CONTACTS: +254 726879488 (Mobile)
+254770 455 116 (Office)
Kenyan Banks and mobile money firms will from October be required to report to the Central Bank of Kenya (CBK) with information on cyber-attacks on a real-time basis – within two hours precisely of a cyber-fraud incident.
The banking regulator said the move is aimed at addressing cyber fraud.
The guidelines on cyber-security for payment service providers that became effective this month require firms with systems that clear huge amounts such as bank-to-bank transfers to immediately file reports.
Firms with systems that move huge volumes of cash such as mobile money will also be required to file a preliminary report.
CBK noted that banking systems that it referred to as Systemically Important Payment System (SIPS) were sensitive and their failure ‘could potentially endanger the operation of the entire economy.’
The failure of mobile money platforms or System-Wide Important Payment Systems ‘could also create disruptions due to a large number of users relying on the system, thus affecting public confidence’.
“PSPs should notify CBK within 24 hours, and SWIPS and SIPS within two hours, of any cyber-security incident(s) that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition… this should be followed by a comprehensive report on the incident,” reads CBK guidelines, which PSPs have 90 days to implement.
The Central Bank of Kenya and the Bank of Mauritius held a brainstorming session on Friday May 10, 2019, with a view to enhancing cooperation between the two central banks. Governor Dr Patrick Njoroge headed the delegation from the Central Bank of Kenya. Governor Yandraduth Googoolye led the discussion from the Bank of Mauritius perspective.
The central banks exchanged views on banking sector matters, fintech developments, AML/CFT issues, and challenges of relevance to Kenya and Mauritius.
They shared their experience on the current regulatory framework. The two institutions also closely examined areas of cooperation across a broad range of central banking issues where they can benefit from knowledge transfer.
These include the conduct of joint inspections and information sharing, reserves management, auction of government securities, payment systems and fintech. The holding of joint seminars on areas of mutual interest was also one of the key themes on the agenda.
Testimony to the strength of their collaboration, and the progress made during the discussions, the Bank of Mauritius and the Central Bank of Kenya will be meeting in the near future for another work session.
The two institutions are eagerly looking forward to jointly elaborating and implementing cybersecurity protocols as well as currency management systems.
At the end of the brainstorming session, Bank of Mauritius Governor Yandraduth Googoolye shared his appreciation regarding the spirit of close partnership between the Bank of Mauritius and the Central Bank of Kenya.
“This work session has enabled both central banks to fine tune and agree on a number of important elements for closer and stronger cooperation. This translates the cordial relationships that the Bank of Mauritius has been maintaining with the Central Bank of Kenya. It also underscores our respective ambitions to stand as beacons of central banking and governance in the region.”
The guidelines’ purpose outline the minimum requirements that PSPs shall build upon in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk.
The move will among other factors create a safer and more secure cyberspace ‘that underpins information system security priorities, to promote stability of the Kenyan payment system sub-sector, establish a coordinated approach to the prevention and combating of cybercrime, as well as up calling the identification and protection of critical information infrastructure.’
Over the year’s cyber threats has remained a global threat with many companies playing victim to the worrying trend. The threat exposes many companies even with the most reputable and stable security features, institutions and co-operative societies to the risk losing billions of shillings with the banking sector most targeted industry followed by government institutions.
In Kenya for instance, by Communications Authority of Kenya (CA) shows that nearly all cyber threats and attacks that were detected between July and September last year went unresolved with the authority’s first quarter report for 2018/19 showing that the National Cybersecurity Centre detected 3.82 million cyber threats, which was a jump from 3.46 million the institution reported between April and June of 2018.
In May 2018 the Kenyan government signed the Computer and Cyber Crime Act into law this despite an existing law, the Information Communication Act and the Penal Code and its regulations already criminalized several cybercrimes. It could have instead been amended according to analysts to, for instance, increase the penalties for certain crimes. Kenya is a polarized country especially during election times.