Expert raises concerns over Finance Ministry’s cybersecurity measures after BEC attack
April 25, 2026 10:15 am
Cybersecurity expert Asela Waidyalankara states that technical measures are available to prevent incidents such as hackers gaining access to funds, as seen in the reported cyberattack involving a USD 2.5 million Treasury payment.
He explained that the cyberattack method used in the incident is known as Business Email Compromise (BEC), a tactic that has affected many private sector institutions.
However, Waidyalankara pointed out that because the Central Bank of Sri Lanka (CBSL) has recommended that the domestic banking system obtain ISO 27001—the international standard for Information Security Management Systems—cyberattacks against banks have been minimized.
According to him, if an institution such as the Treasury, which bears greater responsibility for the country’s funds than a bank, had implemented similar control mechanisms, the impact of such incidents could have been minimized.
Further elaborating, he stated that BEC cyberattacks typically involve intercepting invoices sent by one organization, altering the details, and redirecting payments to fraudulent accounts.
Cybersecurity expert Asela Waidyalankara further stated:
“The Business Email Compromise (BEC) method was utilized in this cyberattack. This is a common occurrence in the private sector. For example, when an invoice is sent from one organization to another, hackers may intercept it, alter the account details, and redirect the payment to a different account. The concern here is that this involved a financial transaction within a branch of the country’s Ministry of Finance.”
He stated that technical tools are available to mitigate such risks and noted that it must be examined whether these measures were properly utilized, whether email systems were up to date, and whether they had been adequately patched. He further observed that there appear to be structural issues within the institution regarding the management and oversight of cybersecurity.
“The Central Bank has mandated that Sri Lankan banks obtain ISO 27001 certification, which requires annual external audits. The absence of such standards in an institution like the Ministry of Finance, where national funds are handled, represents a significant shortcoming. While ISO 27001 does not guarantee immunity from cyberattacks, it provides a framework to minimize such risks,” he said.
He further added, “Banks are not routinely compromised because they adhere to stringent cybersecurity standards and processes. Given that the General Treasury handles national wealth on a scale greater than that of a typical bank, implementing comparable controls could have potentially prevented this situation.”
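The invoice-interception pattern described above has a simple finance-side control: never release a payment whose beneficiary details differ from the vendor master record, or whose invoice arrived from a domain other than the vendor's registered one, without out-of-band confirmation. The following is an added example, not code from the article or any institution it mentions; the vendor master record, the invoice fields and the dual-approval threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master record (assumed structure): beneficiary details are
# changed only through an out-of-band verified process, never from an invoice.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Supplies Ltd", "domain": "acme-supplies.example",
               "bank": "BANK-A", "account": "1234567890"},
}

@dataclass
class Invoice:
    vendor_id: str
    sender_email: str
    bank: str
    account: str
    amount: float

@dataclass
class Decision:
    release: bool                 # safe to pay without further checks
    dual_approval: bool = False   # second approver required
    reasons: list = field(default_factory=list)

def _sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()

def check_invoice(inv: Invoice, dual_threshold: float = 100_000.0) -> Decision:
    """Hold payment when beneficiary details differ from the vendor master or the
    invoice came from a domain other than the vendor's registered one; large
    amounts additionally need a second approver."""
    master = VENDOR_MASTER.get(inv.vendor_id)
    if master is None:
        return Decision(False, reasons=["unknown vendor id; hold for verification"])
    reasons = []
    if (inv.bank, inv.account) != (master["bank"], master["account"]):
        reasons.append("beneficiary bank/account differs from vendor master; "
                       "confirm via the contact number on file, not the invoice")
    if _sender_domain(inv.sender_email) != master["domain"]:
        reasons.append("sender domain does not match the vendor's registered domain")
    needs_dual = inv.amount >= dual_threshold
    return Decision(release=not reasons, dual_approval=needs_dual, reasons=reasons)

if __name__ == "__main__":
    # Constructed altered invoice: lookalike domain and a new beneficiary account.
    altered = Invoice("V-1001", "billing@acme-suppIies.example",
                      "BANK-B", "9988776655", 2_500_000.0)
    print(check_invoice(altered))
```

The check is only as good as the vendor master it compares against, so changes to that record must themselves go through a verified, logged process outside e-mail.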
