Five commercial banks plan to invest N248.21 billion in technology upgrades over the coming months, but cybersecurity appears to be receiving a smaller portion of these funds.
This underinvestment comes at a time when fraud losses have grown by 496.96 percent in Africa’s most populous nation over the past five years, fuelled by the rise of electronic payments.
Between 2019 and 2023, Nigerian bank customers lost N59.33 billion to fraud, with over 80,658 customers scammed in 2023 alone — a slight decrease from 84,130 in 2022.
“The amount lost to fraud has increased over the past five years along with the growth of financial transactions in the digital payments sector,” the Nigeria Inter-Bank Settlement System (NIBSS) recently stated.
Read also: Banks’ credit to businesses up N19.04trn in one year
A study titled, ‘Cybersecurity in the Financial Sector: A Comparative Analysis of the USA and Nigeria,’ by Philip Olaseni Shoetan and Babajide Familoni, underscored the risk posed by cybersecurity threats to the financial sector, jeopardising the confidentiality, integrity, and availability of financial services and data.
Despite this documented growth in fraud cases, the five banks, currently in the middle of increasing their capital base, have allocated just 24.05 percent (N59.69 billion) of their total intended tech spend (N248.21 billion) on cybersecurity, based on an analysis on the offering documents of the banks.
In March, the Central Bank of Nigeria (CBN) announced new capital requirements, directing banks to increase their capital bases to N500 billion for international banks, N200 billion for national banks, and N50 billion for regional banks. These institutions were given a two-year window to meet these targets through capital raises, mergers and acquisitions, or license adjustments.
This report focuses on the following banks: Guaranty Trust Holding Company (GTCO), Access Holdings Plc, Fidelity Bank Plc, First City Monument Bank (FCMB), and Zenith Bank Plc.
“They (banks) are not spending enough, not because they don’t have enough but because they do not realise how important it is yet,” said Nanbaan Pwapo, a digital security professional at Resilience Technologies.
Banks’ allocation:
Access plans to spend N85.77 billion on new ATMs and PoS Machines, network infrastructure, and cyber security over the next 24 to 36 months, with cybersecurity accounting for 31.99 percent of this budget.
Fidelity intends to allocate N21.86 billion over 48 months, with 41.30 percent earmarked for cybersecurity.
Read also: Directors ask FG to review banks’ windfall tax
FCMB will spend N16.22 billion over the next 36 months, with cybersecurity comprising 32.25 percent of the budget.
GTCO plans to spend N104.50 billion over 12 to 24 months, with only 14.35 percent dedicated to fraud prevention and detection software.
Zenith Bank anticipates spending N19.85 billion over six months, with 15 percent going towards cybersecurity.
Most of these banks expect an increase in cyberthreats due to new expansion.
Zenith Bank stated in its offer prospectus that international expansion could expose it to new and more complex cybersecurity threats in different countries.
GTCO noted that the number of cyber incidents has increased overall. It stated that many countries, including Nigeria, lack strong security and consumer protection measures, which could leave people vulnerable to such cyberattacks.
It noted, “The GTCOPLC Group’s systems for protecting against cybersecurity risks may not be sufficient. As cyber incidents continue to evolve, the GTCOPLC Group will likely be required to expend additional resources to continue to modify or enhance its protective measures or to investigate and remediate any vulnerability to cyber incidents…”
Adedeji Olowe, founder and chief executive officer of Lendsqr, who once worked at UBA, Access Bank, Fidelity, and FCMB, said banks spend significant amounts on cybersecurity.
According to their financial statements, six commercial banks—Wema, Stanbic IBTC, UBA, Zenith, GTCO, and Access—increased their tech budgets, including cybersecurity, by 44.66 percent to N205.34 billion in 2023.
However, Olowe questioned the effectiveness of this spending, stating, “There is a difference between spending enough and making good use of what you have. Banks spend a good deal of money on cybersecurity. Many use Israeli-based platforms like Imperva. So, they spend a lot of money. Is it enough, maybe from my point of view.”
Pwapo of Resilience Technologies, earlier quoted, noted that overlapping roles within the banking sector create conditions conducive to fraud. Earlier in 2024, a First Bank staff member made away with N44 billion.
She stated, “Cybercriminals almost always beat the system because they are more prepared. We need to be more prepared. We also need to invest in improving cyber knowledge, which is a lot.”
She also warned that as technology advances, so do threats. “With every development comes an equal or greater threat. In the next few years, we are talking about deep fakes and AI, which means that hackers or cybercriminals will put in more effort because they can now automate more. We are doing well, but we can do better.”
Read also: Stock deals jump 44% on banks recapitalisation
Social Engineering, the use of deception to manipulate individuals into releasing confidential information, was the most common technique employed by fraudsters in 2023. However, phishing and website/server hacking are on the rise.
The most exploited payment channels were mobile, web, and PoS, with the ratio of total reported fraud value to the total value of transactions increasing from 0.0019 percent to 0.0022 percent over the last five years.
Olowe of Lendsqr further highlighted that the growing fraud issue is due to gaps in competence and accountability within the banking sector. He noted that many skilled professionals have left the country, affecting the fight against fraud.
“Some people have come around to suggest the use of Machine Learning (ML) and Artificial Intelligence (AI) etc. But the use of ML and AI only makes sense if the banks acknowledge they have a problem in the first place. If you report fraud to your bank today, the response will most likely lack the urgency that shows an understanding of the seriousness of the issue from the jump. So is it really the tech that’s lacking?” he also argued.
