The global microfinance market carries a lot of weight: valued at around 187 billion dollars (168 billion euros) in 2022, it is expected to exceed 488 billion dollars (438 billion euros) by 2030. By definition, microfinance is a banking service provided to micro-entrepreneurs who need economic support in order to launch their activity. These individuals, considered too risky by traditional banks, have no access to financial services.
Most microfinance transactions take place in developing countries. In Africa, “only 10 or 15% of the 1.3 billion inhabitants have a bank account,” reckons Jean-Louis Perrier, Program Director at the Africa Cybersecurity Resource Centre (ACRC). Founded in 2020, the ACRC is devoted to creating a working group of African experts, the aim being to provide cybersecurity and information-sharing services relating to microfinance, at a global level. It is a non-profit consortium of public and private partners, based in Luxembourg and Africa, bringing together more than 365 high-level experts.
The objective: to protect the sector (financial services, providers of digital services, central banks, regulatory and supervisory bodies, etc.) and its clients, and to contribute to stability and financial inclusion on the African continent. Jean-Louis Perrier believes that the vast majority of financial actors are far from cyber-resilient. What’s more, the cyber-risks they are facing could jeopardise the financial inclusion of the populations.
In an interview given to InCyber, he provides an overview of the cyber-related shortfalls and challenges in African microfinance, and revisits the solutions recommended by the ACRC to counter them.
What are the cyber-related challenges facing microfinance institutions?
Jean-Louis Perrier: The cybersecurity problems are the same as those faced by banks. Because managing the financial deposits of people who are less wealthy doesn’t provide protection from cyberattacks. These microfinance entities still have severely inadequate defences and very little, sometimes extremely limited maturity. And few of them pay attention to cybersecurity. In Africa, expenditure in this area stands at around 1.4 to 1.5 billion dollars (1.25 to 1.34 billion euros) per year. This is equivalent to the annual spend of the top four banks in the USA.
Consequently, financial services and solutions have to be robust, because even though microfinance institutions loan out small sums, they have, on average, more than a million clients. This means they are still participants in the system. And if these millions of clients lose their savings, their faith in inclusive finance may disappear.
What are the most common cyberattacks in this area?
Jean-Louis Perrier: Most attacks target clients’ accounts, in the financial sector at any rate: theft, misappropriation of funds through ransomware, or fraudulent transactions. Fraudsters, using false names, offer fake loans to people and then get them to pay the money back. This is organised crime, and international.
What are the major cyber-related shortfalls in this ecosystem?
Jean-Louis Perrier: There is very little country-level institutional support, like the national CERTs (Computer Emergency Response Teams) present elsewhere. There are only about fifteen CERTs in the whole of Africa. And their practical effectiveness is still at an immature development stage, even embryonic in some cases. The biggest challenge is really the lack of funding. Because the sums of money at stake are small, and awareness of cybersecurity is low, microfinance institutions aren’t investing in this domain.
The second major challenge lies in the lack of human resources. There are around 10,000 cybersecurity experts in Africa, whereas there need to be 300,000. By comparison, the United States has around 700,000, plus about 300,000 job vacancies in this field.
In this context, it’s hard to make enduring progress, without enormous effort being invested to strengthen current capacities and to introduce curricula for professional training, higher education and doctorate-level study. The objective being to create new profiles of experts who will go on to teach Master’s courses, for example. So all the route engineering needs to be put in place.
What are the top-priority solutions to overcome these shortfalls?
Jean-Louis Perrier: The first one is to develop capacities and education, a really important aspect. The second is to make people aware of this whole ecosystem; supporting three or four thousand financial institutions in 54 countries is a significant challenge in itself.
The third focus area relates to sharing of information and good cyber-practices. Currently, there is little communication between financial entities, which leaves them isolated in the face of cyber-risks. And yet, it would be beneficial for them to share this information, especially about intrusion attempts by hackers, the methods they used, and how the attempted attack was detected and thwarted.
What is the ACRC’s approach to these shortfalls?
Jean-Louis Perrier: To develop the maturity of African institutions by providing skills in cybersecurity. To achieve this, we’re developing a partnership with professional associations in the fields of microfinance, micro-insurance and FinTech.
We are currently focusing on West, Central and East Africa as priorities. However, our ultimate ambition is to apply the approach to the whole continent.
The ACRC was absent from the Cyber Africa Forum, but is organising its own conference. What is this event about?
Jean-Louis Perrier: The ACRC is a non-profit association. Our annual conference proposes subjects focused on cyber-resilience. It seeks to develop an African cybersecurity community for the financial sector. The next edition will take place in Lomé, Togo, in October 2023, during African Microfinance Week.