Skip to main content

Kenya's Central Bank Introduces Cyber Security Regulations for Payment Service Providers

N

Nyakundi Report

Newsroom 2 min read

This archive report was first published on 18 July 2019.

On July 18, 2019, the Central Bank of Kenya (CBK) published new cyber security regulations aimed at protecting the country's economy from cyber threats.

The regulations require Payment Service Providers (PSPs) that handle large value and high volume transactions, such as banks, to report critical cyber attacks within 2 hours from October 2019.

For retail payment service providers like M-Pesa, which are widely used by Kenyans, the reporting time frame is also 2 hours. Other PSPs will have 24 hours to report attacks.

As part of the regulations, PSPs will be required to submit a report detailing the occurrence and handling of cyber security incidents to the CBK.

Additionally, PSPs will need to submit their Cyber Security Policy, Strategies, and Frameworks to the CBK by December 31, 2019. Banks, however, will not be required to submit their documents on this date as they are licensed under the Banking Act.

According to the guidelines, PSPs are required to review their cyber security strategy, policy, and framework annually based on each PSP's threat and vulnerability assessment.

External auditors will also be required to report threats and cyber security strategies to the CBK annually.

The regulations also require PSPs to notify the CBK of their intention to outsource functions, services, and infrastructures at least thirty days before such outsourcing agreements are executed.

The move comes in the backdrop of a report by Microsoft, which states that the Kenyan economy lost Ksh29.5 billion to cyber crime in 2018.

Be the first to react

Support

Support this reporting

M-Pesa support recorded against this story.

Send support →

Stay close

Get the briefing

Major updates by email. No spam.

Get email brief →

Share

Save share card

Download a clean portrait card for sharing.

Save image →