Kenya banks, telcos to file cyber security rules

Monday August 27 2018

A Caucasian hacker with balaclava. Kenya lost at least $210 million to cyber criminals last year, according to the Africa Cyber Security Report 2017. FILE PHOTO | NATION


The Central Bank of Kenya has directed payments service providers to deposit their cybersecurity policies with it before the end of this month, as part of the government’s plan to tighten financial security amid increasing cyber-attacks.

The directive came just weeks after some banks in the country reported cyber-attacks in which they lost close to $1 million, after their third-party payments contractors’ platforms were compromised.

With the new guidelines, Kenya is seeking to fine-tune its financial security regulations like some of its regional peers.

Uganda, which in 2009 established the National Information Technology Authority-Uganda to co-ordinate and regulate information technology services, is already ahead of its regional peers.

The country has established the National Computer Emergency Response Team and Co-ordination Centre to support centralised responses to cyber-related incidents.

Kampala is also developing a financial cybersecurity strategy, and using the Electronic Transactions Act to promote security in the financial services sector.


Tanzania has the National Payment Systems Act 2015, which regulates payments service providers.

The Act was preceded by the Electronic Payment Scheme Guidelines.

There has been a noted increase in cyberattacks targeted at financial institutions in the region.

Two months ago, Serianu, an information technology services and business consulting firm, released the Africa Cyber Security Report 2017, which showed that the region lost $394 million last year to cyber criminals.

Kenya lost at least $210 million, followed by Tanzania at $99 million and Uganda at $85 million.

Now, the Central Bank requires payments service providers, including mobile money networks and fintech firms, to notify it of all cybersecurity incidents, to help it ensure sound, secure and efficient national payments system and cut down on fraud.

“The payments service providers should notify the Central Bank of Kenya within 24 hours of any cybersecurity incident(s) that could have a significant and adverse impact on the their ability to provide adequate services to their customers, its reputation or financial condition,” the CBK said.

“The purpose of this is to create a safer and more secure cyberspace that underpins information system security priorities, to promote stability of the Kenyan payments system sub-sector; establish a co-ordinated approach to the prevention and combating of cybercrime.”

Protection of critical data

Kenya hopes to improve the identification and protection of critical information in order to maintain public trust in the national payments system.

“The board of directors and senior management of payments service providing institutions are expected to formulate and implement cybersecurity strategies, policies, procedures, guidelines and set minimum standards set for the institution. All these must be documented and made available for review by external auditors and CBK,” the regulator said.

Kenyan institutions have recently experienced increased hacking and payments fraud, coupled with cyber-attacks on organisations’ information systems, which, the CBK says, have now placed the abuse of cyberspace high on its agenda.

The regulator says the financial sector is grappling with breach of institutions’ databases, unauthorised access to privileged accounts and people-related attacks like phishing, malware introduced through social engineering.

The regulations require firms to hire chief information security officers.

“As cyber-attacks evolve, one of the modern strategic measures globally accepted and acknowledged is the introduction of the role of the chief information security officer.

“Where this is applicable, the institution should determine the best reporting option of the CISO depending on factors such as the institution’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines,” the CBK said.

The recent Kenya Financial Transaction Fraud study by Myriad Connect linked the increase in financial fraud to the rapid adoption of technology in the country’s financial market.

“While financial service transaction fraud is a global issue, Kenya has been a leader in the adoption of mobile and digital payments, which unfortunately brings with it a growing risk of fraud.

“The financial service transaction fraud in Kenya is costing banks millions of dollars and customers their life savings,” said Fabien Delanaud, Myriad Connect general manager, at its launch in July.

In September 2017, PesaLink, an integrated payments service provider jointly owned by banks, said it had fended off a hacking attempt into its real-time gross settlement channel.

Kampala is expected to host the regional Cyber Defence Conference early in September, it will focus on how the five East African Community member states can prepare for cyberattacks.