Central Bank of Kenya mandates robust cybersecurity across banks in Kenya by 30th Nov, 2017

The Central Bank of Kenya (CBK) recently issued a guideline to all commercials banks across Kenya to fortify their cybersecurity and establish effective cybersecurity governance and risk management. The CBK acknowledged the growing risk of cyber threats and highlighted the debilitating impact of cyber-attacks on financial institutions.

A report published in 2016 highlighted the estimated cost of cyber-crime in Africa being close to $895Mn with Nigeria being the topmost at $550Mn and Kenya holding the second position at $175Mn followed by Tanzania, Ghana, and Uganda.

The primary purpose of the issued guideline was to create a safer cyberspace to ensure the stability of Kenyan banking sector and instilling confidence of the public in their financial system. The CBK emphasizes the need to focus on evolving cybercrimes, the need for protection of critical IT infrastructure, promoting and adhering to excellent cybersecurity standards and building of both, capability and capacity to tackle cyber threats.  For the same, it has mandated all banks to draft and submit their cybersecurity policies by November 30, 2017. It is expected from the banks that they must adhere to, at least, the minimum standards that have been provided in the CBK guideline for cyber governance and cyber risk management.

CBK Guidelines: All you need to know

The guidelines issued by CBK mentions that “the board of directors and senior management of an institution are expected to formulate and implement cybersecurity strategies, policy, procedures, guidelines and set minimum standards for an institution.” Refer

Here are a few aspects highlighted in the CBK guidelines given to Kenyan banks.

1. Governance: A top-down approach with Board of members understanding the business impact of cyber threats and working towards a cybersecurity awareness culture to mitigate risk is a major step towards cybersecurity of a company. Further, the senior management should implement the strategy with relevant policies and supporting framework. It also involves hiring the right talent and also creating security specific roles like the Chief Information Security Officer (CISO).

2. Regular independent assessment and test: Auditing is an important aspect of ensuring that the cybersecurity strategy is put into action and is up to date as per plans. This requires internal auditing, risk management, and external auditing. Cybersecurity experts should be hired/ involved to conduct these assessments regularly.

3. Outsourcing: While it is a norm these days to work with outsourced agencies, vendors and cloud operators to reduce costs, these external connections are a huge threat to the cyber safety of banks. It is thus important to ensure stringent security policies regarding these external agencies/partners. CBK has mandated that banks ensure the security compliance of these third parties as per legal and regulatory framework.

4. Training/Awareness: Top-most levels of security cannot be achieved without every employee being a part of this phenomenon. It is thus important to have security training and awareness programs to cover the lowermost level of the organizational The same, if need be, should be extended to partners, suppliers, vendors and even customers.

What measures should be taken now?

The Central Bank of Kenya (CBK) guidelines requires organisations of all sizes to adopt a new set of processes and policies to fortify their cybersecurity. Much of this will involve updating systems to accommodate these new guidelines, and training staff. Other steps involve practical measures, such as employing robust cybersecurity solutions to mitigate the risk of cyber-attacks on financial institutions. With over 8 million licenses across 80 countries, Seqrite has been helping organisations bolster their cybersecurity with its comprehensive security solutions. Seqrite offers security solutions to enterprises covering them from all cyber threats that loom large over a company’s horizon. With an extensive experience, Seqrite has a plethora of solutions that fit the need of any organization irrespective of its size, location or business nature. Seqrite is equipped to handle your organisation’s transition as per the new guidelines in a simple and effective manner.

If you are looking for a security partner who can ensure complete protection of your assets and establish seamless operations as you amp up your company’s cybersecurity, Seqrite is the right choice to make.