By: Staff Writer
June 18, Colombo (LNW): The alleged cyber theft of more than US$ 2.5 million from Sri Lanka’s Treasury has triggered renewed questions about institutional accountability during one of the most sensitive reforms in the country’s public finance administration—the transfer of debt servicing responsibilities from the Central Bank to the newly established Public Debt Management Office (PDMO) under the Treasury.
The controversy has intensified following demands by the Free Lawyers Association (FLA) for a Parliamentary Select Committee to investigate the incident, which occurred during the transition period when debt management functions were being shifted between institutions. The lawyers argue that the cyber heist has exposed serious weaknesses in governance, coordination and oversight within both the Treasury and the Central Bank.
According to the Association, the stolen funds were allegedly transferred to a bank account maintained by a company identified as Mish Global LLC at TD Bank in the United States. The organisation claims the funds may still be traceable, raising questions about the speed and effectiveness of the official response.
More troubling, however, are the inconsistencies that have emerged regarding the value of the loss. While public disclosures have cited a figure of US$ 2.5 million, references by the Auditor General reportedly indicate a significantly smaller amount. The discrepancy has fuelled concerns that key institutions responsible for public debt operations may not possess a complete understanding of the incident.
The timing of the cyberattack has become central to the accountability debate. The transfer of debt servicing functions from the Central Bank to the Treasury represented a major structural reform intended to strengthen public debt management and improve transparency. Yet critics argue that operational responsibilities may have been shifted before adequate safeguards, procedures and regulatory frameworks were fully established.
The FLA alleges that debt settlement activities had already commenced before all regulations governing the Public Debt Management Office had been finalised. If accurate, such claims raise concerns about whether operational readiness assessments were conducted before critical functions were transferred.
Questions have also been directed at coordination mechanisms between the Treasury and the Central Bank. During any institutional transition involving financial transactions worth billions of dollars, responsibilities for cybersecurity, payment verification, authorisation protocols and risk management must be clearly defined. The cyber breach suggests potential gaps in those arrangements.
Equally concerning is the apparent absence of public accountability after the incident. Parliamentary oversight committees, including the Committee on Public Finance and the Committee on Public Accounts, have reportedly examined the matter but have yet to release findings or recommendations.
As Sri Lanka seeks to rebuild confidence in its public financial management systems following its economic crisis, the cyber heist represents more than an isolated security breach. It has become a test of whether institutions entrusted with managing sovereign debt can demonstrate transparency, competence and accountability when failures occur. The calls for a Parliamentary Select Committee reflect growing pressure for answers on who was responsible, what safeguards failed, and whether the transition to the new debt management regime was executed with sufficient preparation.