Stima DT Sacco leads the fight against cyber risk

Stima DT Sacco is ramping up its cybersecurity efforts amid rising threats, with experts consistently warning that a serious cyber-attack could cripple financial infrastructure, block transactions, and spark public panic.

The Communications Authority of Kenya (CA) says the danger of cybercrime and security breaches looms over several Kenyan businesses like a slow-moving storm.

In fact, the country’s ICT regulator noted that in 2023 alone, between October and December, ransomware actors intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools, and government agencies, detecting over 1.2 billion cyber threat events, which represented a 943.01% increase from the 123 million threat events detected in the previous period (July to September 2023).

It attributed that rise to enhancement of “our cyber threat monitoring capabilities and the existence of vulnerable systems due to system misconfigurations.”

CA also found that malware propagation surged during that period, infiltrating systems with harmful software, while phishing attacks became even more prevalent, targeting unsuspecting users through deceptive emails and websites.

The authority, in its findings, also noted that hackers commonly target to steal user logins, credit card credentials, and other types of personal and financial information, as well as gain access to private databases – a common leitmotif, judging by the worrying tendency, may well persist.

It is against this backdrop that Stima DT Sacco management says it is moving with speed to help mitigate some of these attacks “before they even happen” in an effort to protect its members’ savings and data.

“Risk management is in our DNA,” offered Sacco’s Chief Executive Officer, Dr. Gamaliel Hassan.

Operationally, the Sacco says it continues to offer 24/7 call center support to assist members experiencing digital-access or security-related challenges, enabling rapid reporting and response.

“Importantly, no data breaches have been recorded this year, underscoring the effectiveness of Sacco’s proactive approach to cybersecurity governance,” said Hassan in his investor briefing last week, which took stock of Sacco’s 2025 financial performance, adding that there were no regulatory data audits conducted between 2024 and 2025.

However, the Sacco noted that eight internal data protection audits were carried out during this reporting period to assess the Sacco’s compliance with data protection requirements across its operations, processes, and third-party and employee relationships. The audits also reviewed projects under implementation, as well as emerging technologies, to ensure adherence to the privacy-by-design principle.

“The main area of concern identified related to the management of data processors, particularly ensuring that service providers with access to personal data consistently implement adequate measures to protect the Sacco’s data,” said the firm in its financial statement’s report.

Stima is implementing mechanisms to strengthen vendor oversight and ensure full compliance with data processor obligations. “Other non-material gaps identified during the audits have either been addressed or corrective actions are underway,” it noted.

In 2025, the institution noted that no data breaches were recorded. However, there was an increase in phishing attacks, about 3596 attempts last year, countered through continuous training and attempted cybersecurity attacks that were prevented through robust cybersecurity mechanisms. This was an increase from 3,334 attempts a year earlier.

SIM-SWAP as a threat case 

Stima says it recorded 53,655 attempts last year, compared to 47,920 attempts it reported in 2024. What’s more, last year, the Sacco did not encounter any SIM-SWAP-related challenges in comparison to the 21 SIM-SWAP-related fraud cases it recorded in 2024.

“Through these measures, the Sacco reaffirms its commitment to safeguarding member information, enhancing digital trust, and maintaining robust data-protection practices as it expands its digital ecosystem,” affirmed its management.

In 2024, CA noted that SIM swap fraud had become a rapidly growing criminal industry in Kenya, with cases surging in 2024-2025, often orchestrated by organized syndicates based in regions like Mulot, Bomet County. These gangs use social engineering, stolen ID data, and collusion with rogue agents to clone SIM cards, allowing them to drain bank accounts and mobile wallets.

In response to this growing threat, the African Union launched the Africa Cybersecurity Strategy, which aims to strengthen the region’s cybersecurity capabilities and enhance cooperation among member states.

One key solution to addressing Africa’s cybercrime and SIM swap threats is the implementation of an Identity Verification (IDV) system.

IDV is a process of verifying the identity of individuals through various means such as biometrics, document verification, and knowledge-based verification. By implementing a robust IDV system, African countries can effectively combat cybercrimes and SIM swap attacks by ensuring that individuals are who they claim to be when conducting online transactions or accessing digital services.

IDV can be used to verify the identity of individuals during online account registration, login, and transactions, thereby reducing the risk of identity theft and fraud.

An inclusive digital identity approach can open doors to critical government services such as labour markets, government benefits, and financial services without the risk of impersonation or fraudulent funding. This extends to those with limited ability to engage in the digital world.