
GHANA’S CYBERSECURITY ACT, 2020 (ACT 1038); THE BANK OF GHANA CYBER AND INFORMATION SECURITY DIRECTIVE: IMPLICATIONS AND THE ROLE OF BOARD OF DIRECTORS OF BANKS

1ST DEPUTY GOVERNOR'S REMARKS

PRESENTED BY ISMAIL ADAM, DEPUTY DIRECTOR,

BANKING SUPERVISION DEPARTMENT, BANK OF GHANA

The Council Executives – Ghana Association of Banks (GAB)

The Management – Ghana Association of Banks (GAB)

Chief Executive Officers and Managing Directors of Banks

Executives of the Cyber Security Authority

Invited Guests

Distinguished Guests, Ladies, and Gentlemen

1. I am honoured to be invited to this august occasion. I bring you warm greetings from the Management and staff of the Bank of Ghana. We are delighted at the resoluteness GAB has displayed over the years, and would like to commend the leadership of the Association for its efforts.

2. The business of banking has evolved significantly over the past decade, from traditional banking to more technology-driven banking. This requires leveraging high-end computers and advanced hand-held devices equipped with ultra-fast internet connections.

3. Mr. Chairman, customers' tastes and preferences, as well as technological advancements, are the major drivers of the changes we are experiencing in the banking industry today.

4. Whilst technological advancement in banking provides convenience and faster service delivery for consumers, it also introduces risks for all stakeholders which must be managed.

5. Mr. Chairman, the advancement of and increased reliance on the use of technology has come with its own risks and vulnerabilities. In recent times the concern is not about the capabilities of ICT to simplify lives, but the risks that these capabilities pose to personal and corporate assets. The challenge therefore is how to ensure that technology remains a tool for further development and not a risk.

6. As alluded to earlier, the relevance of and dependency on information technology has increased in the Ghanaian banking sector, as banks have sought a medium through which to serve their clients more efficiently, effectively and conveniently, while remaining competitive and profitable. Mr. Chairman, this also creates a critical role for an Association such as yours and for the respective Boards and Senior Management of the banks.

7. In this regard, let me enumerate a number of emerging trends and issues that could impact the Association's member banks' risk profiles:

a. The lack of expertise at various managerial levels required to deal with the information technology and cybersecurity risk facing the banking sector;

b. Increasing demand for IT infrastructure that is scalable, flexible and interoperable, both within banks and across the banking sector, whilst ensuring the confidentiality, integrity and availability of information assets and services;

c. Increasing opportunities for cyber criminals to perpetrate digital financial fraud;

d. The threat to customer privacy and the associated risks, which could be legal and reputational, that may emanate from the collection, storage and frequent sharing of significant quantities of customer data; and

e. A greater reliance on outsourcing to third-party service providers, including the use of cloud services, and the challenges this poses for service quality, reliability and cost efficiency, to mention but a few.

8. Mr Chairman, the foregoing makes today's meeting very relevant. The Board and Senior Management of the Member Banks have a responsibility for setting the right "tone at the top". The Board and Management hold the key to ensuring the adoption of the appropriate technologies in financial services.

9. In recent times, global reports on digital financial fraud, cyber-attacks on banks' ICT infrastructure, and cyber-related scandals are on the increase. The extent to which similar cybersecurity threats and attacks are occurring domestically is unclear; however, there is enough evidence to indicate that Ghana has not been spared.

10. Ladies and Gentlemen, in the year 2020, the value of reported attempted fraud was estimated at GH¢1.00 billion, as compared to GH¢115.51 million recorded in 2019. This was as a result of a number of electronic products and services introduced by banks as a measure to curb the spread of COVID-19. However, the value of losses incurred as a result of fraud for 2020 was GH¢25.40 million, as compared to an estimated loss of GH¢33.44 million in 2019. This could be as a result of effective controls that have been deployed by the member banks of this Association.

11. Mr Chairman, as far back as October 2018 the Bank of Ghana was proactive and took steps to issue the Cyber and Information Security Directive in a bid to enhance and protect the security of this critical sector of our economy. The Directive was aimed at creating a secure environment within the cyberspace for the financial services industry and thus serves to generate adequate trust and confidence in Information and Communication Technology (ICT) systems.

12. The Directive covers banks, SDIs, Financial Holding Companies, Dedicated Electronic Money Issuers, Payment Service Providers and other stakeholders in the banking industry, including Third-Party Service Providers.

13. The aim of the Cyber and Information Security Directive is to protect consumers and create a safer environment for online and e-payment products, among others. The Directive seeks to achieve a number of benefits, including, but not limited to, the following:

a. To create a secure environment for transactions within the cyberspace and guarantee trust and confidence in ICT systems;

b. To provide an assurance framework for the design of security policies in compliance with global security standards and best practices, by way of cyber and information security assessments; and

c. To protect banks, customers and clients against the potentially devastating consequences of cyber-attacks.

14. Mr Chairman, the Directive mandates banks to implement Security Information and Event Management Systems (SIEMs) to correlate cyber threat incident alerts. Whilst the SIEM enhances cyber security incident detection and analysis, as well as the provision of real-time alerts for timely incident response, it is also important to complement the SIEM with a Security Operations Centre (SOC), which would offer real-time monitoring of cyber security alerts and provide Information Technology teams with cyber threat information to deal with any threat actors identified at the SOC.

15. Following the issuance of the Directive, the Bank of Ghana has introduced many initiatives to strengthen and secure the information security architecture of the banks and also to ensure that the systems are robust and resilient. In pursuing a successful implementation of the Cyber and Information Security Directive, the Bank of Ghana has embarked on the Financial Industry Command Security Operations Centre (FICSOC) project to equip the industry with aggregated visibility (through cybersecurity monitoring and threat intelligence sharing) of the cyber threat landscape confronting the sector. The FICSOC is a banking industry SOC implemented by the Bank of Ghana to integrate all banks' SIEMs for real-time cyber threat intelligence sharing across the banking industry.

16. Mr. Chairman, to further ensure that the cyber space of the Ghanaian banking industry is protected, the Bank of Ghana mandated banks to integrate their respective SIEMs with the FICSOC. So far, the Bank of Ghana has successfully integrated over 12 banks, and we are in the process of integrating the remaining banks. The Bank of Ghana shall further integrate the other classes of institutions after successfully integrating all banks by the end of this year. We encourage the Boards of your member banks to ensure adequate resources are made available for the successful implementation of this project.

17. The Directive also requires banks to attain certification to ISO 27001:2013. This provides reasonable assurance to interested parties that the confidentiality, integrity and availability of information and information processing facilities are preserved in banks by applying risk management processes.

18. The Directive also requires all institutions that handle, process, transmit and store Credit Cards, Debit Cards, Prepaid Cards, eWallets, ATMs and PoS to obtain PCI DSS certification. This would provide some comfort and reasonable assurance that customers' payment card information is protected from unauthorised persons.

19. The Bank of Ghana, through its monitoring process, has seen significant improvement in ISO 27001:2013 and PCI DSS certifications among banks in the industry.

20. Ladies and Gentlemen, the Boards of Directors of banks play a major role in the management of Cyber and Information Security risks, as the Board sets the overall risk appetite of the bank, which in turn provides the direction for the bank's Cyber and Information Security function.

21. The Board of Directors has the responsibility to approve all Cyber and Information Security related policies and procedures, including policies for Third-Party Service Providers under outsourced Information Technology and Security services.

22. The Board is therefore required to have a fair understanding of Cyber and Information Security risks in order to provide the required direction in respect of the Cyber and Information Security function of the bank. Additionally, the Board shall also appoint a Committee on Cyber and Information Security to discuss Cyber and Information Security incidents on a regular basis.

23. Mr. Chairman, having monitored the implementation of the Directive for four years, the Bank of Ghana has identified a few areas that require improvement due to rapid changes in the Cyber and Information Security landscape. We have therefore initiated a process to review the Directive, which would include requirements for Blockchain technology, Machine Learning and Artificial Intelligence, among others.

24. Overall, banks' implementation of the Cyber and Information Security Directive has been impressive. Notwithstanding this, we urge all banks that are yet to achieve full compliance to fine-tune their internal processes to safeguard their respective banks and the digital financial ecosystem, and the Board is expected to provide the needed support to facilitate this process.

25. The Cyber Security Authority was set up to protect Ghana's cyberspace and critical databases. In December 2020, Ghana's first Cybersecurity Act, 2020 (Act 1038) was assented to by the President. The Act was passed to regulate cybersecurity in Ghana and also to regulate owners of Critical Information Infrastructure in the country, in respect of cybersecurity activities, as well as service providers and practitioners.

26. The Bank of Ghana will ensure strategic alignment of the Cyber and Information Security Directive with the Cyber Security Act to achieve a common goal. The Bank of Ghana would strengthen collaboration with other industry players such as the Cyber Security Authority, the Data Protection Commission and the Ministry of Communication for a safer digital environment in the country.

27. Mr. Chairman, permit me to end my remarks by reiterating that cyber security is one of the most urgent issues facing most, if not all, organisations. Computer networks will remain the target of cyber criminals, and it is likely that the danger of cyber security breaches will continue to increase in the foreseeable future as these networks expand. Fortunately, there are appropriate precautions that organisations can take to minimise losses from those who seek to do harm.

28. I wish you very fruitful deliberations at this workshop and thank you all for your kind attention.

Thank you.