CRITICAL DATA SECURITY ISSUES IN THE NIGERIAN BANKING SECTOR

By: Victoria Oloni

1.0 INTRODUCTION:

In recent times, the Nigerian banking sector has been hit with several waves of rumours of data breaches, the most recent of which are the alleged data breaches suffered by Unity Bank and Access Bank in August and September 2020 respectively.[1] Although these rumours have been vehemently denied, they have drawn nationwide attention to the importance of Data Security within the sector. A recent survey by Sophos Group PLC, a British security software and hardware company, revealed that 86% of Nigerian companies fell prey to cyberattacks in 2019, the second highest percentage recorded globally after India and much higher than South Africa's 64%.[2] In the digital age, various sectors of the economy, both private and public, are involved in massive data collection activities, and the banking sector is not spared by this data/information revolution.

Notable developments in the industry include the adoption of the KYC (Know Your Customer) scheme alongside the use of information and communication technologies (ICT) in providing banking services and goods. Examples of ICT-based products include Automated Teller Machine (ATM) transactions, pay-by-phone systems, personal computer banking, POS (Point of Sale) terminals and mobile banking, which together form the subject of electronic banking or Electronic Funds Transfers (EFTs), and most recently Fintech platforms. The banking sector currently sits at an information control crossroads. Advances in information technology have fundamentally altered the business environment[3] and created a marketplace suffering from a data control paradox: on the one hand, data aggregation, and with it the commercial leveraging of data, is easier than ever before; on the other hand, protecting proprietary information is becoming increasingly difficult.[4]

1.1 REGULATORY FRAMEWORK

All over the world, confidentiality and integrity are recognized as cardinal principles of Data Protection, and the Nigerian Data Protection Regulation is not left out in this regard. The Regulation provides that personal data must be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, and damage by rain, fire or exposure to other natural elements.[5] Section 3 of the Draft Data Protection Bill also provides that data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and access, and against loss, destruction or damage, and that the data controller and data processor shall use appropriate technical and organizational measures to ensure the integrity, confidentiality and availability of the personal data.[6] In addition to the general laws that provide for the security of data, there are other laws that deal specifically with Data Security in the banking sector. They include:

a. The Cybercrimes Act 2015:

The Act provides an effective, unified, and comprehensive legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria. The primary objective of the Act is to “promote cybersecurity and protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights”.[7]

Section 30 of the Act provides that any person who manipulates an ATM or POS terminal with the intention to defraud shall be guilty of an offense punishable by up to five years' imprisonment or a fine of N5,000,000.00, or both. The Act also criminalizes phishing, punishable on conviction by up to three years' imprisonment or a fine of N1,000,000.00, or both. Section 22 recognizes the offense of identity theft and impersonation. The Act also places a responsibility on financial institutions to put in place effective counter-fraud measures to safeguard their sensitive information.[8] The Act also prescribes a term of imprisonment of not more than seven years or a fine as high as N5,000,000.00, or both.[9] Financial institutions are also mandated to verify the identity of their customers carrying out electronic financial transactions. The Act also provides that service providers shall take appropriate measures to safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement.[10]

b. Nigerian Payments System Risk and Information Security Management Framework 2020:

The CBN introduced the Nigerian Payments System Risk and Information Security Management Framework (“this Framework”) to guide the management of risks associated with the payments system in Nigeria. This Framework is designed to guide the operators and users of the payment systems across Nigeria.[11] The Framework covers basic risks in payment systems, including information security risks resulting from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction of information assets and information systems.[12] Furthermore, the Framework provides that system operators, participants and Payment Service Providers (PSPs) shall establish and implement information security policies that are in line with ISO 27001 or subsequent standards and ensure the confidentiality, integrity and availability of all information, systems and networks that are critical to the success of the scheme.[13] Scheme boards shall also recommend minimum fraud prevention requirements for participants in their schemes.[14]

c. Central Bank of Nigeria's Consumer Protection Framework 2019:

The Central Bank of Nigeria (CBN), in furtherance of its mandate to promote a stable financial system, embarked on the development of a Consumer Protection Framework (CPF) to, among other things, engender public confidence in the financial system.[15] The Framework was unveiled on the 7th of November 2016 for consumers of financial services in Nigeria. The Framework formulates nine (9) key principles for consumer protection, one of which is data security and privacy.[16] The Guidelines cover the processing of personal data wholly or partly by automatic means, and the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

Para 5.4.1 of this Framework imposes a burden on financial institutions to maintain the confidentiality and privacy of all financial services customers, present or past. It further provides that appropriate data protection measures and staff training programmes should be put in place to prevent unauthorised access, alteration, disclosure, accidental loss or destruction of customer data. Financial services providers are also required to obtain the written consent of consumers before their data is shared with third parties or used for promotional offers.

d. Risk-based Cyber-security Framework for Deposit Money Banks 2018:

In June 2018, due to the increasing focus on cybersecurity worldwide and the rise in cyber threats both in and outside Nigeria, the Central Bank of Nigeria (CBN) issued a draft risk-based framework and guidelines on cybersecurity for Deposit Money Banks (DMBs) and Payment Service Providers (PSPs), which came into force on 1 January 2019.[17] The Framework complements and builds on the Cybercrimes (Prohibition, Prevention) Act 2015 (the Cybercrimes Act), which the National Assembly passed into law in May 2015, by promoting cybersecurity and protecting computer systems and networks and electronic communications.

The Framework places on the Board of Directors the responsibility of ensuring that cybersecurity is completely integrated with business functions and well managed across the DMB/PSP.[18] The Board also appoints the “Chief Information Security Officer” (CISO), who shall be responsible for overseeing and implementing its cybersecurity programme. The Framework then lays down the responsibilities of the CISO.[19] The Framework also mandates DMBs/PSPs to ensure the consistent conduct of risk assessments, vulnerability assessments and threat analysis to detect and evaluate risk to the DMB/PSP's information assets and determine the appropriateness of security controls in managing risk.[20] DMBs/PSPs are also required to possess an objective knowledge, based on fact, of all emerging threats, cyber-attacks, attack vectors, mechanisms and indicators of attack/compromise to their information assets, which shall be used to make informed decisions.[21] DMBs/PSPs are also obligated to report all cyber-incidents, whether successful or not, immediately after such an incident is identified, to the Director of Banking Supervision, Central Bank of Nigeria, using the report format in Appendix VI of the Framework.[22]

e. Regulatory Framework for the Use of Unstructured Supplementary Service Data (USSD) for Financial Services in Nigeria 2018:

Pursuant to its mandate of promoting a sound financial system in Nigeria, the CBN issued the Regulatory Framework for the Use of Unstructured Supplementary Service Data (USSD) for Financial Services in Nigeria[23] on the 1st of June 2018.

The framework provides that financial institutions, which include banks, shall ensure at least radio encryption between users' SIM-enabled devices and base stations, ensure the encryption of USSD information within their environment by an auditable process, and ensure that data stored by the USSD application at financial institutions is encrypted; the NCC shall define a minimum security standard for MNOs and aggregators, as may be required.[24]

The framework lists the participants in the USSD ecosystem as financial institutions, Mobile Money Operators (MMOs), Mobile Network Operators (MNOs), Value Added Service Providers/Aggregators (NCC licensees) and customers.[25] Financial institutions include switches, application vendors and Payment Service Providers providing products and services using the USSD protocol.[26]

f. Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry 2017:

The Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry (“Framework”) was issued by the CBN in the exercise of the powers conferred on the Central Bank of Nigeria (CBN) by Sections 2(d) and 47(2) of the CBN Act 2007, to promote and facilitate the development of efficient and effective payments systems for the settlement of transactions, including the development of electronic payment systems.[27]

This framework was released to define access to, usage and management of BVN information, and the requirements and conditions for them.[28] This objective simply encapsulates the objectives of data protection in a single sentence. The framework further provides that:

  • parties involved in the BVN operations shall put in place secured hardware, software and encryption of messages transmitted through the BVN network;
  • BVN data shall be stored within the shores of Nigeria and shall not be routed across borders without the consent of the CBN;
  • users of the BVN information shall establish adequate security procedures to ensure the safety and security of their information and those of their clients, which shall include physical, logical, network and enterprise security; and
  • parties to the BVN operations shall ensure that all information that their employees have obtained in the course of discharging their responsibilities shall be classified as confidential.[29]

g. Guidelines on Mobile Money Services in Nigeria 2015:

These Guidelines were released in 2015 to address the business rules governing the operation of mobile money services, and specify the basic functionalities expected of any mobile payment service and solution in Nigeria.[30] One of the objectives of the Guidelines is to promote the safety and effectiveness of mobile money services and thereby enhance user confidence in the services.[31] The Guidelines provide minimum security standards for mobile payment solutions[32] and lay down requirements to mitigate risks arising from the operations of MMOs.[33]

h. Guidelines for Card Issuance and Usage 2014:

The CBN Guidelines for Card Issuance and Usage 2014 place a responsibility on banks to guarantee the security of cards issued to cardholders. It states that ‘The security of the payment card shall be the responsibility of the issuer and the losses incurred on account of breach of security or failure of the security mechanism shall be borne by the issuer, except [where] the issuer establishes [responsibility for the] security breach on the part of the card holder.’[34] It further provides that ‘Issuers should ensure that the process of card issuance is completely separated from the process of PIN issuance, and done in accordance with best practices thus minimizing the risk of compromise.’[35]

i. Guidelines on Electronic Banking in Nigeria 2003:

The Guidelines were issued in August 2003 following the findings and recommendations of the Technical Committee on e-Banking. They cover the four categories recommended by the committee:

  • Information and Communications Technology (ICT) standards, to address issues relating to the technology solutions deployed and ensure that they meet the needs of consumers, the economy and international best practice in the areas of communication, hardware, software and security;
  • Monetary policy, to address issues relating to how increased usage of Internet banking and electronic payment delivery channels would affect the achievement of the CBN's monetary policy objectives;
  • Legal guidelines, to address issues on banking regulations and consumer rights protection; and
  • Regulatory and supervisory, to address issues that, though peculiar to payments systems in general, may be amplified by the use of electronic media.

The Guidelines place an obligation on banks to maintain the secrecy and confidentiality of customers' accounts. Banks should, therefore, institute adequate risk control measures to manage the associated risks.[36] The Guidelines provide that banks should protect the privacy of customers' data by ensuring that:

  • customers' personal data are used for the purpose for which they were compiled;
  • the consent of the customer is sought before the data is used;
  • the data user may request, free of cost, the blocking or rectification of inaccurate data, or enforce a remedy against breach of confidentiality;
  • the processing of children's data has the consent of the parents, with verification via regular mail; and
  • strict criminal and pecuniary sanctions are imposed in the event of default.[37]

1.2 THE DATA SECURITY PROBLEM IN THE NIGERIAN BANKING SECTOR

The banking sector in Nigeria is undoubtedly involved in the mass processing of high volumes of personal and financial data of bank customers in respect of numerous financial activities. Disclosure of personal and sensitive information during transactions across various industries, particularly transactions relating to the banking sector, has become inevitable.[38] These disclosures are not restricted to bank account numbers and passwords; they also extend to non-financial personal information such as name, residential address, passport number and a host of others. The quantum of personal information that banks process on a daily basis demands adequate and foolproof protection measures, given the sensitivity of such information.

One report puts the time it takes organizations to become aware of a data breach at an average of 197 days, and the time to contain it at an average of 69 days.[39] A cybersecurity study by Demadiur Systems Limited revealed that banks, insurance companies, and government institutions in Nigeria spent an estimated $270.22 million in 2018 to prevent cyberattacks.[40] In 2019, Nigerian banks were estimated to have spent about N200 billion to prevent various forms of cyber-attacks on their operations in the country.[41] A 2017 report by Serianu revealed that Africa lost $3.5 billion to cyberattacks.[42] In that report, Nigeria was the hardest hit with losses of $649 million, followed at a wide distance by Kenya with $210 million and Tanzania with $99 million.

Due to the risks associated with the prevalent threat of breaches in security networks, fraud, theft of identity across various industries, propelled by continuous technological evolution, it has become compelling for banks to focus on the enhancement of data security[43]. The high potential value of data in the banking sector accounts for why it has become a target for cyber-attackers who take advantage of the gaps afforded them by the absence of stronger data security measures put in place by the players in the industry[44].

Various operations within the Nigerian Banking Sector raise a number of security concerns. These operations include:

1.2.1 Know Your Customer (KYC) Policy:

Nigerian banks have a policy tailored to get to know their customers better called the Know-Your-Customer (KYC) Policy. On January 18, 2013, the Central Bank of Nigeria issued a circular to all banks and other financial institutions and introduced “three-tiered KYC requirements.”[45]

The three-tiered KYC regime seeks to implement flexible account opening requirements for low-value and medium-value account holders, subject to caps and transaction restrictions. It is in line with the CBN's regulatory steps to ensure that socially and financially disadvantaged persons are not precluded from opening accounts or obtaining other financial services for lack of acceptable means of identification.

Banks use the KYC policy to identify and get more acquainted with their customers. Through this process, banks update the personal data of customers regularly. This policy raises data protection concerns, as banks can use the accumulated information for purposes other than those for which it was collected. This information can be sold to retailers or direct marketers for the purpose of advertising. The banks can also use the information directly to market their own services through spam messages or junk mail.

1.2.2 The Bank Verification Number (BVN) Scheme:

In 2014, the CBN released a circular mandating all bank customers to register for a Bank Verification Number (BVN)[46] as part of the Know-Your-Customer (KYC) policy of banks. As at 30 August 2020, the CBN had captured 43,222,327 Nigerians in the bank verification project.[47] During this exercise, bank customers had to fill in elaborate forms requesting various kinds of personal information, including photographs and biometric data. Given the amount of personal data and information that would be processed during the BVN project and the skeletal data protection framework in place in Nigeria, there was an outcry for the suspension of the BVN registration exercise.[48]

A lot of questions have been raised concerning the data protection implications of the BVN Scheme. These questions include: Who do we hold accountable when there’s a breach? How secure is the data processed? Why can’t there be information sharing across the several agencies? Who is CBN accountable to, when it comes to the BVN?

1.2.3 Electronic Banking (E-Banking):

Electronic banking may be defined as a means whereby banking business is transacted using automated processes and electronic devices such as personal computers, telephones, fax machines, Internet, card payments and other electronic channels. Some banks practice electronic banking for informational purposes, some for simple transactions such as checking account balance as well as transmission of information, while others facilitate funds transfer and other financial transactions.[49]

In 2003, the CBN, in collaboration with the Bankers Committee, launched the first major initiative to modernize the payment system, granting approval to a number of banks to introduce international money transfer products, telephone banking and online banking via the internet on a limited scale. Today, virtually all banks have introduced Electronic Funds Transfers (EFT), debit and credit cards, internet banking, mobile banking and deployed Automated Teller Machines (ATM).

Over the years, banks and customers have expressed worries over the incessant incidence of fraud in the banking sector arising from the insecurity of financial transactions, particularly since the adoption of E-banking platforms, and from the fact that there have been records of hackers breaking into banks' websites.[50] There are various E-Banking channels utilised by customers, ranging from mobile banking to internet banking, banking applications, etc.

a. Mobile Banking Applications:

It can safely be said that all Nigerian commercial banks have mobile banking applications available on the various application stores (Play Store, Palm Play, Apple App Store, etc.). These applications make different services available to customers at their fingertips. Customers can send money, buy airtime, buy internet bundles, pay their bills, request new debit cards, locate nearby bank branches and ATMs, apply for loans, check traffic updates, block their cards, request bank statements, and even forward their bank statements to an embassy/consulate that requests them. These applications have made banking easier, reducing the need to go to banking halls to the barest minimum.

However, these applications request your card PIN, your card number and sometimes a fingerprint to set up. Unlike cash payments, they allow banks to track customers' financial habits, GPS location and other personal information. While some of these permissions are harmless and simply necessary for the applications to function properly, when accumulated they can be used to track customer financial habits and facilitate direct marketing by the bank, and in the event of a security breach or hack this data can get into the hands of criminals or identity thieves. Some of these apps have excessive and intrusive permissions that are not necessary for the app to function, and in some cases are embedded with trackers that disclose customers' data to third parties and are capable of profiling the customer. More often than not, their privacy notices do not sufficiently disclose to customers the nature of the tracking and permissions.

b. Unstructured Supplementary Service Data (USSD) codes:

USSD is a protocol used by the GSM network to communicate with a service provider's platform.[51] It is a session-based, real-time messaging technology, accessed through a string which normally starts with an asterisk (*) and ends with a hash (#).[52] It is implemented as an interactive menu-driven service or command service. It has a shorter turnaround time than SMS and, unlike SMS, it does not operate on a store-and-forward basis, so data is stored neither on the mobile phone nor in the application. USSD technology is considered cost-effective, more user-friendly, faster in concluding transactions, and handset agnostic.

First introduced into the Nigerian banking sector a few years ago, USSD codes have become a new favourite of bank customers. They provide some of the services that mobile applications provide, but on a more limited scale. Each bank has a unique USSD code, usually made up of three digits. Once again, this puts banking at customers' fingertips. Customers can perform basic transactions such as transferring funds, buying airtime and checking their BVN, and depending on the bank, these transactions are either instant or take a few minutes to complete. However, customers have to input their secret number (PIN) to complete these transactions.

The major privacy concern raised by USSD codes is that the information transferred between the customer and the bank's server has to pass through the network provider, who is a third party. There is no indication of encryption between the two ends that would prevent third parties (i.e. the network providers in this case) from viewing sensitive information transferred on this platform (e.g. PIN, token and even BVN). Although the regulation creates an encryption requirement, this has not been implemented by the banks or network providers.[53]

So, whether a customer is using 737 or 919 or any other USSD code for mobile banking, network providers have access to information transferred through those channels. This is a huge threat to the security of personal data of customers.

c. Automated Teller Machines:

As at 2016, Nigeria had 17,398 ATMs deployed by banks, 73% of which were owned by 12 commercial banks.[54] In the first quarter of 2018, the total value of Automated Teller Machine transactions rose to N32.48 trillion.[55] According to the CBN, a total volume of 839,819,922 transactions valued at N6.5 trillion was recorded in 2019. Criminal acts against ATMs and bank customers have always been a concern for financial institutions. Over the past few years, the focus has shifted from physically safeguarding and securing ATMs to preventing keylogging and ATM skimming, where thieves install skimmers that capture magnetic stripe and keypad information. Following the increasing cases of ATM fraud in Nigeria, the CBN set up a help desk to deal with cases of ATM fraud. The CBN also advised the respective banks to open and maintain similar help desks to assist their customers who are daily victims of ATM fraud.[56] The use of Automated Teller Machines raises security concerns because of their susceptibility to cyber attacks.

d. Point of Sale Terminals:

The NIBSS Quarterly Report for 2018 highlighted that the value of POS transactions in Nigeria grew by 57% from 1.023 trillion to 1.6 trillion, while the volume of POS transactions rose by 63% to 196.83 billion from 120.79 billion.[57] In 2019, there were about 438 million POS transactions valued at over 3.2 trillion naira.[58] In August 2020, there were over 53 million POS transactions in Nigeria, up by about 14 million since August 2019.[59] While there have been very few reports of large-scale data breaches in Nigeria via POS terminals, there have been forecasts that as the POS market grows globally and in Nigeria, the system may become highly susceptible to security and data breach threats in the near future. In 2013, the retail giant Target fell victim to one of the largest and most publicized data breaches of all time after attackers infected its POS systems with the POSRAM Trojan malware and stole personal information and payment card information on as many as 70 million Target customers. In September 2014, news broke that yet another major retailer, Home Depot, had been hit with POS malware and an ensuing breach of POS system data. Up to 56 million customers spanning 2,200 stores were impacted by the data breach. Other POS data breaches include the Mexican Grill POS data breach (2017), the Chili's Restaurant data breach (2018), the Forever 21 data breach (2018) and Applebee's (2018).

It is important to acknowledge that all POS systems do have some level of risk when it comes to security. Many attackers are just looking for targets using systems that are vulnerable and launching automated attacks on their POS environments. POS security is challenging because of the sheer volume of both known and unknown threats that exist, coupled with the value that POS system data holds for cybercriminals. In addition, the number of threats facing POS systems continues to rise because new POS malware is being created or updated all the time.

1.3 Preventing Cyber-attacks and Data Breaches

While there is no foolproof method for 100% prevention of data breaches and cyber-attacks, banks and other Financial Institutions can put in place certain measures to reduce risks to the barest minimum. These measures include:

  1. Classifying data in accordance with sensitivity relative to a potential data breach;
  2. Restricting downloads and external transfer of Data;
  3. Encryption of data;
  4. Software management;
  5. A top-to-bottom security culture involving C-level executives;
  6. Enforcing a “Strong Password” policy and eliminating auto logins;
  7. Educating employees (not limited to security team);
  8. Conducting vendor or third party due-diligence;
  9. Performing periodic information security assessments and ensuring they are up to date; and
  10. Implementing information security controls and ensuring they are up to date.

 

1.4 Effects of Data Breaches

a. Loss of revenue and business:

According to the Ponemon Institute's “2014 Cost of Data Breach Study: Global Analysis,” the average cost of a corporate data breach is $3.5 million, a 15 percent increase compared to Ponemon's findings in 2013.[60] Equifax spent $1.4 billion on upgrading its security in the wake of its data breach.[61] The Nigerian Inter-Bank System (NIBSS) stated in its report that the banking industry lost the sum of N12.30 billion to various frauds between 2014 and 2017, with ATM fraud accounting for the highest fraud in 2017, with an actual loss of N497.64 million and a fraud volume of 9,823.[62] The 2016 report of the Nigeria Electronic Fraud Forum showed that the number of ATM cards in Nigeria increased to 35 million and the number of attempted ATM frauds increased by 82%.[63] The data leaks occasioned by data breaches more often than not result in the perpetration of fraud on data controllers and data subjects, which results in financial losses to both.

b. Exposure to Litigation:

Data breaches increase directors' and officers' exposure to regulatory action and, potentially, securities class-action lawsuits. Data breaches can become the subject of lawsuits by regulators and of class action lawsuits. After its 2013 data breach, Target had to pay $39 million to settle a class action suit and incurred another $19.9 million in associated legal costs. Home Depot also paid $19 million to settle a class action suit arising from its 2014 POS data breach. The Yahoo data breach cost the company 117.5 million in a settlement with the millions of people whose email addresses and other personal information were stolen.[64]

c. Fines and sanctions:

In Nigeria, organisations can suffer regulatory penalties for data security breaches. The Nigerian Data Protection Regulation empowers NITDA to impose penal sanctions of up to 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira, whichever is greater.[65] Apart from sanctions by NITDA, banks may also face sanctions from the CBN when a breach occurs. These regulatory sanctions are not peculiar to Nigeria. Under Art. 83(5) of the GDPR, fines can be up to 20 million euros or up to 4% of the total global turnover of the preceding fiscal year, whichever is higher, for very severe violations, and fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.[66]

d. Reputation Damage:

After the Equifax data breach, which affected 143 million people (more than 40 percent of the population of the United States), Wall Street investors began to abandon the company in droves and within a week its stock price dropped from $142.72 to $92.98. After nearly two months of non-stop controversy and scandal over its improper use of Facebook data, Cambridge Analytica announced that it was ceasing operations in 2019. AMCA, a collections agency specializing in medical receivables and providing services to customers such as LabCorp, also filed for bankruptcy after a data breach which affected millions of individuals in 2019. That breach went undetected for months. These companies filed for bankruptcy because they could not recover from the effects of the breaches. Banks can suffer the same fate when faced with a data breach scandal.

e. Erosion of customer trust:

One of the major effects of a data breach on an organisation is loss of customer trust and goodwill, and damage to brand reputation. In a survey conducted by Banking Dive, 66% of people surveyed said they would stop doing business with a company that had a slow or ineffective response to a data breach and would switch to a competitor, and 45% said they would tell their family and friends to stop doing business with the company.[67] The erosion of consumer trust translates directly into lost revenue.

1.5. Mitigating the Effect of Data Breaches

The risk of cyber-attacks and data breaches in the banking sector cannot be totally eliminated. Therefore, alongside measures to prevent cyber-attacks and data breaches, organisations have to put in place steps to mitigate the effects of such attacks. Some of these steps are:

a. Cyber Security Incident Response Plan:

This plan outlines who will respond to an attack, and what, when, where, why and how the organisation will respond. A good Cybersecurity Incident Response Plan should involve the following steps:

  • Identification of the attack;
  • Discovery of the nature of the attack;
  • Elimination of all traces of the attack;
  • Review of the attack;
  • Communication and notification of regulatory authorities and customers[68]; and
  • Implementation of new and improved cyber security plans.

b. Cyber Insurance:

The rapid move into cyberspace has brought a significant increase in operational risks and in the risk of cyber-attacks. This has increasingly become a society-wide concern and is receiving a lot of attention from governments across the globe. In response, traditional insurance providers are venturing into providing cyber insurance cover. Cyber insurance policies usually cover expenses related to first- and third-party claims, which include the cost of the breach, infringement of data protection and privacy laws, and the cost of recovery.[69] While many organisations believe that cyber insurance is too expensive or that their cyber risk is low, these assumptions are unfounded: data breaches have become very prevalent and the potential for losses is large. In fact, the lack of insurance can prove catastrophic for some companies. Cyber insurance increases the likelihood that an operation hit with a breach, like AMCA, will be able to weather the storm.[70] While cyber insurance is not an alternative to implementing appropriate levels of security within an organisation, any organisation involved in data processing should consider taking out a cyber insurance policy to mitigate the effect of data breaches. Insurance providers in Nigeria are beginning to venture into providing cyber insurance policies.


1.6. Notification and Reporting of Data Breaches:

When a data breach occurs, one of the responsibilities of the data controller is to report the breach and notify the appropriate authorities and persons. This responsibility is important not only because it shows transparency and fosters customers' trust, but also because reporting data breaches, and in certain circumstances notifying data subjects, is a mandatory regulatory requirement. Within the Nigerian banking sector, there are a number of regulatory authorities, both within and outside the sector, that have to be notified when there is a cyber-attack (successful or unsuccessful) or data breach.

Section 21 of the Cybercrimes (Prohibition, Prevention etc.) Act provides that any person or institution who operates a computer system or a network, whether public or private, must immediately inform the National Computer Emergency Response Team (CERT) Coordination Center of any attacks on their system or network within 7 days of such occurrence. Failure to do so attracts a sanction of denial of Internet service and a mandatory fine of 2 million naira.[71] The Risk-based Cyber-security Framework for Deposit Money Banks also provides that a DMB/PSP is required to report all cyber-incidents, whether successful or not, to the Director of Banking Supervision, Central Bank of Nigeria, immediately after such an incident is identified.[72]

Apart from notifying the CERT Coordination Center and the CBN, Data Controllers within the sector also have to notify NITDA. According to the NDPR Implementation Framework, July 2020, Data Controllers have a duty of self-reporting Personal Data breaches to NITDA within 72 hours of knowledge of such breach.[73] If the personal data breach will likely result in high risks to the freedoms and rights of the data subject, the Framework mandates Data Controllers to immediately inform data subjects about the breach.[74] While the NDPR Implementation Framework doesn't give a specific time frame for notifying data subjects, the Draft Data Protection Bill 2020 provides that such notifications be carried out within 48 hours after notifying the Data Protection Commission.[75]


1.7. CONCLUSION

The banking sector has been classified as one of the high-risk sectors in terms of cybersecurity and data protection due to the volume of personal data processed by banks on a daily basis. This volume of information makes banks constant targets of cyber-attacks. It is therefore very pertinent for Nigerian banks to begin to take data security very seriously. In the war against cybercrime, the role of players in the financial services industry cannot be overemphasised. As cyber-attacks evolve and become more sophisticated and difficult to identify, banks have to become proactive in their security measures, as they cannot afford to play catch-up with the latest techniques and methods employed in cyber-attacks. As shown above, a poor or slow response to a data breach will have devastating effects on a banking business. It is vital to state at this point that when it comes to the integrity and security of data, there is no such thing as too much security, and it is always safer to err on the side of caution.

[1] Access Bank and Unity Bank alleged data breach: A lesson to Nigerian institutions,

https://www.google.com/amp/s/www.businessamlive.com/access-bank-and-unity-bank-alleged-data-breach-a-lesson-to-nigerian-institutions/amp/ accessed on 23 September 2020

[2] Emmanuel Paul, “Nigerian companies record 2nd highest percentage of global cyberattacks”, https://techpoint.africa/2020/07/17/nigerian-companies-global-cyberattacks/ accessed on 23 September 2020

[3] Matwyshyn A.M ,’Material Vulnerabilities: Data Privacy, Corporate Information Security, and Securities Regulation’, 3 Berkeley Bus. Law Journal 129 (2005).

[4] For example, by the end of the first quarter of 2005, at least two major data control failures had occurred-the compromise of as many as 170,000 consumers’ data by data aggregators ChoicePoint, Inc. and LexisNexis, as well as the loss of tapes with 1.2 million federal employees’ information by Bank of America. See Associated Press, ‘Choicepoint Says It’s Sorry’, WIRED NEWS, Mar. 15, 2005,

[5] Article 2.1 (1) (d) of the NDPR.

[6] Section 3 (1) (g) of the Draft Data Protection Bill 2020.

[7] Section 1 (c) of the Cybercrimes Act 2015

[8] Section 19 (3) of the Cybercrimes Act 2015

[9] Section 33 of the Cybercrimes Act 2015

[10] Section 38(5) of the Cybercrimes Act 2015

[11] Para 3 of the Payments System Risk and Information Security Management Framework

[12] Para 6.7 of the Payments System Risk and Information Security Management Framework

[13] Para 8.6 of the Payments System Risk and Information Security Management Framework

[14] Para 8.7 of the Payments System Risk and Information Security Management Framework

[15] https://www.proshareng.com/news/Regulators/Consumer-Protection-Framework-for-Banks-and-OFIs-Regulated-by-the-CBN/32952 accessed on 23 September 2020

[16] Salau O., ‘The CBN Issues Its Consumer Protection Framework’, http://www.odujinrinadefulu.com/content/cbn-issues-its-consumer-protection-framework accessed on 23 September 2020

[17] CBN, “Exposure Draft of the Risk-Based Cyber-Security Framework and Guidelines for Deposit Money Banks and Payment Service Providers”, 25 June 2018.

[18] Paras 2.2 and 2.4.1 of the Cybersecurity Framework.

[19] Para 2.4.5 of the Cybersecurity Framework

[20] Para 3.7 of the Cybersecurity Framework

[21] Para 6.1 of the Cybersecurity Framework

[22] Para 7.6 of the Cybersecurity Framework

[23] Preamble to the Regulatory Framework For Bank Verification Number (BVN) Operations And Watch-List For The Nigerian Banking Industry

[24] See generally Para 6 of the Consumer Protection Framework.

[25] Section 4.0 of the Consumer Protection Framework

[26] Section 11.0 of the Consumer Protection Framework.

[27] Preamble to the BVN regulatory Framework.

[28] Para 1.2 (iii) of the BVN Regulatory Framework

[29] Para 1.8 BVN Regulatory Framework

[30] Para 2.0 of the Mobile Money Guidelines

[31] Para 2.0 of the Mobile Money Guidelines

[32] Para 11.1 of the Mobile Money Guidelines

[33] Para 13.1 of the Mobile Money Guidelines

[34] Para. 3.21 of the CBN Guidelines for Card Issuance and Usage.

[35] Para. 3.22 of the CBN Guidelines for Card issuance and Usage.

[36] Section 3.0 (c) of the Guidelines.

[37] Section 3.0 (d) of the Guidelines.

[38] Data Protection In The Banking Industry In Nigeria: what level of responsibility is imposed on the banks? http://ainablanksonblog.com/2018/02/02/data-protection-in-the-banking-industry-in-nigeria-what-level-of-responsibility-is-imposed-on-the-banks/ accessed on 23 September 2020

[39] Study of the Cost of Data Breach conducted by Ponemon Institute on behalf of IBM available at https://newsroom.ibm.com/2018-07-11-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses accessed on 2 September 2020

[40] Chidinma Nwagbara “Nigeria spends $270 million on cyber-attacks” https://nairametrics.com/2019/12/15/nigeria-spends-270-million-on-cyber-attacks/ accessed on 23 September 2020

[41] Adeyemi Adepetun, "Nigerian banks spent N200b preventing cyber attacks in 2019", https://www.google.com/amp/s/guardian.ng/business-services/nigerian-banks-spent-n200b-preventing-cyber-attacks-in-2019/ accessed on 23 September 2020

[42] Emmanuel Paul, “Why your employees, not firewalls, should be your first line of defence against cyberattacks” https://techpoint.africa/2020/03/05/employees-defence-cyberattacks/ accessed on 23 September 2020

[43] Ibid.

[44] Cybercrime and the banking sector: top threats and secure banking of the future. http://www.information-age.com/cyber-crime-banking-sector-123464602/ accessed on 23 September 2020

[45] 'How KYC determines your banking relationship', The Punch, 14 Sep 2018, https://www.pressreader.com/ accessed on 23 September 2020

[46] CBN launched the Bank verification Number (BVN) project in February 2014. According to the CBN, the objective of the project is to protect bank customers, reduce fraud and further strengthen the Nigerian banking system.

[47] https://nibss-plc.com.ng/bvn/ accessed on 23 September 2020

[48] Ebije 1.A., ‘BVN and Nigeria’s data management malaise’, Peoples Daily Newspaper, 10th November, 2015.

[49] Report of The Technical Committee on Electronic Banking, February 2003.

[50] Ibid

[51] Regulatory Framework For The Use Of Unstructured Supplementary Service Data (USSD) For Financial Services In Nigeria 2017

[52] Ibid.

[53] Ibid at Regulation 6

[54] https://www.atmmarketplace.com/news/nigeria-remains-woefully-short-of-atms/ accessed on 23 September 2020

[55] https://www.google.com/amp/s/www.vanguardngr.com/2018/05/atm-transactions-hit-n32-48trn-in-q1-20 18/amp/ accessed on 23 September 2020

[56] https://www.pmnewsnigeria.com/2010/08/24/atm-fraud-cpc-nba-set-to-tackle-banks/ accessed on 23 September 2020

[57] PoS transactions rise by 57% to N1.6tr in Q3’18 – Vanguard News Nigeria https://www.google.com/amp/s/www.vanguardngr.com/2018/10/pos-transactions-rise-by-57-to-n1-6tr-in-q318/amp/ accessed on 23 September 2020

[58] E-Payment statistics, https://www.cbn.gov.ng/Paymentsystem/ePaymentStatistics.asp accessed on 23 September 2020

[59] https://nibss-plc.com.ng/pos2/ accessed on 23 September 2020

[60] 2014 Cost of Data Breach Study: Global Analysis, May 2014, Ponemon Institute, securityintelligence.com

[61] Equifax data breach FAQ: What happened, who was affected, what was the impact? https://www.google.com/amp/s/www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.amp.html accessed on 23 September 2020

[62] Nigerian banks lose N12.30bn to fraud in 4 years – NIBSS – Vanguard News Nigeria https://www.google.com/amp/s/www.vanguardngr.com/2018/06/nigerian-banks-lose-n12-30bn-fraud-4-years-nibss/amp/ accessed on 23 September 2020

[63] https://techcabal.com/2017/08/21/electronic-fraud-forum/ accessed on 23 September 2020

[64] https://www.google.com/amp/s/mobile.reuters.com/article/amp/idUSKCN1RL1H1 accessed on 6 September 2020

[65] Article 2.10 of the NDPR

[66] Article 83(4) of the GDPR

[67] Dan Ennis, “Banks have more to lose from data breaches than other companies” https://www.bankingdive.com/news/bank-data-breach-timely-direct-response-experian/562209/ accessed on 23 September 2020.

[68] Article 33 of the GDPR provides for notification of the supervisory authority within 72 hours and, in the case of a breach posing a high risk to the freedoms and rights of data subjects, Article 34 of the GDPR provides for individual notifications within the same window.

[69] Ibrahim Tijani and Ridwan Oloyede, "Cyber Insurance in Nigeria: Risk Hedging in an Increasing Threat Landscape", https://aanoip.org/cyber-insurance-in-nigeria-risk-hedging-in-an-increasing-threat-landscape/ accessed on 23 September 2020

[70] Matt Jeweler, Meighan O’Reardon, Curtis Simpson, “From Data Breach to Bankruptcy – A Cautionary Tale for Those Without Cyber Insurance” July 16, 2019 https://www.jdsupra.com/legalnews/from-data-breach-to-bankruptcy-a-17755/ accessed on 23 September 2020

[71] Section 21(3) of the Cybercrimes Act 2015

[72] Para 7.6 of the Risk-based Cyber-security Framework for Deposit Money Banks.

[73] Section 9.2 of the NDPR Implementation Framework.

[74] Section 9.4 of the NDPR Implementation Framework.

[75] Section 17(3) of the Draft Data Protection Bill 2020
