Treasury-CBSL playing blame game over $ 2.5 m cyber theft

A pensive CBSL Governor Dr. Nandalal Weerasinghe (left) and Treasury Secretary Dr. Harshana Suriyapperuma before CoPF 

• CoPF Chair Dr. Harsha de Silva says Treasury report on cyber theft points to significant CBSL responsibility
• CBSL disputes findings, to submit separate report within a week

A dispute between the Treasury and the Central Bank of Sri Lanka (CBSL) over accountability for the $ 2.5 million cyber theft involving public funds has come under scrutiny at the Committee on Public Finance (CoPF), with Chairman Dr. Harsha de Silva warning that weak systems, outdated technology, and unclear lines of responsibility had created a situation where institutions are now shifting blame onto one another.

The Committee recently examined a report submitted by the Finance Ministry on the loss of $ 2.5 million that had been held by the Treasury for the settlement of Government debt obligations.

Speaking to the media following the meeting, Dr. de Silva said discussions revealed sharply differing positions between the Treasury and the CBSL regarding responsibility for the incident.

“Two different viewpoints were presented regarding who should be held accountable for this situation,” he said. “One view, in the Treasury report, was that the CBSL must bear significant responsibility for this. However, the CBSL expressed a different opinion on the matter.”

CBSL Governor Dr. Nandalal Weerasinghe and Treasury Secretary Dr. Harshana Suriyapperuma attended the proceedings, alongside officials from the Sri Lanka Computer Emergency Readiness Team (SLCERT) and other agencies.

According to Dr. de Silva, the CBSL has been provided with a copy of the Treasury report and has undertaken to submit its formal response within a week. The Committee will then review both submissions before preparing a final report to Parliament.

While the question of responsibility remains contested, Dr. de Silva said the proceedings had exposed significant weaknesses in existing procedures governing the handling of Government debt payments and cyber-related incidents.

He said the CBSL had informed the Finance Ministry once suspicions emerged that the incident could involve anti-money laundering concerns, but questions remained regarding subsequent actions taken by officials.

“The dispute lies in the actual actions taken after that notification. Questions remain over whether they informed their higher-ranking officials or not. And if not, why they failed to do so,” he said.

Dr. de Silva argued that a properly designed system with clearly defined responsibilities would have prevented the current dispute.

“If a proper system or clear guidelines had been in place, everyone would have known exactly who held what responsibility. If that were the case, there would be no room to keep shifting the blame back and forth from one side to the other,” he said.

One of the most concerning revelations to emerge from the discussions was the state of the Treasury’s information technology infrastructure.

According to Dr. de Silva, the fraudulent transactions originated through email communications and investigations revealed that the Finance Ministry had been operating an email server without cybersecurity support for approximately five years.

“In an era with this level of cybersecurity risk, serious questions arise as to how a primary Government institution could be using an email server that lacked cybersecurity support,” he said.

The cyber theft has triggered investigations by the Criminal Investigation Department (CID), Police, and forensic auditors.

Dr. de Silva also highlighted the financial implications of the incident, stating that the loss would ultimately be borne by taxpayers if recovery efforts prove unsuccessful.

“There is no doubt that $ 2.5 million was stolen from the Treasury,” he said.

Referring to evidence provided before the Committee, Dr. de Silva said Finance Secretary Dr. Suriyapperuma had confirmed that any funds not recovered would have to be absorbed by the Government and reflected through a future Budget adjustment.

The issue has renewed concerns over cyber resilience across the public sector, internal controls within Government institutions, and the management of public funds, particularly as Sri Lanka increasingly digitises Treasury and debt management operations.

The Committee is expected to revisit the matter after receiving the CBSL’s response, with lawmakers seeking to determine accountability and identify reforms needed to prevent similar incidents in the future.