When Reform Outpaces Readiness

The recent “money hacking” incident at Sri Lanka’s Finance Ministry has cast a long and uncomfortable shadow over the government’s reform narrative. It is not merely the breach itself that alarms, but its timing—coming in the wake of the Central Bank of Sri Lanka’s press release formally transferring public debt management responsibilities to the Finance Ministry. What was projected as a structural reform aligned with international best practice now risks being viewed through a harsher lens: was the transition executed with sufficient professionalism and preparedness?
The Central Bank’s announcement marked a significant institutional shift. Public debt management—long housed within the relative technocratic insulation of the apex monetary authority—was moved to the Finance Ministry to ensure closer coordination with fiscal policy. In theory, the rationale is sound. Debt management, after all, is inseparable from budgetary strategy, revenue mobilisation, and expenditure planning. Many countries have adopted similar models, often under IMF guidance, to streamline fiscal operations.
Yet, such transitions are not merely administrative. They require a deep reservoir of technical capacity, systems integrity, and risk management frameworks. The Central Bank’s press release itself underscored the establishment of a dedicated unit within the Ministry to handle these functions. But the critical question now is whether that unit—and the broader institutional ecosystem it operates within—was fully equipped to shoulder the responsibility.
The hacking incident suggests otherwise, or at the very least, raises doubts that cannot be brushed aside.
Public debt management is not a peripheral function. It involves handling vast flows of money, sensitive financial data, and interactions with domestic and international creditors. It demands not only economic expertise but also cutting-edge digital security. The Finance Ministry’s response, as reflected in its subsequent communication, has been to assure that corrective measures are underway. Professionalism, in this context, is not an abstract ideal. It is about sequencing reforms correctly. There is also the question of institutional culture. Central banks, by design, operate with a degree of independence and a strong emphasis on technical rigour. Line ministries, on the other hand, are often subject to political pressures and bureaucratic inertia. Bridging this cultural gap is as important as transferring functions. 
The timing of the breach, therefore, is more than coincidental. It exposes the vulnerabilities that can emerge when reform is driven by urgency rather than readiness. Sri Lanka, still navigating the aftermath of its economic crisis and operating under an IMF-supported programme, is under pressure to demonstrate progress. International experience offers useful lessons. Countries that have successfully transitioned debt management functions to finance ministries have done so over extended periods, with parallel investments in technology, human resources, and governance frameworks. They have built dedicated debt management offices staffed by specialists. 
Sri Lanka must take heed. The current episode should prompt a comprehensive review of the transition process initiated by the Central Bank’s press release. Were adequate risk assessments conducted before the transfer? Were cybersecurity protocols stress-tested? 
Equally important is the issue of transparency. The public—and indeed, international stakeholders—deserve clarity on the nature and extent of the breach. Vague assurances are unlikely to restore confidence. Detailed disclosures, while uncomfortable, are essential in demonstrating accountability and a commitment to rectification.
This is not an argument against reform. On the contrary, rationalising public debt management and aligning it with fiscal policy is a necessary step. But reform must be grounded in realism. It must recognise the limits of existing capacity and invest in bridging those gaps before assuming greater responsibility. The stakes are high. Public debt remains one of Sri Lanka’s most critical economic challenges. Managing it effectively is central to restoring macroeconomic stability, maintaining creditor confidence, and sustaining the fragile recovery now underway.
In the final analysis, the hacking incident is a stress test of the reform process itself. It challenges the assumption that structural changes, once announced, automatically translate into improved governance. It reminds policymakers that institutions are only as strong as the systems and people that underpin them.
The Central Bank’s press release may have marked the beginning of a new chapter in public debt management. But the events that have followed suggest that the story is far from complete. For reform to succeed, it must move beyond the transfer of responsibility to the transformation of capability. Anything less risks turning well-intentioned policy into a cautionary tale.