Cyber-crimes and management weaknesses

From the country’s perspective, a national economy suffering from cyber-security breaches may experience increased equity risk, as potential investors could become hesitant to invest, either making only small investments as a risk mitigating measure or demanding higher, short-term returns. Another serious risk that could arise from widespread digital fraud is the flight of capital, posing threats to economic stability

•  Government risks a crisis of confidence amongst potential investors

Information and communication technologies (ICTs) are the cornerstone for sustainable development, but if they are not appropriately managed, they will impede progress towards the United Nations Global Sustainable Development Goals. Among undesirable impacts, emphasis must be put on the risk of information security (ISec) breaches, as they pose a potential threat to businesses there. Especially for publicly traded firms, they could create a long-lasting influence on their financial performance and, thus, stock investors’ confidence - MDPI (Multidisciplinary Digital Publishing Institute

MDPI (Multidisciplinary Digital Publishing Institute), a major Switanderland-based publisher of over 500 peer-reviewed, open-access journals, founded in 1996, in a review titled The Long-Run Impact of Information Security Breach Announcements on Investors’ Confidence: The Context of Efficient Market Hypothesis by Syed Emad Aandhar Ali, Fong-Woon Lai, Rohail Hassan and Muhammad Kashif Shad in an MDPI publication in January 2021 ) point out that “Among undesirable impacts, emphasis must be put on the risk of information security (ISec) breaches, as they pose a potential threat to businesses there. Especially for publicly traded firms, they could create a long-lasting influence on their financial performance and, thus, stock investors’ confidence (https://www.mdpi.com /2071- 050/13/3/1066#:~:text=Especially%20 for%20publicly%20traded%20firms, context%20of%20efficient%20market %20hypothesis), In summary, the paper says that when large-scale computer scams are, or are perceived to be, handled poorly or are facilitated by corruption, they lead to a significant loss of both local and international investor reputation, potentially causing capital flight.

Cyber-attacks are on the rise

fDi Intelligence, a specialist division of the Financial Times, in a recent research publication has stated that Cyber-attacks are on the rise as they emerge as the flipside of the global digital economy and they cost the world $8tn in damages in 2023 alone, and that public institutions at the highest level, particularly in developing economies, have proven vulnerable to such attacks. (https://www.fdiintelligence.com/content/aebb2169-e74e-53b6-b6ca-4b3a521cca8c#:~:text= The%20 stakes%20are%20high.,The%20FDI%20risk).  

Terence Toland, a manager at Kearney, a leading global management consulting firm, has stated that “Countries with poor cyber hygiene risk seeing their investment appeal decrease as multinationals limit exposure to such risks and that the reputational damage caused by a big breach, particularly a well-publicised breach, would definitely have a negative impact on the market’s prospect for FDI or being a supply chain destination”. As one would say, it’s not rocket science to say that financial scams pose significant threats to the economic stability and growth of emerging economies. These fraudulent activities undermine investor confidence, distort market efficiency, and divert scarce resources away from productive investments. 

In Sri Lanka, a few IT and non-IT related issues, but primarily large-scale computer scams and high-profile cyber incidents appear to have the potential to severely damage investor confidence by eroding trust in the security of financial systems, weakening the reputation of local markets, and introducing significant financial and operational risks.  It is vital for the Government to address these issues very urgently and expeditiously and possibly considering the engagement of a reputed international entity specialised in this area to undertake an urgent assessment of the adequacy of cyber security measures in the central bank and all local banks, and management measures in place to detect possible scams.

In terms of the three IT related issues, the two Commercial Bank related issues (the scams at the NDB and the one at the Commercial bank), are not directly related to the Government, but related possibly to monitoring shortcomings at the Central Bank which is independent of the Government.  It certainly appears that the monitoring measures and IT guard rails to detect and prevent scams have not been as effective as they should have been, both within the two institutions concerned and within the central bank. However, as investigations are ongoing, speculations will not assist the investigations, but clarity on this serious matter will have to be considered a very urgent matter as the potential damage to confidence in these institutions could become irreversible otherwise.

The challenge for the Government (more the central bank) is to take all possible measures, including obtaining international technical expertise to investigate, strengthen if necessary through legislation, preventive measures and to introduce more fool proof guard rails in all banks so that recurrence of these scams will not happen, and if any attempts are being made by cyber criminals to hack systems, they will be detected before it’s too late, Besides this, punishment for convicted offenders should be made extremely severe so that would be criminals would think twice before committing them.

What is very concerning and perhaps most serious is the theft of $2.5 million dollars from the Government’s own external resources entity which is inseparable from the treasury itself. To the best of the writer’s knowledge based on information publicly released so far, it appears that a serious management shortcoming has contributed to the eventual cyber theft. This being the apparent failure of the external resources/treasury not to have sought an acknowledgement from the recipient of the funds, the Australian Government, way back in January when supposedly, the transfer had been done. Had the treasury assumed that the funds had been transferred on the due date, surely an acknowledgement should have been sought as a matter of routine, or they should have had a management mechanism to identify funds that had to be transferred by a due date but not actually transferred and which would have prompted them to make investigations why the transfer had not taken place. On the face of it, it appears that there had been a clear management failure.

Impact on investor confidence

As mentioned earlier, besides the loss of money, which may be totally or partially recovered, what would be difficult to recover would be the possible dents on investor confidence when Sri Lanka desperately needs direct foreign investments to boost the economy. The IT related scams will result in the erosion of trust in digital finance.

Cyber-enabled fraud, which has tripled recently, erodes trust in the digital channels that modern financial systems rely on. When scams are perceived as widespread, investor trust in digital services decreases, making it harder for financial institutions to maintain confidence. There would be reduced foreign direct investment (FDI), as countries with poor cyber guard rails runs the risk of being characterised as countries with weak governance and not attuned to giving the topmost priority to arresting cybercrime and losing their appeal for FDI as multinationals will take risk avoidance measures and limit their exposure to these hazards. Significant breaches could prompt firms to relocate to jurisdictions with higher security standards. Even if governments are not necessarily weak, investors will view high-scale scams as evidence of inept management or severe operational vulnerabilities within institutions including the central bank. To add to this, the high cost of remediation, along with potential legal and regulatory fines, could impair the institutions’ ability to operate efficiently, making them less attractive to investors.

From the country’s perspective, a national economy suffering from cyber-security breaches may experience increased equity risk, as potential investors could become hesitant to invest, either making only small investments as a risk mitigating measure or demanding higher, short-term returns. Another serious risk that could arise from widespread digital fraud is the flight of capital, posing threats to economic stability. 

fDi Intelligence lists the following as key drivers of reduced confidence 

• The adoption of AI and deepfakes by criminals makes scams harder to detect, leading to prolonged periods of risk for institutions.
• In some instances, regulations requiring data to be stored locally can heighten a country's attractiveness as a target for cyber-criminals, inadvertently raising risks for foreign investors.
• Foreign investors could find their local partners or suppliers as the "weakest link," exposing the overall investment to contagion risks from low-quality local cybersecurity. 

In conclusion, the following  from Research Gate paper titled “Economic Impact Of Financial Scams On Emerging Economies: A Legal Review” is quoted here as it summarises the potential fallout from scams that are becoming quite widespread globally (https://www.researchgate.net/publication/393335164 Economic_Impact_Of_ Financial_Scams On_Emerging_Economies_A_Legal_Review#:~:text=Abstract,) %2C%20and%20financial %20sector % 20integrity)

The rapid advancement of technology has led to significant changes in the global financial landscape. The rise of digital transactions presents new opportunities for financial inclusion and economic growth, but it has also led to a surge in financial fraud. (Lakew & Aandadi, 2020). Financial frauds exert extensive and diverse economic impacts on developing nations. Financial fraud undermines economic stability, distorts markets, and erodes trust in financial institutions (Sajid et al., 2023).  The inadequacy of legal and regulatory frameworks in numerous emerging nations have exacerbated the problem further.  Mitigating the economic impact of financial fraud relies on robust legal and regulatory responses. This encompasses the enhancement of national legal frameworks, the augmentation of regulatory oversight, the promotion of international collaboration, and the empowerment of consumers through protective measures and education. (Babu & Xavier, 2015.  The convergence of information technology and financial services has propelled the growth of financial technologies, necessitating legislative reforms to address the interplay of financial products, services, technologies, risks, and institutions. (Tritto et al., 2020).

One hopes that the Government has taken heed of the urgency to strengthen all avenues that pose threats to cyber security, strengthen management shortcomings via legislation if need be, the utmost urgency to do this as a matter of priority and taking the ordinary people of the country to their confidence by providing open, consistent, accurate updates on the issues concerned and prevent avenues for speculation arising from gaps in what might be known and what is being made known to the public. At present, speculation appears to be ahead and social media proliferation arising from them appears to be getting a foothold about the Government’s ability to meet these and similar major challenges.