Combating Cybercrime in Emerging Economies: The Case for Regional Cybersecurity Centers to Protect the Finances of the Poor
Cybercrime is growing in emerging economies, and it has proliferated during the COVID-19 pandemic, threatening progress in building more inclusive financial sectors. As the developed world deploys ever-stronger safeguards against cyber attacks, criminals are increasingly targeting low-capacity countries with scams and account hacking. And the poorest people tend to be the most at risk – and the least able to afford losing money.
Additionally, the poor are more likely to conduct financial transactions on insecure digital channels via older-model mobile phones that rely on SMS or USSD. They also have lower levels of literacy and technological sophistication, so they are more vulnerable to scams. In the Philippines, for example, 83% of people surveyed by CGAP and the International Telecommunication Union in 2016 reported receiving mobile phone frauds and scams, and 17% reported that they had lost money, while in Tanzania the rates were 27% and 17% respectively. And new virus-related scams have emerged during the coronavirus pandemic.
Many government and industry bodies are aware of the need to develop responses. However, cybersecurity management and monitoring require new expertise and resources that are often not available in developing countries. This is due to a lack of personnel with sufficient background and experience, of training programs, and of providers of cyber vulnerability assessment and penetration analysis. While cybersecurity support services can be found, they seldom offer the specialized and affordable advice and services required by financial sector stakeholders hoping to protect low-income populations’ assets and accounts against relentless cyber challenges. With limited resources and in-house expertise, financial regulators and providers are finding it increasingly difficult to keep up with cyber criminals.
A Viable Solution: Regional Cybersecurity Centers
However, possible solutions do exist. In resource-constrained environments, governments and industry could partner to form regional cybersecurity resource centers, allowing several countries and their financial sectors to pool knowledge and expertise, and to leverage economies of scale to offer a shared information and support hub for cybersecurity. In addition to regional centers, small local cybersecurity support teams could provide some basic services along with direct contact with users, while the most challenging problems could be escalated to continent-wide centers, which would also need to be established.
Regional centers could be a knowledge resource, while providing support services on cyber threats and risk management. They could offer timely, accessible and affordable information on best practices, capacity building and emergency response to financial service providers, payment systems operators and financial sector regulators and supervisors – who themselves need to protect their own sensitive information. The more entities that participate, the richer the pool of threat information that could be collected and shared, giving the center a comprehensive overview of the cyber threats posed. To avoid potential private sector concerns about information-sharing with the government, the regional centers could be privately operated while still facilitating public-private collaboration, including threat information sharing.
Regional centers would build on and complement, rather than supplant, existing cybersecurity service structures. They would advance consumer protection, which is critical to the expansion of digital finance and financial inclusion. A key component of this would involve education: teaching individuals about how to avoid falling for phishing attacks, as well as letting industry and government know what needs to be done to protect their vital systems and assets.
In addition, regional centers could be platforms for innovation and local talent development. By taking a fresh look at technology, these centers could enable emerging countries to leapfrog developed countries’ approaches. For instance, they could promote the use of open source software for the prevention, detection and remediation of cyber threats instead of using traditional, off-the-shelf software. Centers would offer a platform for testing cybersecurity solutions for the financial sector. To recruit qualified talent, they could collaborate and partner with local and regional universities and advocate for training women, who are often underrepresented in the IT field, giving them access to high-paying jobs in the tech sector.
The Role of Development Funders in Cybersecurity
Over time, the centers would work to establish self-sustainable business operations covered by membership and service fees paid by their users. Based on CGAP’s research, there is a strong demand for cybersecurity support services, and a clear business case for regional cybersecurity resource centers. Potential customers would include finance-related firms as well as regulators such as central banks, many of whom told CGAP that they would be willing to pay for such services. Fees could be scaled based on the size and risk exposure of particular firms. Our projections indicate that there’s a good chance centers could break even in three to four years, and have a positive cash flow starting in their fifth year. Development funders could play a critical role in getting the centers up and running by helping to cover the startup funding gap.
Development finance would be essential in order to successfully launch regional cybersecurity centers, because set-up would be capital intensive. This would include establishing physical centers, purchasing software licenses, and outfitting computer labs and training facilities. In some cases, establishing a large geographical coverage footprint for a regional center would require initiating and maintaining relationships with multiple local partners and customers through convenings and other outreach activities.
The financial support required for the first three to four years of operation could take the form of patient capital, equity, debt or grants, as well as technical assistance. During this time, the centers could raise awareness among government and private sector players, hire experts, and build up staff skills – all of which would be needed to build trust in the centers and expand their customer base.
Foundational work to move the centers from concept to operation would also involve identifying initial regions to house the centers, and convening regional and international stakeholders and funders. To avoid duplicating efforts, it would be important to identify existing cybersecurity initiatives that could be leveraged and complemented. Starting with one or two regions as a proof of concept would make sense, generating learnings that would allow these efforts to be replicated in other regions. Variations in market size and complexity, language requirements, culture, capacity, and skills would all have to be factored in. As trust is developed, over time there could be collaboration and coordination between regional centers – a practice which would ultimately be key to ongoing information and threat sharing.
Funders and other sector support organizations could assist in the creation of regional cybersecurity centers by conducting market research, holding in-person or virtual regional convenings, helping establish public-private partnerships, and supporting the dissemination of calls for proposals and the development of sustainable business plans and impact strategies. They could also help document lessons learned, develop training materials and guidance notes, support research and development, and promote the adaptation and replication of the cybersecurity center concept in other regions or continents. Regional and local policymakers and convening bodies could also be important partners in an effort to create regional centers, because they are institutionally focused on protecting financial systems. They also have existing standing in the sector, and they often have the regulatory tools to encourage or mandate financial institutions’ use of cybersecurity resource centers.
The biggest challenge is just getting started – which is where funders and governments could jump-start the process. The first step would be to assess local and regional cybersecurity defense capacity and stakeholders’ willingness to support and run the cybersecurity centers. Building on existing entities and filling in the gaps, an interconnected structure of centers could be designed to help protect financial institutions.
Measures of Success
Key metrics of success for regional centers would include:
- Improving cyber protections for the millions of financial consumers in developing countries who have adopted electronic financial services – including those who have gone digital in response to the threats of in-person transactions due to the global pandemic;
- Expanding gender inclusion – not only by providing training for women in a high-paying technology field, but also by offering employment after that training has been completed;
- Becoming self-sustaining after five years.
Developing countries will need to step up their cyber defenses – regional cybersecurity centers can help strengthen those defenses. Stakeholders in the sector throughout the region should begin discussion and planning around this and other potential solutions to cybersecurity risks, as the problem is only likely to grow in the coming years. The following CGAP resources can help inform these discussions:
Blog Series: Cybersecurity and Financial Inclusion: Protecting Customers, Building Trust
Paper: “Cybersecurity in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion,” by S. Baur Yazbeck, J. Frickenstein and D. Medine, Nov. 2019
Photo courtesy of Blogtrepreneur.