Cybercrime & Government Failures Threaten Investor Confidence – Sri Lanka Guardian | #cybercrime | #infosec

MDPI (Multidisciplinary Digital Publishing Institute), a major Switzerland-based publisher of over 500 peer-reviewed, open-access journals, founded in 1996, in a review titled The Long-Run Impact of Information Security Breach Announcements on Investors’ Confidence: The Context of Efficient Market Hypothesis by Syed Emad Azhar Ali, Fong-Woon Lai, Rohail Hassan, and Muhammad Kashif Shad, in an MDPI publication in January 2021, points out that “Among undesirable impacts, emphasis must be put on the risk of information security (ISec) breaches, as they pose a potential threat to businesses. Especially for publicly traded firms, they could create a long-lasting influence on their financial performance and, thus, stock investors’ confidence.” In summary, the paper says that when large-scale computer scams are, or are perceived to be, handled poorly or are facilitated by corruption, they lead to a significant loss of both local and international investor reputation, potentially causing capital flight.

fDi Intelligence, a specialist division of the Financial Times, is a premier source for foreign direct investment (FDI) information, providing data-driven news, analysis, and tracking tools. In a recent research publication, it has stated that cyber-attacks are on the rise as they emerge as the flipside of the global digital economy, and they cost the world $8tn in damages in 2023 alone, and that public institutions at the highest level, particularly in developing economies, have proven vulnerable to such attacks.

Terence Toland, a manager at Kearney, a leading global management consulting firm, has stated that “countries with poor cyber hygiene risk seeing their investment appeal decrease as multinationals limit exposure to such risks, and that the reputational damage caused by a big breach, particularly a well-publicised breach, would definitely have a negative impact on the market’s prospects for FDI or being a supply chain destination.” As one would say, it’s not rocket science to say that financial scams pose significant threats to the economic stability and growth of emerging economies. These fraudulent activities undermine investor confidence, distort market efficiency, and divert scarce resources away from productive investments.

In Sri Lanka, a few IT and non-IT related issues, but primarily large-scale computer scams and high-profile cyber incidents, appear to have the potential to severely damage investor confidence by eroding trust in the security of financial systems, weakening the reputation of local markets, and introducing significant financial and operational risks. It is vital for the government to address these issues very urgently and expeditiously, possibly considering the engagement of a reputed international entity specialised in this area to undertake an urgent assessment of the adequacy of cybersecurity measures in the central bank and all local banks, and management measures in place to detect possible scams.

Among the issues that appear to have had a dent in the government’s ability to handle major breaches, both in IT and non-IT related areas, is the controversial container release saga. While it is not a computer-related issue, it has raised a considerable amount of debate and discussion, and the government’s position has been that the practice of releasing some containers without an inspection has been adopted in the past as a means of easing backlogs whenever such backlogs impeded the efficiency of the port. A Parliamentary Select Committee (PSC) is probing the release of 323 containers from the Colombo Port in early 2025 without mandatory physical inspections, many of which were reportedly marked “red” (high-risk). With the investigation extended by three months, and a final report expected in the coming weeks, the PSC report will hopefully provide the required clarity and identify any misdeeds, if any have occurred. However, the time period that has elapsed since the issue hit the headlines and a comprehensive explanation was provided to the public about the circumstances relating to the release of the containers has been far too long, and it has provided ample opportunities for speculation to take hold, whatever the factual situation might be.

The context relating to the Sri Lankan ports situation needs to be mentioned here. Port congestion and delayed cargo clearance, in what have been the highest-performing months for cargo handling, meant roughly 4,200 containers had been held up as of April 2026. The Sri Lanka Ports Authority (SLPA) is attempting to clear backlogs through 24-hour services and is reviewing, as a temporary measure, the use of space in Port City to alleviate yard congestion. Port capacity and developments so far have been unprecedented, with the Hambantota International Port (HIP) recording its highest single-vessel container volume (13,260 TEUs) on the MSC Marie Leslie in April 2026. The Colombo West International Terminal (CWIT), a joint venture involving India’s Adani Ports, is accelerating development to increase capacity by late 2026, ahead of its 2027 deadline. While some carriers are returning to the Red Sea, continued instability in the region due to the Middle Eastern conflict has caused a structural shift in shipping patterns, placing high demand on Sri Lankan terminals as a transshipment hub. The overall situation indicates that while Sri Lanka is successfully positioning itself as a major Indian Ocean logistics hub, it faces severe operational and bureaucratic bottlenecks in handling the increased traffic.

The challenge for the government is to assess whether equipment shortages and/or lack of skilled management expertise are causing port congestion, and if so, what measures should be taken to address these as a matter of priority, as its goal of Sri Lanka being a major Indian Ocean hub may be impacted.

In terms of the three IT-related issues, the two Commercial Bank-related issues (the scams at the NDB and the one at the Commercial Bank) are not directly related to the government, but possibly to monitoring shortcomings at the Central Bank, which is independent of the government. It certainly appears that the monitoring measures and IT guardrails to detect and prevent scams have not been as effective as they should have been, both within the two institutions concerned and within the central bank. However, as investigations are ongoing, speculation will not assist them, but clarity on this serious matter will have to be considered very urgent, as the potential damage to confidence in these institutions could otherwise become irreversible.

The challenge for the government (more so the central bank) is to take all possible measures, including obtaining international technical expertise to investigate, strengthening measures if necessary through legislation, and introducing more foolproof guardrails in all banks so that recurrence of these scams will not happen, and if any attempts are made by cybercriminals to hack systems, they will be detected before it is too late. Besides this, punishment for convicted offenders should be made extremely severe so that would-be criminals would think twice before committing such acts.

What is very concerning, and perhaps most serious, is the theft of USD 2.5 million from the government’s own external resources entity, which is inseparable from the treasury itself. To the best of the writer’s knowledge, based on publicly released information so far, it appears that a serious management shortcoming contributed to the eventual cyber theft. This is the apparent failure of the external resources/treasury to have sought an acknowledgement from the recipient of the funds, the Australian government, back in January when the transfer was supposedly made. Had the treasury assumed that the funds had been transferred on the due date, surely an acknowledgement should have been sought as a matter of routine, or there should have been a management mechanism to identify funds that had to be transferred by a due date but were not actually transferred, which would have prompted investigations into why the transfer had not taken place. On the face of it, it appears that there had been a clear management failure.

Impact on investor confidence

As mentioned earlier, besides the loss of money, which may be totally or partially recovered, what would be difficult to recover would be the dents in investor confidence when Sri Lanka desperately needs direct foreign investment to boost the economy. The IT-related scams will result in the erosion of trust in digital finance.

Cyber-enabled fraud, which has tripled recently, erodes trust in the digital channels that modern financial systems rely on. When scams are perceived as widespread, investor trust in digital services decreases, making it harder for financial institutions to maintain confidence. There would be reduced foreign direct investment (FDI), as countries with poor cyber guardrails run the risk of being characterised as having weak governance and not giving top priority to combating cybercrime, thereby losing their appeal for FDI, as multinationals take risk-avoidance measures and limit their exposure to such hazards. Significant breaches could prompt firms to relocate to jurisdictions with higher security standards. Even if governments are not necessarily weak, investors will view large-scale scams as evidence of inept management or severe operational vulnerabilities within institutions, including the central bank. In addition, the high cost of remediation, along with potential legal and regulatory fines, could impair institutions’ ability to operate efficiently, making them less attractive to investors.

From the country’s perspective, a national economy suffering from cybersecurity breaches may experience increased equity risk, as potential investors may become hesitant to invest, either making only small investments as a risk-mitigating measure or demanding higher short-term returns. Another serious risk that could arise from widespread digital fraud is the flight of capital, posing threats to economic stability.

fDi Intelligence lists the following as key drivers of reduced confidence:
• The adoption of AI and deepfakes by criminals makes scams harder to detect, leading to prolonged periods of risk for institutions.
• In some instances, regulations requiring data to be stored locally can heighten a country’s attractiveness as a target for cybercriminals, inadvertently raising risks for foreign investors.
• Foreign investors may find their local partners or suppliers to be the “weakest link,” exposing the overall investment to contagion risks from weak local cybersecurity.

In conclusion, the following conclusion from a ResearchGate paper titled Economic Impact of Financial Scams on Emerging Economies: A Legal Review is quoted here as it summarises the potential fallout from scams that are becoming quite widespread globally:

“The rapid advancement of technology has led to significant changes in the global financial landscape. The rise of digital transactions presents new opportunities for financial inclusion and economic growth, but it has also led to a surge in financial fraud (Lakew & Azadi, 2020). Financial frauds exert extensive and diverse economic impacts on developing nations. Financial fraud undermines economic stability, distorts markets, and erodes trust in financial institutions (Sajid et al., 2023). The inadequacy of legal and regulatory frameworks in numerous emerging nations has exacerbated the problem further. Mitigating the economic impact of financial fraud relies on robust legal and regulatory responses. This encompasses the enhancement of national legal frameworks, the augmentation of regulatory oversight, the promotion of international collaboration, and the empowerment of consumers through protective measures and education (Babu & Xavier, 2015). The convergence of information technology and financial services has propelled the growth of financial technologies, necessitating legislative reforms to address the interplay of financial products, services, technologies, risks, and institutions (Tritto et al., 2020).”

One hopes that the government has taken heed of the urgency to strengthen all avenues that pose threats to cyber fraud, address management shortcomings via legislation if need be, and treat this as a matter of utmost priority, while taking the public into confidence by providing open, consistent, and accurate updates on the issues concerned and preventing speculation arising from gaps between what is known and what is disclosed. At present, speculation appears to be ahead, and its proliferation on social media seems to be gaining a foothold regarding the government’s ability to meet these and similar major challenges.