- Urge an assessment review of governance arrangements
The Digital Trust Alliance, a coalition of professional organisations representing cyber security, information systems audit, digital trust, information and communications technology (ICT) governance, and related professional disciplines, as well as certified cyber security professionals, information systems auditors, governance specialists, privacy professionals, cloud security experts, and ICT practitioners, has written to President Anura Kumara Dissanayake on strengthening cyber security governance and the institutional resilience of the Government.
Considering the recent cyber security incidents reported in relation to Government financial systems, it is imperative that Sri Lanka adopts a more robust, structured, and governance-led approach to cyber security across the public sector. Public reporting has referred to the diversion of approximately US$ 2.5 million following a breach of Finance Ministry systems. The incident has raised serious public concern and has highlighted the need for stronger institutional preparedness, clearer accountability, and more resilient cyber governance mechanisms. Cyber security is no longer only a technical concern. It is now a matter of financial integrity, public trust, institutional continuity, and national resilience. Public sector digital systems are becoming more central to economic management and citizen services.
Against this backdrop, the letter proposed a designated Government cyber security governance structure (a formally designated team or committee with the authority, technical understanding, and institutional mandate to receive recommendations, coordinate across agencies, and drive implementation); clear ownership and accountability (cyber security recommendations should be linked to responsible officials or institutions, expected outcomes, and realistic review timelines); a structured maturity and gap assessment (a practical review of current governance arrangements, incident readiness, third-party risk management, payment and communication verification controls, business electronic mail compromise safeguards, and escalation procedures); alignment with recognised cyber security governance frameworks (the engagement may be anchored to globally recognised frameworks such as the National Institute of Standards and Technology Cybersecurity Framework Two, which organises cyber security outcomes across govern, identify, protect, detect, respond, and recover functions); and a focused public-sector cyber security roundtable (convening an initial roundtable with a carefully selected group of senior public officials, cyber security professionals, audit and governance experts, and the relevant statutory bodies).
The letter suggested that the relevant Ministry consider inviting the participation of key institutions such as the Digital Economy Ministry, the Computer Emergency Readiness Team, the Data Protection Authority, GovTech and other relevant agencies whose mandates intersect with cyber security, digital governance, financial systems, and public-sector accountability. “The Government would benefit from appointing a designated senior point of contact and identifying a small implementation-focused team,” the letter further read.