Banks to adopt new cyber security rules in November

Central Bank Governor Patrick Njoroge. file photo | nmg

The Central Bank of Kenya says commercial banks are expected to begin implementing the new cyber security guidelines by November 30, following the conclusion of a consultative process that began in mid-June.

CBK governor Patrick Njoroge said the guidelines have been embraced by chief executives of financial institutions in their feedback, which was received by the August 31 deadline.

The Guidance Note is meant to mitigate the growing risk of cyber-attacks in the face of the increasing exposure of banks, which have invested heavily in digital banking channels.

“(The guidelines) have now been commented on, revised and issued for implementation. It is in November that we need to ensure they have done that (implemented the guidelines),” Dr Njoroge said.

“These guidelines have been received very favourably by all the institutions. We need to ensure they have done all that we have prescribed.”

The lenders, as a minimum requirement, have been ordered to formulate a documented policy, strategy and framework to fight the multi-billion-shilling cyber security threat at the company level and in its subsidiaries.

Senior levels

The note further requires the banks to elevate chief information security officers to a senior managerial level to enforce cyber security policy and oversee implementation of the strategy.

The CBK argues in the note that this will create an “organisational culture of shared cyber-security ownership” within the institution.

“It is not just the bank CEOs that have welcomed the guidelines but actually the much wider community. I would add that this is one of the areas where in the continent we (Kenya) are leading in terms of modern cyber-security guidelines,” Dr Njoroge said.

Consultancy firm Deloitte, in a global report in February, estimated that Kenyan firms lost Sh17.59 billion ($171 million) to cyber criminals in 2016.

Banks, which rarely make cyber-attacks public in order to safeguard public confidence, are required under the guidelines to report such incidents to the CBK within 24 hours of occurrence.

Growing risk

The regulator, in its 2016 annual report, warned of a growing risk of cyber-attacks for banks.

“With increased use of ICT there have been increased cases of ICT related frauds in the recent years,” the CBK said.

“As a result, there is an urgent need for the banking sector management to ensure increased use of computer-based transaction process is matched with effective controls.”