS and others.
“These generate massive volumes of data and expose the organisations to threats,” he noted.
He also stated that presently, there are two kinds of data known as structured and unstructured data, “and a third one that sits between both data types known as semi-unstructured data.”
He stated that structured data can be stored in a relational database such as Oracle, MS SQL and others. “Here, data is stored in tables with rows and columns. They have relational key and can easily be mapped into pre-designed fields. Thus, they are highly organised information that uploads neatly into a relational database.”
In his remarks, the Chief Executive Officer, Barac Uk, Omar Yaacoubi, noted that there are various measures which the banks have to put in place, so that when hackers change their behaviours, the solutions that they are using can also change their behaviour as well.
He explained that modifying the rules was complex, noting that solutions such as artificial intelligence, machine learning and behaviour analytics, would help solve part of the challenges.
Continuing, Ethelbert added: “Structured data concerns all data which can be stored in a Relational Database like Oracle, MS SQL etc. Here, data is stored in tables with rows and columns.”

Unity Bank Wins Award

Unity Bank Plc has won the Central Bank of Nigeria (CBN) 2018 sustainable banking award.
Specifically, the financial institution won the ‘Sustainable Transaction of the Year in Agriculture’ award.
The bank won the award for its compliance with the sustainable banking principles as it relates to the management of environmental and social risk set out by the CBN for adoption by Nigerian banks, discount houses and development banks.
A statement explained that at the Bankers’ Committee recently held in Lagos, the CBN, while presenting the award, commended Unity Bank’s efforts in promoting the Anchor Borrowers Program (ABP), Rice Farmers Association of Nigeria (RIFAN) project.
According to the statement, the regulator had added that the lender deserved the award because of the role it played in the actualisation and management of these audacious projects.
The active involvement of the bank in various financing schemes had resulted in creating huge social and economic impact on the income of households involving over 270,000 participating small holder farmers thereby boosting not only the gross domestic product but also helping to achieve self-sufficiency in food production.
Commenting on the development, the Managing Director/Chief Executive Officer of Unity Bank Plc, Mrs. Tomi Somefun, dedicated the award to all farmers and businesses in agriculture value chain, adding: “we have successfully on-boarded over 90,000 hitherto financially excluded farmers and generated bank verification number for them to facilitate financial and banking transaction.”
She added: “Capacities of about 60 agro input suppliers were expanded through provision of facilities and financial advisory services.
“The bank’s environmental and social management program covers comprehensive business operations that minimise adverse impact on the environment in the scope of its business activities.”
According to Somefun, the bank’s environmental management policies and strategies comprehensively cover priority areas that encourage bio-diversity, green initiatives, recycling of waste, reduction of carbon emission geared towards promoting sustainability, conservation and environmental protection.
Unity Bank Plc is a niche player in agricultural financing in Nigeria, with active participation in most government intervention schemes and support for key policy initiatives.
These are aimed at driving growth and transformation of Nigeria’s agricultural economy.

Marriott: Good news. Hackers only took 383 million booking records ...

Hotel megachain Marriott International has gone into further detail on the cyber-raid on its reservation database, including the number of payment cards and passport details siphoned off by hackers.
In an update today to its November 30 disclosure, Marriott now says the (allegedly Chinese) miscreants who broke into its Starwood guest database made off with a total of 5.25 million unencrypted passport numbers and 20.3 million encrypted numbers.
While the passport numbers would be considered sensitive personal information that should not be made public, the numbers and names of guests alone would not be enough for a criminal to create a forged passport. Still, Marriott will be covering the cost for anyone who has had to get a new passport as a result of the data theft.
In addition to the passport numbers, Marriott says the criminals made off with 8.6 million encrypted payment card numbers. While there would be the chance for fraud should those numbers be decrypted, most would be useless by now as, according to Marriott, all but 354,000 of the lifted numbers were expired by September 2018, which was when the heist was discovered. On the other hand, the hackers were in Marriott's systems from 2014 to that date, so many of those cards were likely active during the database infiltration, we reckon.
"There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," Marriott said in its statement.

Book 'em, Danno

If there is some good news to be had for Marriott, it is that the total number of stolen records is a bit lower than first feared. The resort chain has revised its original estimate of 500 million hacked records to a slightly less-catastrophic 383 million. That's 383 million reservations, not 383 million unique people: some folks obviously stayed in the hotels more than once during the mega-hack.
Those stolen records potentially include: unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences.
"Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated," the chain was keen to stress.
"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.
"The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database."
The security breach will mean the end of the road for the Starwood Reservations system at the center of the hack. "The company has completed the phase out of the operation of the Starwood reservations database, effective the end of 2018," Marriott said.
"With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system."
Anyone who believes their personal information to have been involved in the data theft is advised to visit Marriott's support site. The biz is also offering to cover a year of identity-theft monitoring service.

Germany hacked: Angela Merkel's colleagues among mass data dump victims

German politicians, journalists and other prominent public figures have been doxxed by hackers who distributed their personal data on Twitter, according to local reports.
A slew of prominent figures and organisations were seemingly targeted for the data dump operation.
"Contact details such as hundreds of mobile phone numbers and addresses of politicians from the Bundestag and partly also from state politics were reported," according to one version of events from German TV Die Tagesschau (natürlich auf Deutsch).
"There is no system for selecting published data and information," it continued. "Rather, it seems as if everything that came into the hackers' [hands] has been posted on the internet."
The dumped data, which started slipping out onto the internet the week before Christmas, ranged from internal political party communications to photographs of ID cards, letters, emails, invoices, chat transcripts, mobile phone numbers and credit card information, as well as other miscellaneous categories.
Nobody appeared sure where the data came from, though the sheer breadth and depth of it suggests a sustained operation that was ongoing for some years, judging by other reports. While Die Tagesschau presented the hack as motivated by right-wing political beliefs, other outlets looked closely at the data dump and saw that the ruling centre-right party, Chancellor Angela Merkel's Christian Democratic Union, had also been targeted – something that suggests the motive may not have been entirely political.
Oddly, the only political party whose data had not been released ("yet", as tabloid Bild reported) was the right-wing Alternative für Deutschland, Germany's answer to UKIP.
The perfunctory "Russia did it" spiel hasn't yet been wheeled out, though the initial modus operandi of leaving the AfD alone is clearly intended to point inquiring minds in their direction. Russia generally supports right-wing populist political parties in the West, either through rhetoric or murkier methods.
Bild quoted deputy government spokesperson Martina Fietz as warning that fake material could have been introduced into the data.
A spokesman for the far-left Linke party told newswire Reuters: "I can confirm there has been an incident," adding that the party's Parliamentary leader had been one of the victims.
Defiantly, the Social Democratic Party's secretary-general, Lars Klingbeil, told Bild: "Any possible political motivation for this attack must be clarified. Whoever is responsible wants to intimidate politicians and [they] will not succeed. The competition between democratic parties takes place through the competition of ideas – not through the publication of sensitive, personal data."
Although the information was being broadcast on Twitter before Christmas, the world only woke up and noticed it this year. Twitter has now reportedly deleted one of the accounts posting links to the data dumps.

Marriott Revises Breach Scope to 383M Records

The hotel giant said after de-duping, the breach appears to be smaller than it thought.
Marriott has revised downward its estimate on the number of guests whose passport numbers and payment card data were impacted in its recent data breach.
After the hospitality giant confirmed in November that there had been unauthorized access to its Starwood guest reservations database from 2014 up to September 2018, it said that up to 500 million guests were potentially impacted. However, after de-duping the information, Marriott said that 383 million records – not guests – were involved in the incident, with multiple records associated to the same individual in many cases.
Breaking the information down further, 5.25 million unencrypted passport numbers were included in the breach, along with 20.3 million encrypted passport numbers.
“Compromise of those passports is historic,” said Tom Kellermann, chief cybersecurity officer at Carbon Black, via email. “[Millions of] individuals are essentially exposed to cybercrime and economic espionage. The lines between the physical world and cyberspace are blurring as we see signals intelligence-gathering and human intelligence-gathering merging. The Chinese have taken a page from the Russian cyber playbook. The Chinese can now track individuals as they travel and leverage physical and cyber assets to spy on them. This breach is the tipping point that the new Congress may use to mandate federal data breach reporting.”
Also, about 8.6 million encrypted payment cards were involved, with 354,000 payment cards that the hotel chain said were unexpired as of September 2018. Marriott also said that it believes that there may be fewer than 2,000 15-digit and 16-digit numbers that guests may have entered into other fields in the input form that might be unencrypted.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott’s president and CEO, in a website statement. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
The company also said that it has taken its Starwood reservation system offline and migrated all reservations to a separate in-house Marriott system.

Happy New Year