The increasing incidence of cybercrimes has become a pressing issue for society, businesses, and governments. Responding to the growing demand for digitisation from customers and investors, South African institutions have become targets of sophisticated cyberattacks. The financial sector, considered part of the country’s critical infrastructure, has not been immune. The frequency of attacks on commercial banks in South Africa has risen, with several successful cyberattacks causing substantial harm. This paper explores the interventions commercial banks use in South Africa through a qualitative research lens. The results indicate that while technical interventions provide value, there are still opportunities for improvement in the human and process elements of the interventions. This highlights the need for a holistic approach to cybersecurity, incorporating technology, people, and processes to mitigate the risks posed by cyber threats effectively.
## I. INTRODUCTION
Rapid advancements in Information and Communication Technologies (ICTs) across multiple industries, together with the globalisation of economies, have brought an influx of technological innovations. The global financial services sector has undergone significant changes with the rise of Financial Technology (FinTech), including mobile Internet, cloud computing, Big Data, search engines and blockchain technology (Cheng, Li, Wu, & Luo, 2017). The introduction of digital services such as digital government, digital commerce, digital education, digital health, digital environment, and digital banking has enabled commercial banks to reach a wider audience without needing a physical location, albeit against a rising scourge of cybercrime (Chigada & Naailah, 2021). As cybercrimes continue to escalate in complexity and severity, financial institutions have become prime targets for criminals. These institutions offer more significant attack vectors due to the increased online services provided to their clients, making them vulnerable to cyberattacks (Chigada, 2023). However, the growth of online financial services has also led to an increase in information security breaches and data breaches, which threaten economic interests, national security, and intellectual property (Tisdale, 2015).
The increasing frequency of cyber threats and attacks on financial institutions has led to the need for commercial banks to adopt interventions to mitigate these threats and attacks. These interventions range from technical solutions, such as firewalls, antivirus software and encryption, to people-oriented interventions, such as cyber awareness and training, and process-oriented interventions, such as incident response planning, risk management and security governance. While the technical interventions provide a degree of protection against cyber threats, the people and process-oriented interventions build a culture of security within the organisation and ensure that the technological interventions integrate into the bank's overall approach to cybersecurity. Chigada (2020) avers that unacceptable human behaviour requires attention. Individuals operate in a space where they determine what, why, how, and when to act in a specific way. Nyasvisvo and Chigada (2023) state that firms may put in place cogent measures to curb cyber-attacks and data breaches, but nefarious threat actors are always a step ahead in their acts. Therefore, it is best to implement continuous measures that include a culture of awareness, training and development, and others that would deter would-be cybercrime.
A review of literature demonstrates the abundance of studies on cybercrime and information security challenges in financial institutions (Mabunda, 2019; Khan et al., 2020; World Health Organisation, 2020; Chigada & Madzinga, 2021). Most of these studies were conducted during the Corona Virus Disease-2019 (COVID-19) period. Post the COVID-19 period, there have been studies on cyber-attacks and threats on financial institutions forced to pay ransoms, but there is a dearth of reports suggesting how financial institutions in South Africa have mitigated these cyber-attacks and threats. A preliminary investigation showed that financial institutions were not keen to share information security and cybersecurity issues given the sensitivity of clientele information managed by these institutions. We discovered that the South African Bank Risk Information Centre (SABRIC) collated most of the cyber-attacks and threats information for all banks in the country. Other financial institutions, such as insurance companies, medical aid schemes, etc., reported their data breaches to specific sectors other than SABRIC. After engaging some participants, we discovered that institutions preferred to operate in silos for fear of exposing their strategies or company information. It is against this background that the present study examined interventions that are deployed by South African commercial banks to mitigate cyber-attacks and threats. The following research questions guided us to address the study objectives:
- What are the main cybercrime typologies targeted at South African commercial banks?
- What are the effects of cybercrime typologies on the performance of commercial banks?
- What interventions can mitigate cyber-attacks and threats in South African commercial banks?
## II. LITERATURE REVIEW
### a) South African Banking Landscape
The banking landscape in South Africa comprises a central bank (South African Reserve Bank), five large local banks and other smaller banks and financial institutions. The sector is considered well-developed and ranked relatively high compared to developed nations. In 2017, the South African banking sector ranked 11th out of 138 countries in market development in the global competitiveness report. It also ranked 2nd out of 138 countries in terms of bank soundness; a sound banking system ensures the optimal allocation of capital resources and efficient management of risks to prevent costly banking system crises and their associated adverse feedback effects on the real economy (Schwab, 2017; Schwab, 2019). Simbanegavi, Greenberg, and Gwatidzo (2015) state that the South African banking sector is monopolistically competitive; however, this does not indicate a lack of efficiency or competitiveness within the market. Moyo (2018) further corroborates this by highlighting that the sector comprised 64 institutions as of 2017, which indicates competitiveness.
The five big banks have also started making significant changes to how they do business; in digital innovation, they have had to choose between becoming part of somebody else's ecosystem or becoming a destination. This has led to some of the banks embracing a platform banking approach, which allows banks to offer more than financial services to their customers. Commercial banks such as Nedbank, First National Bank, and Standard Bank have either started this offering or have expressed their intentions to become platform banks (Whateley, 2021; Brink, 2020; BusinessTech, 2021).
### b) Cybercrime Typologies in the South African Banking Industry
Zhang, Yanping, Xiao, Ghaboosi, Zhang and Deng (2012) define cybercrimes as criminal activities that use modern information technology, such as computer technology, network technology, etc. The South African definition of cybercrimes further expounds on their definition to include cyber extortion, unlawful acquisition, possession, provision, receipt or use of a password, access codes or similar data or devices, attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding, or procuring to commit an offence, theft of incorporeal, penalties, and competent verdicts (Department of Justice and Constitutional Development, 2016). Brar and Kumar (2018) note that cybercrime's motivations include entertainment, hacktivism, financial gain, and revenge. South Africa has also seen a scourge of cybercrimes; critical infrastructure within the country has not been spared, and in 2021 South Africa ranked 7th globally in cybersecurity exposure and had one of the highest numbers of cybercrime victims globally (Cyber Exposure Index, 2021).
### c) Hacking
### d) Internet Fraud
In 2006, within three months, account user details for clients belonging to three commercial banks in South Africa were compromised; the compromised credentials were then used to transfer money from the victims' accounts into either cell phones or Telkom prepaid accounts (IOL Media, 2006). The threat actor, in this case, found a way to hack into either business accounts or personal accounts belonging to the victims using malicious tools such as spyware, backdoor trojans and keyloggers; this breach cost an estimated USD80000 (Oiaga, 2006).
### e) Unethical Employee Behaviour
An attack possibly aided by employees at Landbank and Absa Bank occurred in December 2010; a syndicate hacked into the Landbank's infrastructure and obtained secret passwords that only a select group of personnel had access to. The syndicate then proceeded to set up automated fund transfers to multiple companies. However, the attackers were unsuccessful, as bankers at Absa noticed the suspicious transactions and froze the accounts (Potgieter, 2011). Absa South Africa was a victim of an insider attack after an employee illegally accessed and shared customer information with third parties; the data accessed by the employee contained a mix of sensitive information and marketing information (Thompson & Farber, 2020). Within the same year, Nedbank suffered a data breach through one of its third-party service providers (Computer Facilities (Pty) Ltd). The compromise involved the leaking of personally identifiable information of some Nedbank clients. The third-party breach affected approximately 1.7 million clients, with 1.1 million active clients (Nedbank, 2020).
### f) ATM Fraud Attack
Standard Bank South Africa suffered a massive cyber-attack in 2016, leading to the bank losing ZAR300 million through an ATM fraud attack in Japan. In the coordinated attack, about one hundred people used forged Standard Bank credit cards to withdraw money from 1400 ATMs throughout Japan (Moyo, 2016). It was suspected that hackers broke into the bank's digital infrastructure and obtained about 3000 sets of personal data that were subsequently used in the attack (News24Wire, 2016).
### g) Distributed Denial of Service Attack (DDoS)
### h) Phishing Emails
### i) Identity Theft And Bank Card Fraud
Chigada (2020) reports that identity theft and bank card fraud have the highest commission rate in the world. The South African Bank Risk Information Centre (SABRIC, 2020) reports that identity and credit card theft cases are on the rise. Attackers use the internet (online services) to commit fraudulent solicitations and transactions, and to transmit these fraudulent transactions to financial institutions. Internet fraud has similar traits to cyberstalking (Khan et al., 2020).
### j) Complexity, Frequency and Severity of Cyberattacks
Over time, the increasing complexity, frequency, and severity of cyberattacks targeting financial institutions bring forth the inevitability and the impossibility of completely protecting the integrity of critical computer systems and data (Dupont, 2019). The fourth industrial revolution also adds a level of complexity as it represents a fundamental change in the ways humans live and work; it is enabling the merger of the physical, digital, and biological worlds, the combination of cyber-physical systems, the Internet of Things and the Internet of System, smart factories and fusing technologies in ways that create both promise and peril (Schwab, 2015; Marr, 2018).
### k) Insufficient Information Security Expertise and Awareness
The European Union Agency for Cybersecurity (ENISA) (2021) identifies some of the challenges in cybersecurity as a lack of sufficient information security expertise and awareness, incomplete organisational policies, reluctance to fund security, lack of accountability, fragmentation of security technical standards, supply chain management complexity, interoperability of devices, platforms, and frameworks, and lack of technical capabilities (Malatras, Skouloudi, & Koukounas, 2019). Blum (2020) adds to the list of challenges by identifying ineffective communication, hard-to-change culture, and the lack of solid leadership within organisations.
### l) Lack of Confidentiality, Integrity, and Availability
An information security strategy should be employed to meet the requirements of the information security triad: confidentiality, integrity, and availability. Confidentiality is concerned with access controls around information and system permissions. Integrity is concerned with the authenticity of the information being viewed and accessed. Availability means that anyone authorised can access and modify data within an appropriate timeframe. When looking to secure information resources, organisations must balance the need for security with users' need to effectively access and use these resources (Bourgeois, Mortati, Wang, & Smith, 2019).
## III. INTERVENTIONS TO MITIGATE CYBERCRIME AMONG COMMERCIAL BANKS
### a) Computer Security Incident Response Teams
The Security Operations Centre (SOC), comprising a Computer Security Incident Response Team (CSIRT) and other functions, forms an effective cybersecurity architecture within any institution. The Security Operations Centre and the CSIRT are responsible for dealing with cybersecurity incidents within institutions; they do this by investigating, triaging, responding and remediating incidents (CompTIA, 2021; Cybersecurity & Infrastructure Security Agency, 2007). It has become imperative for firms to establish in-house cybersecurity management teams. In so doing, the teams should develop and implement a governance, risk and compliance framework (Chigada, 2023).
### b) National Cybersecurity Policy Framework
Only recently, through the National Cybersecurity Policy Framework, Cybercrimes Bill, and Protection of Personal Information Act, firm cyber security policies were adopted in South Africa. The purpose of the National Cybersecurity Policy Framework was to create a secure, dependable, reliable, and trustworthy cyber environment that facilitated the protection of critical information infrastructure whilst strengthening shared human values and understanding of cybersecurity in support of national security imperatives and the economy (Republic of South Africa, 2015). The policy framework sets out to achieve this through centralising the coordination of cybersecurity activities and establishing relevant structures, policy frameworks and strategies in support of cybersecurity.
### c) The Protection of Personal Information Act (POPIA)
The Protection of Personal Information Act (POPIA) had the objective of promoting the protection of personal information processed by public and private bodies; introducing certain conditions to establish minimum requirements for the processing of personal information; providing for the establishment of an Information Regulator to exercise certain powers and to perform specific duties and functions in terms of the Act and the Promotion of Access to Information Act, 2000; and regulating the flow of personal information across the borders of the Republic of South Africa, as well as providing for matters connected therewith (Republic of South Africa, 2013).
### d) Adoption and use of Biometric Authentication
Chang and Coppel (2020) state that a good intervention strategy to mitigate credit card fraud is the adoption and use of biometric authentication. Customers do not need to carry credit cards or key in personal identification numbers (PINs) when transacting. Merchants would have invested in biometric technologies that support biometric authentication. Different biometrics usable in the authentication process are classified as physiological (fingerprint, face recognition, iris scan, hand geometry, deoxyribonucleic acid [DNA]) and behavioural (voice pitch, speaking style, typing rhythm, signature, breath) (Pillay, 2020).
### e) Cybersecurity Risk Assessments
Chigada (2023) states that firms should conduct periodic cybersecurity risk assessments to identify security weaknesses and likely risks posed by third-party vendors (Galine et al., 2017). The cybersecurity risk assessment drive helps the firm to keep a detailed register of its assets which are authorised to access the corporate network. There is a proliferation of the Bring Your Own Device (BYOD) approach, where some organisations allow employees to use their personal devices for work purposes (Chigada & Daniels, 2021).
## IV. METHODOLOGY
### a) Research Design
The study employed a qualitative research design, which enabled it to explore the social and human aspects of cybersecurity through a conversational approach. Creswell and Poth (2018) define qualitative research as a research activity that locates the researcher in the world. It consists of interpretive, material practices that make the world visible. The authors expound on the definition by stating that qualitative research begins with assumptions and a theoretical framework that informs the study to address the meaning individuals or groups ascribe to a social or human problem.
Cleland (2017) postulates that qualitative research methods address the "how" and "why" of research questions and facilitate a deeper understanding of experiences, phenomena and context. It further makes it possible for the researcher to ask questions that cannot easily be put into numbers. Our focus was on how reality could be observed and our relationship with that reality (epistemology). By choosing the qualitative research methodology, the intention was to complement the subjective ontological stance and interpretivist philosophical paradigm (Nyasvisvo & Chigada, 2023). In order to address the research problem through direct interaction and personal conversations with participants, the ideal methodological choice was the qualitative one. We probed participants for clarity on issues that were not clear (Creswell & Creswell, 2018).
For this study, qualitative data collection was done through semi-structured interviews with employees from commercial banks in South Africa. Non-probability purposive sampling was used in this study in the selection of participants from the respective IT departments. We used an inclusion/exclusion approach to select participants for the study. The prerequisite for employees to participate was to be employed in IT, Risk, Compliance, IT Security, or governance within the banks. The interviews were conducted using video conferencing software (Microsoft Teams and Zoom).
### b) Data Analysis
As espoused by Kabir (2016), analysing data helps to summarise the findings in a meaningful way so that informed decisions can be made. We were actively involved and participated in the semi-structured interviews; therefore, we understood, described and interpreted the views from the participants' perceptions of events as they occurred in a natural setting. Within qualitative data, we used thematic data analysis (TDA) to identify, analyse and interpret themes which were invaluable to address the research questions (Maguire & Delahunt, 2017). Thematic analysis is a method used to identify and interpret meaning patterns across qualitative data (Clarke & Braun, 2014). Qualitative data analysis is simultaneously an iterative and sequential process that follows a set number of steps to assign meaning to pieces of data (Rossman & Rallis, 2017). This study employed thematic analysis to identify key impediments to the challenges faced by commercial banks in South Africa regarding developing local cybersecurity frameworks. The use of ATLAS.ti helped us to tease out emerging themes from the transcriptions. We deployed a six-step approach in analysing data: familiarisation; generation of initial codes; generating themes; reviewing themes; naming themes; and write-up of this report. To ensure accurate, error-free and easy-to-read responses, we used the Dragon speech transcription software. Findings were presented in text format.
## V. FINDINGS AND DISCUSSION
The data collected for the study was gathered from twenty-one participants, fourteen male participants and seven female participants. The disparity between the number of male and female participants is partly because males dominate the Information Communication Technology (ICT) sector within South Africa. This is supported by Padayachee and Pillay (2018), who state that females are under-represented within the IT sector in South Africa, and further evidenced by Malinga (2021), who points out that out of the 236 000 ICT roles within South Africa, females only hold 23% of those roles. Due to this factor, the study has predominantly more males than females.
### a) Cybersecurity Challenges Faced by Banks from Internal and External Perspectives
This question explored the challenges commercial banks face regarding cybersecurity, revealing one central theme raised by most participants. The main theme was the lack of IT and Cybersecurity skills. Participant MN14 stated that: "I don't think that we have an all-round. I don't think I don't think the industry has an all-around pool of skilled people that can effectively, you know, defend, to a certain extent, yeah." This was supported by participant HN07 who indicated that:
"I think one of the challenges as well is kind of skills, because when it comes to IT security, I don't have the skills and the knowledge"
Given the above perceptions, Participant MR11 added the following comments:
"They will always face threats internally and externally for exploitation and resourcing. I think resourcing. It's a question of the right skills or the right level of skills to be able to protect the bank."
Participants explained how lacking such a fundamental skill is detrimental to an organisation's security posture. Kshetri (2019) mentioned the lack of cybersecurity skills and estimated that by 2020 there would be a shortfall of about 100000 cybersecurity personnel in Africa. The World Economic Forum (2022) and (ISC)² (2021) stated that there is still a workforce gap of more than 2.72 million positions globally, and the cybersecurity workforce needs to grow by 65% to defend the critical assets of organisations effectively.
Participants also noted a lack of resources as one of the driving forces behind the challenges faced by commercial banks. Participant TM02 indicated that:
"I think the budget would be one of the biggest challenges. And why I'm saying this is remembered, most of because the organisation is the bank itself. So, for them to properly ensure that the bank is protected, and such, so the question is, do they have enough budget?"
In support of Participant TM02's views, MR11 stated that "And under-resourcing leads to a plethora of issues in terms of they can't deal with the vulnerabilities in a timely manner. They can't keep up with technologies; they can't keep up with security training". While BN06 asserted that "And the other challenge or the underlying challenge was lack of resources. So, you have fewer analysts or engineers, looking at a SOC."
The European Union Agency for Cybersecurity (2021) supports the participants' views by positing that a lack of information security awareness and expertise in organisations often leads to a lack of cybersecurity budget and inadequate staffing. Da Veiga, Astakhova, Botha, & Herselman (2020) stated that resources are required for successful implementations or changes to information security, with budgeting and funding being crucial to implementing security practices within organisations.
Commercial banks' cybersecurity challenges are industry-wide and not specific to one commercial bank. The first response was obtained from Participant AA19 who stated that:
"The second part of it, which is a lot around education and awareness and training for your staff, your staff need to be aware of the type of emails, they need to look out for the type of phishing emails that are being sent. It's very well crafted these days."
In support of Participant AA19, Participant JP16 further pointed out that:
"Yes, we put controls in place to ensure they cannot remove that sensitive data information. But they are our first line of defence. I think of the word now that the attackers use a syndicate, Syndicate, and that's always going to be the main thing."
Participant KS12 averred and indicated that "The biggest vulnerability, according to me, right? It's people. Yeah, it's people. And, and by people, I mean end-users, because those are where most of the breaches stemmed from, you know, your phishing and all that."
Some of the major cyber incidents that have occurred recently were partly due to users who were incompetent, negligent or did not know better. This was evidenced by Van Niekerk (2017), who stated that one of the first successful cybercrime incidents against a commercial bank was a threat actor compromising a user's account by sending malicious mail to the user. Mitnick, Simon, & Wozniak (2002) ultimately state that employees and end-users are the greatest threat to corporate information security, intentionally or through negligence or often due to lack of knowledge.
Participants identified the deprioritisation of cybersecurity as one of the contributors to the challenges commercial banks face regarding cybersecurity. Participant JB15 stated that: "The first issue is that executive is primarily focused on generating revenue, as opposed to implementing security controls". This was echoed by Participant SD17 who had this to say:
"I think it's because I'm in, I've been put in a position where it's not emphasised, cybersecurity. And when you're given a title, you stick to the title and like expectations, and our theory to sort of know or understand it and things."
Participant NM21 asserted that "I mean, a long time ago, not maybe not a long time ago, not a long time ago. But if I were to wrap it up, I'd say it before, it wasn't something that banks traditionally focused on".
Security prioritisations help organisations identify the potential risks affecting them and subsequently prioritise the defence of their digital assets (Blum, 2020). Although the participants might occupy high positions of influence, security was still not emphasised in their role, implying that their subordinates also did not see the importance of safety. Keman and Pearson (2019) state that an organisation's lack of a strong cybersecurity culture can make them less resilient against cyberattacks.
### b) Misalignment of Security and Business
The response from Participant JB15 was that "If you have too many security controls in place, you're slowing down business and stopping business from happening."
Participant KS12 provided a detailed response by stating that:
"But remember, security is actually a deterrent to business. To a certain extent. That's why you can't. We can just put encryption on everything because it then degrades the performance of applications and stuff."
A different perspective was shared by Participant JP16 who indicated that "You know, and this is the big kind of the elephant in the room with security is that security is always seen to business and project drivers as a blocker."
Blum (2020) states that misalignment of security and business could negatively affect any project's security touch. Edwards (2020) notes that a disconnect exists between how businesses understand and manage cyber risk, driven by organisations failing to view cybersecurity as a business strategy rather than an IT problem. To overcome this misalignment, Boehm, Curcio, Merrath, Shenton, and Stähle (2019) assert that organisations need to move towards a risk-based approach to cybersecurity.
### c) Cybersecurity Frameworks within your Bank
From the question asked, one central theme emerged of the framework employees were most familiar with in their organisation. Three other subthemes emerged from the interview with the participants.
#### Theme 1: NIST Cybersecurity Framework
Multiple participants mentioned the NIST Cybersecurity framework as one of the frameworks used within their organisations. Participant MR11 was succinct with the response by stating that "So, the NIST I know we are we just at the company that I'm working, for now, we just did NIST, NIST review." An equally precise response from Participant AM09 stated that "Okay. All right. So, what I know is okay, this is the NIST framework." Whereas Participant JB15 weighed in by outlining that "So, for most of everything I've based everything on NIST compliance. Okay. The reason I've chosen NIST is that the American government takes federal law very, very seriously"
The National Institute of Standards and Technology's cybersecurity framework is a set of cybersecurity activities that are common across the critical infrastructure sector (Alexander & Panguluri, 2017). With estimates stating that almost 50% of all enterprises use NIST, the framework being the most mentioned by participants shows the popularity and widespread adoption of the framework (Banga, 2020).
#### Theme 2: ISO Frameworks
Participants also cited the International Organization for Standardization (ISO) standards as frameworks they were aware of within their organisations. Short and precise responses were received from three participants. For instance, Participant NT03 said that "Like sort of standard, like, for example, the one that I'm aware of. It's ISO 2700 something". Participant KM05 had this view that supported Participant KM03, "The ISO 27001 That is the only internationally accepted framework. So, meaning that it's an ISO standard, it's accepted everywhere is used everywhere, and that is the accepted norm." While Participant AM09 indicated that "Then your ISO to 27001 And 27002, and then. Yeah, but then now also, with the cloud. This standard is an ISO standard for security in the cloud."
The ISO 27001/ISO 27002 frameworks/standards describe an Information Security Management System (ISMS) and detail the steps involved in the establishment of such a system. The ISMS aims to minimise risk and ensure business continuity by limiting the impact of security breaches through creating policies and procedures to manage a business's sensitive information.
#### Theme 3: Do not know
A subtheme from the interview with the participants was that a few were unaware of the frameworks utilised within their organisations. Participants gave reasons ranging from cybersecurity not being in the direct scope of their roles to the organisations they are employed within not emphasising cybersecurity enough in day-to-day operations. Participant SD17 outlined that "I'm not really familiar with. I think it's because I'm in, I've been put in a position where it's, it's not emphasised". This was also supported by Participant DM01 who said that "I actually don't know. It's not in my scope. And then I've not really seen or heard anything shared along if the exact frameworks or tools that are being used within the bank." There was concurrence from Participant AB10 who also did not know and stated that "Zero, sorry. I guess more I don't know if I should call front-end or client-facing software; those layers might integrate more directly into our cybersecurity framework. But we are the absolute back end."
### d) Interventions to Mitigate the Threats Faced by the Banks
Various interventions that informed the themes of the question emerged during the study; these included implementing controls within the banks, building a more robust culture and awareness around cybersecurity, and continuously monitoring and maintaining the organisation's security posture. The themes identified during the analysis of the captured responses are below.
#### Theme 1: Security Controls
Many of the participants indicated that having controls in place is one of the most effective ways to mitigate the threats and attacks faced by the bank. These controls comprise the three common cyber control types: physical controls, technical controls, and administrative controls (Chapple, Tittel, & Stewart, 2021).
"So we had initiatives around secure perimeter and network. And then so obviously, making sure that we don't have any high-risk vulnerabilities that externally facing, conducting pen test remediating vulnerabilities during the configuration." These views were shared by Participant MR11.
These views by Participant JP16 differed from what was stated by Participant MR11 above in that:
"But, you know, as I said, we have controls in place to ensure that we monitor data flow, and we understand what's happening in the environment."
Participant AA19 bridged the gap between what was said by Participants MR11 and JP16 by stating that:
"You look at the type of access governance that you also have in place, which means only certain individuals are allowed to have access to certain data at any given time."
IBM Cloud Education (2019) describes security controls as "parameters implemented to protect various forms of data and infrastructure important to an organisation". Although participants stated that having controls in place is one of the best ways of mitigating the threats the organisation faces, inadequate controls or control failures are usually the reason behind successful breaches. To put adequate controls in place to defend against attackers, organisations need to undertake a risk analysis to determine which controls are necessary.
Theme 2: Security Tools and Assessments: The responses included the various initiatives that institutions need in order to ensure that they are secure to some extent and that they continuously monitor their security posture. What was considered secure yesterday would not necessarily be considered secure today. Participant MN14 stated that:
"You know, interventions are definitely buying the latest and greatest technology, the bank, the banking institutions, or the sector, if you may, they, they hardly spare any expenses when it comes to tools."
While Participant AA19 was succinct in their answer by stating that "We do a lot of simulation, penetration testing, continuous routine testing."
A comprehensive view of security tools and assessments was obtained from Participant JB15:
"We use IPS, IPS and IDS technologies to do like virtual patching. They using vulnerability scanners to pick up vulnerabilities that exist in the networks and in the infrastructure."
From the responses above, it was clear that the organisations use a vast and varied set of tools from different vendors to protect themselves. Comments from Participant MN14 show that the organisations spare no expense when securing the best tools available. These tools may be a collection of technical processes and practices designed to protect the institution (Möller, 2020; Sheikh, 2020).
Theme 3: Awareness and Training: It was evident from the participants that security awareness and training programmes are crucial in educating end-users and employees in organisations to be more aware of security threats and to respond appropriately. With regard to training and awareness, Participant AA19 stated that:
"There so that it's really important awareness education with the customers as well, ensuring that they know that, you know, ever, if there's any communication that comes from a bank, that they verify that they trust in the source that it actually comes from."
Participant VS18 summarised their response by stating that "We constantly have to do what is this cybersecurity trainings to just make sure that we are aware of, you know, is out there." However, a more detailed response was obtained from Participant KM05 who indicated that:
"The people aspect, I would say the interventions have also been implemented there to ensure that you put people in those processes, that that that they understand their recommendations, that they understand they are role in protecting themselves and their organisations."
Awareness programmes further assist in disseminating an organisation's security policy to its employees, with the hope that these programmes will encourage a security-aware culture so that good security practices become the de facto approach to everything in an organisation (Gundu, Flowerday, & Renaud, 2019).
Theme 4: Risk Assessments: These assessments were critical drivers to understanding the overall risk the organisations were exposed to and tools for calculating and understanding the risk they would be exposed to when integrating with third-party service providers.
Participant BN06's views regarding risk assessments were that:
"So, when I can think of taking that high-level risk assessment, being able to understand the risk faced by the bank, and through the process of risk assessment, you then need to make sure you have the right controls or tools, which mitigates those specific risk, and ultimately, threats as well."
Risk assessment in terms of contracts was a major issue for Participant KM05, who indicated that "For every third party that we contract, we need to make sure that we do risk assessment, including a cybersecurity risk assessment". A different view was obtained from Participant MR11, who stated that "Also risk management effective proactive for thinking looking risk management. I think banks have done a pretty good job in terms of trying to resource the risk management department".
Participant JP16 had this to say regarding risk assessments:
"Like I say, you're always going to have attacks and breaches, but this is exactly why we, we build in our risk appetite into these projects and how we implement controls, and we understand what is material to the bank."
Blum (2020) posits that risk management can be a keystone within an organisation's security culture and governance model. Wang, Ding, Sui, and Gu (2021) also support the participants' views by stating that risk assessments are essential to effectively responding to cyberattacks. Their paper demonstrates how risk assessments assist in quantifying and identifying cybersecurity risks and finding attack paths with high cybersecurity threats.
### e) Impact of Cyber-Attacks and Threats on the Operations of the Bank
The themes below served to answer the question above about the impact cyber-attacks and threats have on commercial banks. They also sought to meet the research objective of assessing the impact of cyberattacks and threats on commercial banks. Four themes were identified from the interviews:
Theme 1: Stop Operations: One of the other subthemes from the participants was the impact cyberattacks had on the CIA triad mentioned earlier in this study. Multiple participants noted how attacks could impact either of the triad's pillars, leading to a halt in operations. Participant MR11 stated that "I think from an attack perspective if an attack is successful, the bank cannot operate at all. So, transactions cannot take place. People cannot transact, which leads to a financial impact on the bank."
More detailed responses were obtained from Participants JB15 and AA19 respectively:
"They, I mean, it can really shut down the bank. You know, if the threat of the attack is big enough, yeah, you know, if you, if you're a small bank, and you get a distributed denial of service, and you're very centralised, the entire bank could be offline you cannot operate" (Participant JB15).
"We know ransomware is a massive issue. As you can imagine, you get different types of ransomware, you get ransomware, that encrypts files, and you get ransomware. That encrypts hard drives and systems" (Participant AA19).
Theme 2: Reputational Damage: This was summarised by Participant AA19 who stated that "And then obviously, the big elephant in the room is the reputational damage that comes from that because As you know, if your customer doesn't trust you anymore, your customer is $95\%$ of the time going to go somewhere else."
Participant NM21 argued that data breaches caused reputational damage to the brand by stating that:
"Reputational damage reputation itself obviously is terrible, this type of attacks and the times will go out to the media."
The above extract was supported by Participant TM02 who stated that:
"So the implications could be catastrophic for the bank, you know, in a nutshell. And with that said, I think the manner in which the bank would respond to such attacks."
Reputational damage and trade name devaluation are real consequences of cyberattacks. Trust between clients and investors is usually eroded when organisations are victims of cyber incidents. Hollard (2017), which is an insurance provider in South Africa, states how a cyber incident that occurred at Standard Bank South Africa, which cost the bank around ZAR 300 million, had an impact on the organisation's reputation, not only because of the attack but also because of the downtime associated with these attacks. Agrafiotis, Nurse, Goldsmith, Creese, and Upton (2018) identify reputational harm as one of the cyber-harms that results from cyberattacks; they state that reputational harm adversely affects how the public perceives the organisation, and this might, in turn, have an effect on how the media portrays the organisation and on the relationship between the organisation and its stakeholders.
Theme 3: Financial Losses: It was also evident that participants knew that financial losses faced by commercial banks when dealing with cyber-attacks were not only from the cybercriminals carrying out the attack but from the regulators who could impose fines on the banks for those material breaches. Participant KS12 indicated that "I mean, quoting the words of our CEO, cyber threats, have the potential to bankrupt the bank. And probably even make us shut down in a very short space of time."
Participant OO04 directly pointed out that financial losses were highly likely to occur by stating "There is a potential for financial losses, there is a potential for regulatory losses in terms of fines from the regulatory body when there is if it is determined that sufficient controls were not put in place to prevent the incident from happening".
A different perspective was shared by Participant VS18 who spoke about investors pulling out of the hacked bank:
"If the bank were to be hacked, shame, god forbid, and your traders don't have access to the market, the bank would lose millions because then you won't be able to bid in the market like wouldn't be able to participate."
The participants' views are corroborated by an Accenture report (2019), which showed that the annual costs of all types of cyber-attacks are increasing, with the average cost of an attack totalling US$13.0 million in 2018. Within South Africa, fines are imposed by the South African Reserve Bank and the Information Regulator, depending on the type of infringement. Examples of these fines include a ZAR 1 million fine imposed on Habib Overseas Bank Limited for inadequate internal controls for detecting suspicious and unusual transactions; Investec Bank Limited was fined R20 million for a similar transgression (South African Reserve Bank, 2020). Recent examples include a possible penalty for the credit bureau TransUnion over a cyber breach that affected data belonging to South African citizens. The credit bureau was facing a potential fine of ZAR 10 million for the breach (My Broadband, 2022).
Theme 4: Loss of Investor and Customer Confidence: The last subtheme that emerged from the participants was how suffering cyberattacks could result in the financial institution losing investors and how customers' confidence in the institution might suffer.
Their views are supported by an expanse of literature that cites that the announcement of cybercrime often negatively impacts the market value of the stock prices (Smith, Jones, Johnson, & Smith, 2019). EY Global (2019) asserts the participants' views by stating that a cyberattack can destroy trust between organisations and their customers. This is because, in recent times, customers have been providing more data to organisations. Concurrently, concerns around data privacy and cybersecurity have been growing among customers.
Participant VS18 stated that:
"And shareholders would not have faith, you know, in the bank itself. Because if you're unable to protect your systems against cyber-attacks, then they cannot trust that the interests are protected in the bank, and they feel very vulnerable. So you can do a lot in terms of the share price."
Participant DM01 was clear on how the loss of information could be consequential to the bank, stating that "You could lose, number one, some very important information of your clients, which in turn will result in a loss of trust with the clients in the bank. And, you know, you could lose market share".
## VI. CONCLUSION
This paper examined the mitigations available to commercial banks in South Africa for dealing with cyber threats and attacks. The results evidenced multiple contributors to the success of attacks by threat actors. It would take a concerted effort by all stakeholders to mitigate the threats faced by the banks. From the responses, it emerged that, to mitigate the threats, efforts would need to be applied to improving the cybersecurity culture within organisations and provisioning more resources, including skilled security professionals and the financial resources required to obtain the necessary tools and security assessments to identify and mitigate threats. Security needs to be viewed as an enabler of business. This would enable security to widen its scope within organisations and actively analyse and prioritise risk. The overall theme that emerged from the findings was that the issue of security needs novel approaches that employ a three-pronged approach of people, process, and technology.
The study's limitations were the adoption and implementation of POPIA, which limits the sharing of personal information without the express consent of the data subjects; the implications were that identified participants and respondents to the study could not share details of potential respondents and participants without first acquiring their consent. Furthermore, the participants of the semi-structured interviews were employees from the big five commercial banks in South Africa. Due to this, the study's findings portray views mainly of the big five banks.
Future research may be performed to investigate the impacts the regulations have on commercial banks and to determine if they have had a positive effect on cybercrimes and cybersecurity within the country. To gather a more comprehensive picture of the threats and patterns of attacks faced by banks, further studies could focus on obtaining the necessary permissions and clearance to conduct a study of this nature within the banks. This will enable better data collection and access to information that is not publicly available due to its sensitivity.
### ACKNOWLEDGEMENTS
The authors acknowledge with gratitude the University of the Western Cape for allowing this study to take place. The financial institutions and participants to the study are acknowledged for their time and invaluable contributions towards the completion of the project. We acknowledge our families and friends for their support towards this study.
References
(2021). A Resilient Cybersecurity Profession Charts the Path Forward: (ISC) 2 Cybersecurity workforce study.
(2019). Ninth annual cost of cybercrime study unlocking the value of improved cybersecurity protection.
(2020). Insight into the cyber threat landscape in South Africa.
I Agrafiotis,J Nurse,M Goldsmith,S Creese,D Upton (2018). A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate.
Bill Albert,Tom Tullis,Donna Tedesco (2009). Case Studies.
D Albert (2020). Why Security Can't Live In A Silo.
Richard Alexander,Srinivas Panguluri (2017). Cybersecurity Terminology and Frameworks.
M Alvarez (2017). IBM increases Internet services.
Robert Armstrong,Jackson Mayo (2009). Leveraging complexity in software for cybersecurity.
Maria Baldassarre,Vita Barletta,Danilo Caivano,Michele Scalera (2020). Integrating security and privacy in software development.
G Banga (2020). How To Ensure Your NIST Cybersecurity Framework Implementation Isn't Too Little, Too Late.
M Barrett (2018). Framework for Improving Critical Infrastructure Cybersecurity Version 1.1.
A Bert (2018). 3 reasons gender diversity is crucial to science.
D Blum (2020). Rational Cybersecurity for Business the Security Leaders' Guide to Business Alignment.
Dan Blum (2020). Rational Cybersecurity for Business.
J Boehm,N Curcio,P Merrath,L Shenton,T Stähle (2019). General Model for Understanding Cybersecurity Risk.
Charl Wolhuter,Hannes Van Der Walt,Ferdinand Potgieter,Louisa Meyer,Thapelo Mamiala (2019). What inspires South African student teachers for their future profession?.
D Bourgeios,J Mortati,S Wang,J Smith (2019). Information Systems for Business and Beyond.
L Bramwell (2017). Parliament.
Harmandeep Brar,Gulshan Kumar (2018). Cybercrimes: A Proposed Taxonomy and Challenges.
L Buthelezi (2022). Hawks arrest Absa engineer for alleged theft of R103 million.
D Cabrera,L Cabrera (2018). CONNECTING SILOS: Solving the problem of organizational silos using a simple systems thinking approach.
W Carter (2017). Forces Shaping the Cyber Threat Landscape for Financial Institutions.
Frankie Catota,M Morgan,Douglas Sicker (2018). Cybersecurity incident response capabilities in the Ecuadorian financial sector.
F Catota,M Morgan,D Sicker (2018). Cybersecurity incident response capabilities in the Ecuadorian financial sector.
Mike Chapple,James Stewart,Darril Gibson (2021). CISSP, Eighth Edition.
Zhuming Chen,Yushan Li,Yawen Wu,Junjun Luo (2017). The transition from traditional banking to mobile internet finance: an organizational innovation perspective - a comparative study of Citibank and ICBC.
Kehinde Alade,Abimbola Windapo (2023). Leadership Framework for Sustainable Housing Production in South Africa.
Joel Chigada (2020). A qualitative analysis of the feasibility of deploying biometric authentication systems to augment security protocols of bank card transactions.
J Chigada,M Kyobe (2018). Evaluating Factors Contributing to Misalignment of the South African National Cybeersecurity Policy Framework.
Joel Chigada,Patrick Ngulube (2015). Knowledge management practices at selected banks in South Africa.
Joel Chigada,Rujeko Madzinga (1277). Cyberattacks and threats during COVID-19: A systematic literature review.
J Chigada,N Daniels (2021). Exploring information systems security implications posed by BYOD for a financialservice firm.
Jennifer Cleland (2017). The qualitative orientation in medical education research.
W Copan (2020). A Conversation on the NIST Privacy Framework.
W Cram,Jeffrey Proudfoot,John D’arcy (2020). Maximizing Employee Compliance with Cybersecurity Policies.
J Creswell,V Plano Clark (2017). Designing and Conducting Mixed Methods Research.
John Creswell,Cheryl Poth,Peter Rawlins (2018). Mapping Design Trends and Evolving Directions Using the Sage Handbook of Mixed Methods Research Design.
J Creswell,A Tashakkori (2007). Editorial: The New Era of Mixed Methods.
(2021). Productive Capacities Index country group summary statistics by category.
Adéle Da Veiga,Liudmila Astakhova,Adéle Botha,Marlien Herselman (2020). Defining organisational information security culture—Perspectives from academia and industry.
R Dekkers (2017). Applied Systems Theory.
Deloitte (2022). Cruickshank, David John Ogilvie, (born 20 Feb. 1959), Chairman, Deloitte Global, since 2015 (Chairman, Deloitte UK, 2007–15).
(2022). Cruickshank, David John Ogilvie, (born 20 Feb. 1959), Chairman, Deloitte Global, since 2015 (Chairman, Deloitte UK, 2007–15).
Sagwadi Mabunda (2016). Cyber Extortion, Ransomware and the South African Cybercrimes and Cybersecurity Bill.
Benoît Dupont (2019). The cyber-resilience of financial institutions: significance and applicability.
M Edwards (2020). Facing the Challenge of Aligning Cybersecurity and Business.
(2021). Cybersecurity for SMES Challenges and Recommendations.
George Christou (2016). Network and Information Security and Cyber Defence in the European Union.
Ey Global (2019). Cybercrime. What does the most damage, losing data or trust? Retrieved.
(2019). Acer hit by record ransom.
M Gerhardt,J Nachemson-Ekwall,B Fogel (2022). Harnessing the Power of Age Diversity.
Cynthia Grant,Azadeh Osanloo (2014). Understanding, Selecting, and Integrating a Theoretical Framework in Dissertation Research: Creating the Blueprint for Your “House”.
Hollard (2017). The new word in insurance: cyber insurance.
(2023). The CIA triad of confidentiality, integrity and availability.
M Himmel,F Grossman (2019). Security on distributed systems: Cloud security versus traditional IT.
Ibm (2021). IBM: 2020 Cyber Resilient Organisation Report.
(2022). ISO 27001 AND THE MANAGEMENT SYSTEM REQUIREMENTS.
(2003). How to become a Bioperl hacker.
(2006). Bank admits to hacking attacks.
F Karlsson,K Hedström,G Goldkuhl (2017). Practice-based discourse analysis of information security policies.
G Lipkin,G Azarenkov (2015). Typical errors in the design and adjustment of control systems in the energy sector.
(2022). Online top 20: data captured using kaspersky lab'S online scanner.
H Keman,P Keri (2019). For What Technology Can't Fix: Building a Model of Organizational Cybersecurity Culture.
Navid Khan,Sarfraz Brohi,Noor Zaman (2020). Ten Deadly Cyber Security Threats Amid COVID-19 Pandemic.
Dejan Kosutic,Federico Pigni (2020). Cybersecurity: investing for competitive outcomes.
Nir Kshetri (2019). Cybercrime and Cybersecurity in Africa.
Jessica Lester,Yonjoo Cho,Chad Lochmiller (2020). Learning to Do Qualitative Data Analysis: A Starting Point.
Ling Li,Wu He,Li Xu,Ivan Ash,Mohd Anwar,Xiaohong Yuan (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior.
Christopher Vandal (2011). Financial Analysis of Lockheed Martin, A Global Leader in Defense Contracting: Managerial Financial Analysis & Strategic Planning.
Sagwadi Mabunda (2019). Cyber Extortion, Ransomware and the South African Cybercrimes and Cybersecurity Bill.
A Malatras,C Skouloudi,A Koukounas (2019). European Union Agency for Network and Information Security (ENISA): European Union Agency for Network and Information Security (ENISA).
Andile Ngcobo,A Nenguda,Jean-Marie Mbuya (2021). The impact of remote work practices on the productivity of public service employees in the gauteng department of education.
Thierry Mbelli,Barry Dwolatzky (2016). Cyber Security, a Threat to Cyber Banking in South Africa: An Approach to Network and Application Security.
Neil Mcbride (2005). Chaos theory as a model for interpreting information systems in organizations.
J Mckane (2019). South African banks hit by massive DDoS attack.
A Mcleod,C Dorantes,G Dietrich (2008). Modeling Security Vulnerabilities Using Chaos Theory: Discovering Order, Structure, and Patterns from Chaotic Behavior in Complex Systems.
K Mitnick,W Simon,S Wozniak (2002). The Art of Deception: Controlling the Human Element of Security.
Janice Morse,Michael Barrett,Maria Mayan,Karin Olson,Jude Spiers (2002). Verification Strategies for Establishing Reliability and Validity in Qualitative Research.
A Moyo (2016). The Changing Modus Operandi of the CMO.
Busani Moyo (2018). An analysis of competition, efficiency and soundness in the South African banking sector.
My Broadband (2022). Trans Union faces R10-million fine for hack.
Nedbank (2020). Nedbank warns clients of potential impact of data incident at Computer Facilities (Pty) Ltd.
Wire (2016). Forty million credit card numbers hacked.
Miloslava Plachkinova,Ace Vo,Gunjan Batra,Humayun Zafar (2023). Beyond Routine Activity Theory: Towards a Novel Phishing Victimization Theory.
D Ocholla,J Le Roux (2011). Conceptions and misconceptions of theoretical frameworks in library and information science research: a case study of selected theses and dissertations from eastern and southern african universities.
M Oiaga (2006). Three South African Banks Hit by Hackers.
(2017). Information technology. The Open Group Service Integration Maturity Model (OSIMM).
R Padayachee,V Pillay (2018). Figure 14.2. Women remain under-represented in parliaments, and progress is slow in many OECD countries.
(2022). WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)?.
Dominique Bowers,Ntswaki Matlala,Moegamat Berhadien,Henry Umetor,Thabo Gongxeka (2019). SUSTAINABLE SUPPLY CHAIN MANAGEMENT AND DISRUPTIVE THEORY: A BIBLIOMETRIC REVIEW.
D Potgieter (2011). Absa intercepts Land Bank swindle.
T Ramluckan,B Van Niekerk,L Leenen (2020). Cybersecurity and information warfare research in South Africa: Challenges and proposed solutions.
Dhanasekar Elumalai (2009). The Role of Chaos Engineering in DevSecOps Strengthening Security and Compliance in Agile.
Sizwe Snail Ka Mtuze (2013). THE CONVERGENCE OF LEGISLATION ON CYBERCRIME AND DATA PROTECTION IN SOUTH AFRICA: A Practical Approach to the Cybercrimes Act 19 of 2020 and the Protection of Personal Information Act 4 of 2013.
Kruger Petronell,Moyo Khulekani,Mudau Paul,Pieterse Marius,Spies Amanda (2015). Republic of South Africa: Legal Response to Covid-19.
G Rossman,S Rallis (2017). An Introduction to Qualitative Research.
H Salim,S Madnick (2016). Cyber Safety: A Systems Theory Approach to Managing Cyber Security Risks -Applied to TJX Cyber Attack.
M Saunders,P Lewis,A Thornhill (2009). Research Methods for Business Students.
W Simbanegavi,J Greenberg,T Gwatidzo (2015). Testing for Competition in the South African Banking Sector.
J Sinnot,J Rabin,K Smith,A Jones,L Johnson,L Smith (2012). Examination of cybercrime and its effects on corporate stock value.
(2020). Research Department - General Economic Conditions - Letters to the Reserve Banks - Letters to South African Reserve Bank - File 4 - 1934.
Jose Such,Pierre Ciholas,Awais Rashid,John Vidler,Timothy Seabrook (2019). Basic Cyber Hygiene: Does It Work?.
E Sutherland (2017). Governance of Cybersecurity - The Case of South Africa.
W Swart,M Wa Afrika (2012). It was a happy New Year's Day for gang who pulled off.
W Thompson,T Farber (2020). Absa says 'some sensitive customer information' stolen by employee.
S Tisdale (2015). CYBERSECURITY: CHALLENGES FROM A SYSTEMS, COMPLEXITY, KNOWLEDGE MANAGEMENT AND BUSINESS INTELLIGENCE PERSPECTIVE.
J Turner,R Baker (2019). Complexity Theory: An Overview with Potential Applications for the Social Sciences.
Betsy Uchendu,Jason Nurse,Maria Bada,Steven Furnell (2021). Developing a cyber security culture: Current practices and future needs.
B Van Niekerk (2017). An Analysis of Cyber-Incidents in South Africa.
P Vecchiatto (2003). Hack not to blame in new Absa fraud case.
Shuang Wang,Lei Ding,He Sui,Zhaojun Gu (2021). Cybersecurity risk assessment method of ICS based on attack-defense tree model.
L Wilkinson (0310). Seeking Foundations for the Science of Cyber Security: Editorial for Special Issue of Information Systems Frontiers.
K Zetter (2015). Hackers Finally Post Stolen Ashley Madison Data | WIRED. Hackers Finally Post Stolen Ashley Madison Data.
Y Zhang,Y Xiao,K Ghaboosi,J Zhang,H Deng (2012). A survey of cyber crimes.
No ethics committee approval was required for this article type.
Data Availability
Not applicable for this article.
How to Cite This Article
Dr. Joel Chigada. 2026. “Mitigating Cyber-Attacks and Threats in South African Commercial Banks”. Global Journal of Computer Science and Technology - G: Interdisciplinary GJMBR-G Volume 24 (GJMBR Volume 24 Issue G1): .