Impact of Cybercrime on the Finance Sector: a Case of Banks in Nairobi County, Kenya (2008 - 2022)

Abstract

This study examined the impact of cybercrime on Kenya’s banking sector. The expansion of the internet and generalization of its use in all domains of activity, has come with challenges especially internet assisted crime which has attracted a lot of public debate with politicians, policy persons and individuals firms from the private sector proposing and enacting sound policies and laws to deal with cybercrime. These laws have however, proven insufficient, with phishing and other related cybercrimes continuing to occur globally. Kenya has also enacted a battery of legal frameworks but the country has not been spared as the Communications Authority stated that cyber threats in Kenya had gone up by 10% in the first three months of 2019. In Kenya, over 56 million cyber threats were recorded. This was an increase from 37.1 million in 2019. This study therefore assessed the financial impacts of cybercrimes on Kenya’s banking sector; assessed the impacts of cybercrimes on bank data in Kenya’s banking sector; identified cyber security measures put in place by Kenya’s banking sector; and lastly examined the challenges facing cyber security measures utilized by Kenya’s banking sector. This study covered the period between 2008 and 2022 and it adopted the Routine Activity Theory. This theory states that the occurrence of a crime is informed by the presence of a motivated offender, suitable target and lack of a capable guardian. This study was a case study which was conducted in Nairobi County. The researcher targeted commercial banks and microfinance banks. Further to this, Banking Fraud and Investigation Department (BFIU), Financial Reporting Center (FRC), Communications Authority and cyber security firms were sampled for inclusion in the sampling frame. Data was collected using questionnaires and key informant guides. The qualitative data was analysed using content analysis while quantitative data was analysed using Statistical Package for Social Sciences (SPSS). From the findings of this study, we conclude that Hacking, Mobile banking breaches, identity theft using email compromise/account take over, SIM-swap and collusion with bank staff are major cyber security threats that banks and MFIs face. Secondly, the study concludes that Cyber-crime has a financial cost on financial institutions but Banks and MFIs do not reveal some of the cyber-crime cases and also the figures presented by financial institutions may not be accurate. The study concluded that Ransomware, Phishing and Business Email Compromise (BEC) are the most common data targeted cyber-crimes; some of the measures used by financial institutions against cyber-attacks include use of advanced softwares; use of online and offline security applications; use of personalized accounts with login key; and use of limited access rights feature. One Time Password and Know Your Customer features are also applied to protect clients. Additionally, conclusions show various measures mentioned have not effectively managed cyber-attacks. This is associated with lack of adequate training of staff and disregard for cyber-security structures. Financial institutions are also dissatisfied with implementation of cyber-crime prevention measures by sector regulatory institutions. In another finding, the legal frameworks do not sufficiently cover cyber-crime related issues. Lastly, a lax environment inhibits implementing of sector cyber-security regulations within the banking sector.