BY VICTOR ADAR
Michael Mutiga knows too well how 300 million Rand ($19 million) that was withdrawn from South Africa’s Standard Bank through Automatic Teller Machines in different areas in Japan (last year) complicated banking big time. What went wrong in just 20 hours; when all necessary internal controls were in place, is something that not only him but also other individuals in the financial sector were not able to fathom. The worst was only confirmed when millions of shillings were already lost thanks to counterfeit cards that were used by the perpetrators.
Mr Mutiga, who occupies the seat of managing director for corporate and investment banking at Citibank says that the creation of a shared industry reporting structure was the next phase in the evolution of Cyber-security awareness in Kenya pointing out that some of these cyber criminals are well funded, becoming much more organised, targeted, know about the systems and most likely using the best tools.
Citi has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.
Since he understands how frustrating cyber attacks can be, he is particularly not impressed by the fact that there is a lot of secrecy in the market with more and more players failing to report even slightest of attacks thereby making it a little too hard to understand what is happening (in a broad perspective) as far as insecurity is concerned.
“Human element is involved in these crimes,” says Mutiga. “Breach notification is an important factor in the entire process of cyber-risk management. We have seen other markets develop mechanisms to share this data, within set parameters for the benefit of the industry and overall economy.”
A qualified advocate of the High Court and a Certified Public Secretary holding a Bachelor degree in Law (LLB, Honours) and a Masters Degree in Law (LLM), his eyes are now set on what is pushing governments, non governmental organizations as well as individuals into a very tight corner: cyber security.
Prior to banking, he started off his career as a pupil at the law firms of Hamilton Harrison & Mathews (Nairobi) and later worked at Holland & Knight LLP (Atlanta). Following the acquisition by Barclays of Absa in 2005, between December 2005 and September 2006 he was the regional head for East Africa for the investment banking division of Absa Capital, also based in Johannesburg. His wealth of corporate and investment banking experience in Africa has covered multiple capital and debt transactions on the continent, including numerous sovereign and corporate bond issues, syndicated loan, acquisition and structured finance transactions, for corporate and public sector entities. As the head of the corporate bank he is additionally responsible for management of the client base and asset book.
Mutiga, the man who joined Citi in October 2006, and was a director in Citi’s South Africa based corporate finance division up-to August 2011 when he transferred to Kenya as head of corporate banking, boasts of an impressive experience. Before joining Citi, he worked for Barclays as a management associate in 2002, and later on as a manager in their debt capital markets division based in Johannesburg covering Africa. He believes that the impact of cyber attacks on businesses is huge.
In 2019 for example, it is projected that about $2 trillion will be going up, with statistics further showing that cybercrime could on a global scale cost the economy up to $575 billion in 2017. These mind boggling figures are coming after the Kenya Cyber Security Report 2016 by Serianu indicated that about 44% of financial institutions run on a cyber-security budget of a paltry $1 to $1,000 annually whilst another 33% of financial institutions in Kenya have zero spending on all matters cyber security.
In addition, the landscape is ugly with the Serianu report further showing that a whopping $175 million has been pilfered from Kenya’s economy by savvy cybercriminals, perhaps the main reason as to why the government is fighting to build confidence by reassuring the public (through the Ministry of Information, Communication and Technology) that the government computer systems and networks are secure following the recent WannaCry Ransomware attack that hit the world one grey Friday, May 14.
Cabinet Secretary Joe Mucheru speaking during the recent Cyber-Security & Banking Forum organized by Citibank and the ICT Authority affirmed that the government is keen following developments on the encryption malware, which effectively disabled over 200,000 computers running the Windows operating system in over 150 countries.
“We have heightened our cyber monitoring and surveillance mechanisms to prevent and eliminate any remote possibility of attack,” Mucheru explained, challenging the financial services sector to improve information sharing and reporting on Cyber-security breaches.
Citing the current more than 75.3% of Kenyan citizens in the formal financial services, he says that together with other players in the sector like ICT Authority, pushing up cyber security investments especially in banking is vital. As always the case, financial services sector relied on various ways to link to each other and the larger economy. The industry is yet to reach higher heights in terms of understanding of cyber security landscape as well as Cyber-risk preparedness.
Although it is still tough detecting new type of attacks, thought leaders on cyber security are saying that collaboration is taking place on an international level- attacking a global threat through combining the capabilities of companies and banks across the world. The information Sharing and Analysis Centers (ISACs) for instance, share information not only internationally, but also across sectors, according to Edward Kiptoo, Citi’s Lead Information Security Officer for Middle East and Africa.
Kenyans tend to create room for cyber criminals by overlooking the most of basic “dos and don’ts.” That is why players in banking sector are looking into a future where criminal activity is prevented, and perpetrators prosecuted if possible.
“You need to wipe it (malware) out completely –– ensure that you are not backing up virus. Back up has resulted into a situation where individuals are copying data in real time,” says Mutiga.