NRB not keen on learning lessons from cyber heistIt is appalling that the Nepal Rastra Bank (NRB), the central monetary authority, is treating cyber heist at NIC Asia Bank lightheartedly.
It is appalling that the Nepal Rastra Bank (NRB), the central monetary authority, is treating cyber heist at NIC Asia Bank lightheartedly. At least three high-ranking central bank officials that the Post talked to said the issue was not “very big” and “funds stolen from the bank would be recovered”.
NIC Asia Bank became the victim of the biggest-ever cyber heist in Nepal last Thursday, with cybercriminals reportedly fleeing off with around Rs460 million. The money was stolen by “issuing around 31 fake instructions” via SWIFT, the global interbank payment system.
The stolen cash, according to central bank sources, landed in banks of China, including Hong Kong, Germany, Japan, Malaysia, Singapore, Turkey and the United States. Since then, the central bank has sent “stop-payment requests” to banking entities and central banks of fund-recipient countries to ensure the money is not withdrawn, albeit around Rs110 million is said to have been pulled out from accounts in foreign countries.
Good news is that “stolen funds are gradually being recovered”. “So, there is nothing to worry about,” central bank officials said.
The demeanour of central bank officials indicates they only want to see quick recovery of funds so that the case can be shut down. They do not seem much interested in finding out whether other banks have taken measures to avoid stumbling into the pitfall that brought troubles to NIC Asia. This is simply an attempt to undermine the gravity of the issue. First of all, recovery of the stolen amount is not going to be easy if the experience of Bangladesh is anything to go by.
In February 2016, cybercriminals, like in the case of Nepal, hacked into the computer of a Bangladeshi central bank official to make illegal payments of $81 million via SWIFT. But even after over one-and-a-half years, only a fifth of the stolen money has been recovered, according to Bloomberg.
The possibility of this history repeating in Nepal cannot be ruled out, as some of the foreign banks and central banks still have not responded to “stop-payment requests” made by the NRB to prevent withdrawals, central bank officials said. It is therefore not surprising that a US-based bank allowed withdrawal of around $45,000 of NIC Asia’s illegally transferred funds on Tuesday, two days after the “stop-payment request” was sent, according to a reliable NRB source.
This is an indication that fund recovery is not going to be an easy process. And if the money is not recovered on time, NIC Asia’s profit will be hit, which will lower dividends for shareholders. This, however, is not a very big issue in the great scheme of things.
What is alarming is consequences that Nepal might have to face if cyber security is compromised time and again due to banks’ failure to build robust IT infrastructure and follow measures to guarantee safety of money. This is one of the areas that the central bank has not looked into. This short-sightedness to acknowledge cyber theft as one of the emerging threats to the country’s banking sector may have severe repercussions.
NIC Asia was hit by cybercriminals because of severe breaches of security protocols, like use of personal e-mails on computers attached to servers meant for SWIFT transaction. Fortunately, hackers could not steal depositors’ money. But if preventive measures are not taken on time, hackers can sneak away with Rs2,384.8 billion of deposits parked in banks and financial institutions of the country.
Who knows, cybercriminals may be devising ways to steal a portion of that cash, as Nepal is a country where banks are not subject to IT audits and many banking entities are said to be using outdated and even pirated software.