RESEARCH BRIEF 01/2025
Gefona Digital Foundation
Author: Tomslin Samme-Nlar Series Editor: Tomslin Samme-Nlar
FINANCIAL INCLUSION AND CYBERSECURITY: THE ROLE OF GOVERNANCE IN CONFLICT STATES IN AFRICA
Introduction
The introduction of digital financial services in Africa has been the major driver of significant improvement in financial inclusion observed in the last three decades. Linkages between financial inclusion and ICT development in African countries are evident because smartphones and broadband internet have proven to be necessary for expanding access to safe and affordable financial services such as payments, domestic and international remittances, insurance, credit, and savings. The implementation of fintech ecosystems with affordable digital and innovative financial services depends on governance and the effective implementation of cyber and financial inclusion planning.
It is observed that Africa has an enormous potential for market improvement and financial development. In countries affected by natural disasters and fragile situations such as post-conflict, it is easier to deliver digital financial services (DFS) to remote areas than the alternative. However, adopting financial instruments from digital solutions requires trust in these instruments, guaranteed by the government and specifically by cyber governance. Is there then an influence of governance in the financial inclusion and cybersecurity nexus in fragile and post conflict countries?
Discussion
To help answer the above question and identify cybersecurity governance strategies that contribute to successful digital financial services in conflict states, we studied conflict states that have a thriving DFS like Somalia and those that do not, like Democratic Republic of Congo.
To do this, we developed a framework for comparing good cybersecurity governance between the countries. The framework consists of four measures, which include leadership, legal measures, technical measures, and workforce & education.
Figure 1 Model for Effective Cybersecurity Governance
Using this framework, we assessed and compared Somalia’s governance of cybersecurity against that of Democratic Republic of Congo. Below follows our findings of the comparison.
Leadership in cybersecurity governance includes the issue being approached as a nation-wide strategic issue, involving the executive branch or at least its buy-in, a dedicated state agency responsible for governing cybersecurity and private industry stakeholders.
⮚ Somalia
It is understood that the banking regulatory authority and central bank of Somalia stopped functioning in 1991 and only got reestablished in 2009. In the absence of regulatory institutions, an informal money transfer system ensued based on informal trust systems and traditional networks called the hawala system. This informal system evolved to a formal system called the Dahabshiil system where digital systems were utilized for notifications, but cash was still being used. Not long after, the Dahabshiil system integrated with mobile money systems.
Given the timeline, the private sector led the evolution of money transfer and digital finance evolution in the early days. While this absence of government leadership allowed for innovation in this area to flourish, it made the financial system to be very risky for the users. With no regulation, customers did not feel safe using the system and they also felt it was unreliable. Despite these security concerns, the digital financial system played a key role during Somalia’s 2017 drought where USD $10 million was transferred to one million Somalis within a month through mobile money. In the same year, a Communications Act, which mandates all mobile network operators to link mobile accounts with identification information was passed. The Somali government was beginning to see the issue as a nation-wide strategic issue, an important aspect in cybersecurity governance leadership. Proof of this is also seen in the fact that in 2019, Somalia’s Central Bank decided to work on mobile money regulations. In addition, in 2023, led by the prime minister, the Somali federal government cabinet ratified a new Cybersecurity Act and approved essential regulations governing the National Intelligence and Security Agency (NISA), involving the executive branch and a dedicated state agency responsible for governing cybersecurity to bolster and strengthen the country’s cybersecurity framework.
⮚ DRC
The DRC government that won the 2018 elections made digital economy reforms a top priority. While the top executive office of the state led digitization by making it a priorityhttps://www.zotero.org/google-docs/?AFgXsb, there appears to be no champion, no executive buy-in on cybersecurity, data protection laws or policies and consumer protection and there is no dedicated state agency responsible for cybersecurity. The result of this is that no laws or policies exist in these areas.
Like Somalia, DRC will have to establish a dedicated state agency responsible for cybersecurity to lead and champion cybersecurity governance. This will improve consumer trust and attract new investments in DFS.
⮚ Somalia
The legal aspects of cybersecurity governance in Somalia were largely non-existent except for a section on security in Somalia’s 2020 Mobile money regulation. In 2023 however, the nation signed its cybersecurity bill into force. Prior to this, no law nor policy had governed cybersecurity in the state. There is also no national cybersecurity strategy. While the National Economic Council of Somalia assessed that despite noteworthy progress made by the financial sector in Somalia, it grew unregulated, the growing interest in establishing cybersecurity institutions and framework means some alignment to Atta-Aidoo et al findings that weak institutional capacity leads to weak financial inclusion and DFS.
⮚ DRC
While some progress is being made in increasing DFS in DRC, especially around mobile money and small scale fintechs, unfortunately, this is happening without cybersecurity as no relevant policy, law or regulation exists on cybersecurity.
Looking at Abdi’s findings and how Somalia is ramping up cybersecurity institutional capacity to de-risk DFS and increase economic stability, it would be necessary for DRC to immediately start addressing the cybersecurity aspects of its digital economy plans.
Technical measures include incident response mechanisms often managed by Computer Incident Response Teams, digital identification systems and a public key infrastructure.
⮚ Somalia
While there was no form of an incident response team when digital finance growth exploded in 2017, by 2019, Somalia had formed an incident response team called the Somalia Computer Emergency Response Team/Coordination Center (SomCERT/CC) with the objective of securing Somalia’s cyberspace and providing an official point of contact to handle cybersecurity incidents in the Somali Internet community.
Also, Somalia has implemented a biometric digital identity system, a system that they began developing in 2018. The move certainly improves both security and financial inclusion as digital identity systems are known to be key to financial inclusion and digital financial services as research has found.
Public key infrastructure (PKI), which is essential for digital transactions and trade, is a system of policies, procedures, software, and institutions that manages the authentication, distribution, and revocation of digital certificates. While Somalia has no PKI policy now, many websites and services in the country use free domain validation certificates from the Let’s Encrypt service.
⮚ DRC
The Democratic Republic of Congo has no established Computer Incident Response Team, no digital identification system, and no policy on public key infrastructure. With regards to the digital identification system, it is understood that the DRC launched a biometric identification project in 2023 which is still in progress.
Since studies identify that these measures together are central to financial inclusion and online transactions, and generate trust in DFS, it is no surprise then that Somalia has most of these measures in place. DRC should consider implementing these measures to increase both the uptake and development of DFS.
⮚ Somalia
A study carried out in 2021 shows that cybersecurity awareness is very low in Somalia in both the public and private sectors. Nevertheless, there is an increase in the number of cybersecurity training and awareness being provided by civil society and private training institutions. Institutions like the Somalia Cybersecurity Community have partnered with the government to promote cybersecurity awareness and education in Somalia through training, networking, and advocacy. The Cybersecurity Department in the National Communications Authority also has a mandate to raise public awareness of cybersecurity in the country.
⮚ DRC
In DRC, most of the population is still unable to use ICTs effectively in general, making it even harder for cybersecurity education and awareness. With a deficient post-primary education, DRC faces a double task of both improving the standards of education across the country and ensuring that digital and cybersecurity skills are part of the education system to make it relevant. The shortage in digital skills means that an increasing digital economy will struggle to find a qualified workforce.
Conclusions
From the comparison, we make the following observations: firstly that Somalia has implemented or is developing most of the measures required for effective cybersecurity governance and this appears to have contributed to its thriving DFS.
Secondly, we find that DRC does not have most of the cybersecurity governance measures in place and unlike Somalia, DFS use in DRC is very low and not growing much.
As a result, we make the following recommendations:
Leadership: While it is great that DRC has a plan to digitize its economy by 2025 as outlined in the Plan National du Numérique Horizon 2025 (Democratic Republic of Congo 2019) document and great that high-level leadership exists as the president is the champion of the vision, clear leadership, specifically in cybersecurity which is captured under the Governance pillar is needed to address cybersecurity and its related laws and policies. A dedicated and strong institution or agency is required to clearly define and manage the cybersecurity strategy. A digital economy which is not trusted by users will only delay its usage. Cybersecurity laws and regulations are necessary for the success of DRC’s digitalization plans and a thriving DFS.
Laws and Policies: Laws on Cybersecurity, cybercrime, electronic signature, and e-commerce are required for the safe use of and trustworthy DFS. The absence of such laws undermines the growth and use of digital financial services and electronic transactions in general. Considering that 2024 brings the Plan National du Numérique Horizon 2025 towards the close of the planned period to implement actions captured in the document, DRC should immediately start working on the development of such laws as part of its digitization plans.
CIRTs/CERTs: In a digital economy, both national and sectoral cybersecurity protection and coordination in the event of cyber incidents will be critical. Therefore, we think DRC should prioritize creating at least a CIRT immediately. Especially because the digital economy, including digital financial services, is growing.
Cybersecurity Awareness and Training: Urgency is required in developing a national education strategy which not only addresses the very low literacy levels in the country but also aligns with the DRC’s development strategy and goals. DRC should consider introducing digital skills from primary education.
Further Reading
Samme-Nlar, T., Djamen, B.L. (2026). Financial Inclusion and Cybersecurity: The Role of Governance in Conflict States in Africa. In: Hoven, IG., In, S.Y., Puschmann, T. (eds) Sustainable Digital Finance. Financial Innovation and Technology. Springer, Cham. https://doi.org/10.1007/978-3-032-02983-6_22
Tomslin Samme-Nlar is the research director at Gefona Digital Foundation.
Email: mesumbeslin@gmail.com
Stay Awake and Informed! Subscribe to Gefona’s Newsletter for the Latest Updates on Digital Policy, Tech Education, and Cybersecurity in Africa.
