Regional Centers Can Help Low-Income Countries Build Cyber Resilience

As more people turn to digital financial transactions amid COVID-19 (coronavirus)-related lockdowns, the pandemic is underscoring why strong cybersecurity is essential to a twenty-first century financial system. Yet in many emerging markets and developing economies (EMDEs), the capacity of digital financial services (DFS) providers and governments to respond to cybercrime has not kept pace with the rise of cyber threats, putting their systems and customers’ assets at risk.

Recognizing the capacity constraints and limited supply of affordable and relevant cybersecurity services and tools in EMDEs, financial sector stakeholders could consider pooling their resources and establishing shared, regional cybersecurity resource centers.

Cybersecurity resource centers would bring several benefits to financial sector actors. First, they would allow public and private actors to exchange information about cyber threats, lessons learned, good practices and opportunities for collaboration in research and innovation on a greatly increased scale. Second, they would offer cybersecurity services at more affordable prices than what is currently available (primarily from vendors that cater to higher GDP economies), thanks to the sharing of capital expenses and staff salaries. Third, centers would provide specialized expertise and guidance for the financial sector and for providers working with lower-income customers who may be at higher risk for cyberattacks due to their lower levels of digital literacy, cyber awareness and use of less secure transmission channels. Finally, they would facilitate international collaboration.

Shared Cybersecurity Resource Centers

Based on Suricate Solutions’ experience of setting up the Cybersecurity Operation Center for Inclusive Finance in Senegal, CGAP developed a proposed business concept for shared cybersecurity resource centers for the financial sector. The concept lays out six operating principles for the centers:

1. Build on and enhance cybersecurity structures, skills and technology already in place. Instead of substituting or duplicating structures, strengthen and complement them where there are gaps.
    
2. Work toward self-sustaining business operations. Initially, the centers will require capital investments, and the first few years of operations may require financial support until the centers can break even and start to make a profit, as customer bases and revenues grow.
    
3. Offer inclusive and fair pricing to make cybersecurity services accessible and affordable for financial sector customers of all sizes and types. While prices need to be competitive, they also need to be proportional to customers’ risk profiles.
    
4. Represent neutrality and offer a platform for sharing information. Cybersecurity is an area that benefits greatly from collaboration, including among competitors. The centers can facilitate collaboration through a combination of private trust circles, where peers are comfortable sharing sensitive information, and larger communities, where participants share anonymized threat information.
    
5. Strengthen, build and recruit local professionals, especially women, by collaborating with local education and training institutions, offering internships and on-the-job training programs and creating special education and recruitment programs for girls and women.
    
6. Leapfrog other regions and countries with open-source innovation that helps the financial sector prevent, detect, respond to and recover from cyberattacks. Through close collaboration with academia, innovation platforms and hackathons, the centers could lead global innovation in cybersecurity technologies for the DFS sector.

The centers could contribute to several development objectives, including (i) financial inclusion, by reducing the risk of financial and psychological harm caused by cyber incidents and increasing consumer trust and confidence in financial systems; (ii) human capital development and job creation by offering training and employment opportunities for local professionals; (iii) gender equality and empowerment by promoting women’s participation in the IT labor market and (iv) local market systems development by reducing lower-income countries’ dependence on imported services.

Funders can play a role in helping lower-income countries create shared cybersecurity resource centers by facilitating dialogue among regional stakeholders, identifying champions that can drive implementation and crowding in public and private sector users. This is an important first step that needs to happen: all relevant public and private sector actors will need to agree on a shared vision, an implementation roadmap and collaboration process to ensure buy-in. This can take several months, or even years, and requires resources. During implementation, funders can provide support with their technical expertise and funding over the first couple of years until the centers become self-sustaining. In the medium to longer term, funders may also partner with the centers on specialized R&D programs.

While establishing shared cybersecurity resource centers would be a major step in the right direction for many EMDEs, broader interventions will be required to build a robust cybersecurity ecosystem for the financial sector. Funders could support these as well. This includes, for example, efforts to establish regulatory frameworks and supervisory practices that incentivize providers to use cybersecurity support services; educational programs that develop the next generation of cybersecurity trainers and professionals, especially among women; and R&D and entrepreneurship programs that support the development of innovative applications and software solutions and ease their access to a global cybersecurity market.

By facilitating the creation of such centers, the financial inclusion community can take a meaningful step to help EMDEs keep up with growing cyber threats and ensure digital innovations offer safe ways to transact, save and invest and, ultimately, improve the lives of low-income customers.

To learn more about how shared regional cybersecurity centers could make low-income countries more resilient to cybercrime, see the slide deck "Cybersecurity Resource Centers for the Financial Sector: A Proposed Business Concept" (CGAP 2020).