By: Staff Writer
June 09, Colombo (LNW): A multimillion-dollar cybercrime targeting Sri Lanka’s debt payment system has emerged as one of the most closely watched financial security incidents since the country launched its historic debt restructuring programme, raising critical questions about cyber resilience in sovereign debt management.
The case centres on the disappearance of US$2.5 million earmarked for debt servicing obligations owed to Australia. Investigations indicate that cybercriminals manipulated payment instructions, causing funds to be transferred to unauthorised accounts before reaching the intended creditor.
Although the incident triggered a technical breach under Sri Lanka’s IMF programme, international lenders have largely accepted the government’s argument that the payment failure resulted from criminal interference rather than financial distress.
The IMF’s latest review confirms that Sri Lanka failed to observe the continuous performance criterion on new external payment arrears from November onward because of the cyberattack. Under normal circumstances, such a breach could jeopardise programme reviews and future disbursements.
However, the Fund concluded that the authorities had acted in good faith and had demonstrated a clear intention to make the payment. As a result, the IMF Executive Board granted a waiver of non-observance, recognising that the arrears emerged from extraordinary circumstances beyond the government’s control.
The arrears can only be formally cleared after parliamentary approval of a supplementary budget to accommodate the additional debt service payment. Until then, authorities are working closely with Export Finance Australia and debt restructuring advisers to determine the most appropriate accounting treatment for the stolen funds.
The incident has also prompted a broader reassessment of financial-sector cybersecurity safeguards. The IMF warned that cyberattacks on critical physical and digital infrastructure represent an increasing threat to economic stability. Such attacks can interrupt payment systems, disrupt financial markets, delay public services and encourage precautionary behaviour among investors and market participants.
To address these vulnerabilities, Sri Lanka has committed to implementing a comprehensive package of reforms. New debt payment Standard Operating Procedures developed with IMF technical assistance are scheduled for full implementation by June 2026. These procedures introduce multiple layers of verification and approval for payment instructions.
A major component of the reform effort is the launch of the Meridien Debt Management Information System. Scheduled to become fully operational by August, the platform will provide automated verification of account information, payment amounts and creditor details, significantly reducing opportunities for fraud and human error.
Despite the cyber setback, Sri Lanka’s debt restructuring programme continues to advance. Public Debt Management Office figures show external debt declining to US$37.47 billion by March 2026. China remains the country’s largest bilateral creditor with nearly US$5 billion in outstanding exposure, followed by Japan and India. Among multilateral lenders, the Asian Development Bank remains the largest creditor, followed by the World Bank and the IMF.
Economic analysts note that the IMF’s decision to grant a waiver sends an important signal to international investors that Sri Lanka’s restructuring momentum remains intact. The episode has highlighted cybersecurity weaknesses but has not derailed the country’s broader effort to restore debt sustainability, rebuild market confidence and normalise relations with external creditors after the sovereign debt crisis.