The Committee on Public Finance’s (COPF) investigation into the US$2.5 million cyber fraud that struck Sri Lanka’s foreign debt repayment system is far more than a report on a sophisticated cybercrime. It is an indictment of systemic institutional failure, exposing dangerous weaknesses in governance, accountability, cybersecurity, and public administration at a time when the country was painstakingly rebuilding international confidence through debt restructuring.
Predictably, the immediate response from the institutions involved has been to shift responsibility. The Ministry of Finance argues that the Central Bank of Sri Lanka, as the Government’s banker, should have detected suspicious transactions. The Central Bank insists it merely processed payment instructions originating from the ministry and cannot be blamed for compromised emails. While the Attorney General’s legal opinion largely supports the Central Bank’s position, COPF has rightly rejected attempts by either institution to wash its hands of responsibility.
The committee’s findings reveal that the fraud was never simply about hackers. Cybercriminals merely exploited vulnerabilities that public institutions themselves had created. During the transition to the newly established Public Debt Management Office, there were no clear terms of reference, no measurable training standards, no formal agreement defining institutional responsibilities, and no effective coordination mechanism. Months passed before a Memorandum of Understanding was even signed well after the damage had been done.
Equally alarming are the operational lapses uncovered. Multi-million-dollar foreign debt repayments could be authorised by a single official without independent review. Payment instructions were approved without verifying lender invoices against loan agreements. Officials failed to share critical correspondence during the transition, while separate and outdated email infrastructure within the former External Resources Department became an easy target for cybercriminals.
Perhaps most troubling is the revelation that the Central Bank had flagged one suspicious payment on Anti-Money Laundering grounds, yet the warning was not escalated or acted upon decisively. That missed opportunity alone illustrates how institutional complacency can prove as dangerous as technological weakness.
The lessons from this scandal extend well beyond recovering stolen funds. Sri Lanka’s public financial management framework clearly has not kept pace with modern cyber threats. Financial Regulations dating back to 1992, fragmented digital systems, and blurred institutional mandates are simply incompatible with managing billions of dollars in sovereign debt transactions.
COPF’s recommendations deserve urgent implementation. A comprehensive audit by the National Audit Office, amendments to the Financial Transactions Reporting Act, mandatory cybersecurity standards across government institutions, a secure lender verification database, updated financial regulations, and robust whistleblower protection should no longer be treated as optional reforms.
Sri Lanka cannot afford another governance failure disguised as a cyberattack. Public trust, investor confidence, and the country’s international credibility depend not merely on stronger firewalls but on stronger institutions. Technology may have been the weapon, but weak governance provided the opening. Unless accountability becomes as robust as cybersecurity, the next breach may prove even more costly.
The post Cyber Fraud Exposes Dangerous Accountability Vacuum at State’s Highest Levels appeared first on LNW Lanka News Web.