CBK tells Kenyan banks to submit plans to deal with Cyber Security

Cybersecurity is a growing risk area for all businesses in Kenya.

However, they have been concerns of gaps in cybersecurity protection and infrastructure especially within the financial sector.

Banks have become the leading target of cyber crime in Kenya as people increasingly adopt the use of financial technology, according to the Serianu 2016 Cybersecurity Report where the country 175 million USD last year.

“In 2016, we witnessed more advanced attacks in banks mostly perpetrated by insiders, raising the concern that the banking sector is unprepared to deal with insider threats,” Mr. William Makatiani, Serianu Managing Director during a three day forum Kenya school of Internet Governance held in Nairobi.

Joseph Nzano from the Communications Authority of Kenya (CA) disclosed that Kenya is ranking as one of the high sources of cyber attacks. “We need to develop a harmonised framework for internet governance,” he said.

Serianu report discloses that about 44 per cent of financial institutions run on a meagre cybersecurity budget of less than 1,000 USD annually, whilst about 33 per cent of financial institutions in Kenya had no spending on cyber-security.

Currently, most banks are increasingly adopting technology to offer increased access and convenience to customers however, this has also opened the door to increased online security risks.

Central Bank of Kenya (CBK)  says, “It is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe.”

With its cyber security guidelines, “Therefore, CBK mandates all institutions to review their
cybersecurity strategy, policy and framework regularly based on each institution’s threat and
vulnerability assessment.”

“All institutions are required to submit their cyber security policy, strategies and frameworks to the CBK by August 31,” the note said.

“The institutions should also notify the Central Bank of Kenya immediately when it becomes
aware of a cybersecurity incident that could have a significant and adverse impact on the
institution’s ability to provide adequate services to its customers, its reputation or financial
Condition.”

CBK’s Guidance Note outlines the minimum requirements that institutions shall build
upon in the development and implementation of strategies, policies, procedures and
related activities aimed at mitigating cyber risk.