With increasing fears that cyber attacks pose a huge threat to Kenya’s economy, The Central Bank of Kenya (CBK) has published new cyber security regulations that will require Payment Service Providers (PSPs) that move large value and high volume transactions like banks to report critical cyber attacks within 2 hours from October this year.
The new regulations also require retail payment service providers used by many Kenyans such as M-Pesa to report these attacks within two hours of occurrence while all other PSPs will be required to report attacks within 24 hours.
PSPs will also be required to furnish CBK with a report of these attacks detailing occurrence and their handling of cyber security incidents.
Further, PSPs will also be required to submit their Cyber security Policy, Strategies and Frameworks to CBK by December 31, 2019.
Banks will not be required to submit their documents on this date as they are licensed under the Banking Act.
“CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe. Therefore all PSPs are required to review their cyber security strategy, policy, and framework annually based on each PSP’s threat and vulnerability assessment,” read the guidelines.
Conversely, external auditors will also be required to report threats and cyber security strategies to CBK annually.
PSPs will also be required to notify CBK of the intention to outsource functions, services and infrastructures at least thirty days before such outsourcing agreements are executed.
This comes in the backdrop of the release of a report by Microsoft which states that the Kenyan economy lost Ksh29.5 billion to cyber crime in 2018.
The Microsoft Security Intelligence 2018 warns that as authorities adjust to the recent wave of cyber crime, hackers are becoming more sophisticated and hurting Kenyan businesses as a result.
Another report authored by Pan African cyber security firm Serianu states that Kenya lost Ksh29.8 billion to cyber crime in 2018.