Kenyan banks have two months to compile and file with the Central Bank of Kenya (CBK) detailed reports of how they plan to confront emerging cyber security threats.
The CBK, which is the financial services sector regulator, says in an industry guidance note that the move is intended to ensure stability of the industry as it continues to automate its processes.
“All institutions are required to submit their cyber security policy, strategies and frameworks to the Central Bank of Kenya by August 31, 2017,” the draft guidance note on cyber risk says.
“CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe. Therefore, CBK mandates all institutions to review their cybersecurity strategy, policy and framework regularly based on each institution’s threat and vulnerability assessment.”
Under the new requirements made public through a circular on Wednesday, the lenders will be required to place the issue of cyber risk at the board and management level.
The new regulations are expected to spur the hiring of more internet-savvy experts, including chief information security officers (CISOs) dedicated to countering cyber threats.
CBK’s move comes in the wake of increased threats to business on both the local and international fronts as tech-savvy criminals exploit weaknesses in IT systems to steal funds, demand ransom or sabotage corporations.
While local banks and other businesses have not suffered major cyber-attacks, there are fears that growing interconnectedness of the Kenyan economy has brought with it elevated risk levels.
Russian banks, for instance, were among the victims of the computer hostage-taking malware, dubbed WannaCry, which in May extorted money from organisations spread across 150 countries.
Such attacks join the list of Kenyan bankers’ nightmares that have largely revolved around internal and external fraud.
Most banks have sworn to accelerate automation of their services, hoping to reap the double benefit of cost savings and better customer service, a strategy that comes with greater exposure to cyber-attacks.
Money transfer and lending are among the services that can now be accessed through digital channels such as mobile and internet banking.
The CBK wants banks to focus more on this risk at the board and management levels, a demand that will require each institution to allocate a budget for managing cyber threats.
This should add to the costs of compliance after the lenders established administrative structures and processes to implement anti-money laundering laws.
“Ensure the provision of sufficient number of skilled staff for the management of cyber security, who should be subjected to enhanced background and security checks,” reads part of the actions expected of senior bank managers, according to the CBK.
The chief information security officer will, among other duties, continuously test disaster recovery and business continuity plans to ensure his bank can sustain its operations and meet its regulatory obligations in the event of a cyber-crime attack.
Board members are to promote awareness of technology risk in the institution and ensure that their cyber security policy is implemented across the company’s operating units including subsidiaries and joint ventures.