On a chilly Thursday morning, Anil Shah, president of Nepal Bankers’ Association, the umbrella body of commercial banks, walked to the podium during a conference and warmed up the audience by asking a sort of “don’t-ask-don’t-tell” question. “Tell me honestly, how many of us use genuine software at our offices?” the CEO of Mega Bank asked.

The audience was made up of over 150 bankers. They were there to attend the conference on ‘Cyber Security and Swift Hacking’ organised by the National Banking Institute, a national-level banking and finance academy.

As soon as the question dropped, guilty smile appeared on faces of bankers. This was an acknowledgement that many were using pirated software, including operating systems such as Microsoft Windows and applications like Microsoft Word.

This set the tone for the conference.

Use of pirated software is quite rampant in financial institutions in Nepal. This has prevented these institutions from installing new patches developed by IT companies to upgrade the software, making them vulnerable to cyber attacks.

“Banks spend quite a lot to purchase cash vaults for offices. But physical banknotes stored in these vaults account for a tiny fraction of the total cash stock. Meanwhile, a big portion of our cash can be accessed electronically. Yet we hesitate to spend money to purchase genuine software and build a robust IT infrastructure,” Shah said.

His comments come at a time when memories of the biggest cyber heist in Nepal are still vivid in the minds of many bankers.

NIC Asia Bank became the victim of the biggest-ever cyber heist in Nepal in October, with cybercriminals issuing fake instructions to steal a little over Rs460 million. A total of 31 fake instructions were issued at that time via Swift, the global interbank payment system, to steal the money.

NIC Asia was hit by cybercriminals because of severe breaches of security protocols, like use of personal e-mails on computers attached to servers meant for Swift transaction. This enabled hackers to infect the bank’s IT system with malware. A source of the bank said hackers were watching the activities of the bank for two months before launching the final attack.

It is not exactly known how the malware entered the bank’s IT system. But NIC Asia Bank had found that some of the software it had purchased from “reliable vendors” were pirated.

Although the bank did not suffer huge losses from this episode, it is yet to retrieve all the money that was stolen.

The experience of Bangladesh shows that recovery process of money stolen by cybercriminals is not simple.

Bangladesh’s central bank came under the attack of cybercriminals in February 2016. Like in the case of NIC Asia Bank of Nepal, cybercriminals infected the computer of Bangladeshi central bank prior to making illegal payments of $101 million via Swift.

“Till date, we have not been able to recover $66.4 million, although we are still trying [even after almost two years],” Debaprosad Debnath, consultant at Bangladesh Financial Intelligence Unit at Bangladesh Bank, the central bank, told the conference.

All of the money that the bank is yet to recover had disappeared after reaching the Philippines, which was one of the two countries, including Sri Lanka, used by cybercriminals to illegally transfer the funds.

Fortunately, Bangladesh and the Philippines have entered into mutual legal assistance agreement. “Otherwise, we would have to spend quite a lot of money to hire lawyers to fight the legal battle,” Debnath said.

The biggest lesson that Bangladesh Bank has learnt from this episode is that “cost of compliance is generally high, because building a proper IT infrastructure is capital-intensive, but the cost of non-compliance is even higher.”

This should serve a lesson to Nepali banks and financial institutions that generally hesitate to invest in IT infrastructure and building a team of quality human resources that can thwart attempts to bring down the entire system.

It is said that around 84 percent of cybercrime, knowingly and unknowingly, occurs because of human factors. Many have the tendency to become complacent after installing anti-virus software on computers and servers. But these software may not be of much help, according to Debdulal Roy, general manager of Information System Development Department of Bangladesh Bank.

Right after Bangladesh Bank found out about the heist, the “signature” used by cybercriminals to break into the system was sent to McAfee, a US-based computer security software company. “But it took 45 days for McAfee to identify the signature as a threat,” said Roy. “So, the only way to tackle the problem is by investing in IT infrastructure and making human resources capable enough to remain vigilant about possible threats and risks.” It is high time Nepali banks buckle up because McAfee has said ransomware outbreaks of 2017 offer just a taste of what’s to come, as hackers are developing “new strategies and business models”.

The security firm has predicted online attackers to become even more destructive in 2018, as “attackers dramatically innovate and adjust to the successful efforts of defenders”.

“Considering the latest developments, banks should start conducting cyber stress test, as IT security risk is posing as big a threat to the banking sector as credit risk,” said Laxmi Prapanna Niraula, NBI chairman and head of the Currency Management Department at the Nepal Rastra Bank, the central bank.