Elevating cyber crime war to board level a great step

On June 22, 2017, the Central Bank of Kenya (CBK) issued a draft guidance note on cyber risk. Section 33(4) of the Banking Act empowers the banking regulator to issue guidance notes to its licensees.

This inevitably means that all banks licensed under the Banking Act fall under the scope of this guidance note.

A 2016 report by Serianu revealed that Kenya lost $175 million to cybercrime, with the banking sector being one of the most exposed.

The CBK therefore, through this note, seeks to set minimum standards that institutions will need to adopt in order to effect adequate cybersecurity governance and risk management mechanisms.

In a nutshell, the CBK draft guidance note is taking the responsibility of cyber crime away from the IT department to make it an organisational and governance concern.

The draft CBK guidance note clearly provides for the role of internal and external auditors in conducting regular independent assessments within the organisation.

The aim is to ensure that organisations stay abreast of the ever-changing cyber threat landscape.

Furthermore, institutions that fall under the scope of the CBK will need to ensure that they regularly offer training and awareness exercises to the board of directors, senior management and all other employees in the bank.

According to the guidance note, institutions will be required “to notify the central bank immediately when it becomes aware of a cybersecurity incident that could have a significant and adverse impact on the institution’s ability to provide adequate services to its customers, its reputation or financial condition.”

This will be crucial, as banks will now be faced with the reputational risk of cybercrime if they suffer a service disruption and have to report it to the central bank. Banks failing to comply with this requirement could also face regulatory liability from the CBK.

The CBK will also require that licensees submit their cyber security policies, strategies and frameworks, failing which they may face penalties for non-compliance.

What does this mean for your organisation?

For the first time ever, banks will need to ensure that cyber risk is addressed at the governance level, which will require the participation of senior management as well as the board.

A top-down approach to enforcing security in the banks will elicit the best results in such an initiative.

Training and awareness exercises, soon to be mandatory for all employees, will also introduce a “human firewall” that will significantly reduce the exposure to cyber risk.

Although this note will only apply to banks, it ought to act as a guide for other sectors. Cyber security today is not just a technical issue but a business and governance challenge.