Kenyan banks are expected, within two months, to compile and file detailed reports with the Central Bank of Kenya (CBK) on their approaches to tackling cyber security threats. The financial services sector regulator said that the move is intended to increase the industry’s stability as the application of digital technology increases.
“All institutions are required to submit their cybersecurity policy, strategies and frameworks to the Central Bank of Kenya by August 31, 2017,” said a preliminary guidance note on cyber insecurity. The move by CBK comes amid increased threats to local and international business, as cyber-crime activities exploit loopholes in IT infrastructures, sabotaging service providers, stealing funds and demanding ransoms.
Under the newly publicized requirements, lenders will have to prioritize cyber security at the management and board levels. The new laws are expected to give an incentive for the hiring of cybersecurity expertise, including chief information security officers (CISOs), with the aim of fighting cyber threats.
“CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe. Therefore, CBK mandates all institutions to review their cyber security strategy, policy and framework regularly based on each institution’s threat and vulnerability assessment.”
The Kenyan economy has experienced increased interconnectedness, which allows users to send and lend money through the Internet and mobile banking, among other digital channels. Local banks and businesses have not yet suffered major cyber-attacks, and this puts them at elevated risk levels.
The CBK insists that banks should focus more on cyber security, thus forcing institutions to allocate funds for cyber-threat management. “Ensure the provision of a sufficient number of skilled staff for the management of cybersecurity, who should be subjected to enhanced background and security checks,” reads a section on the actions required of senior managers.
In addition, bank chief information security officers will have to test disaster recovery options regularly and continuously to ensure that banks can sustain their operations should cyber-attacks take place. Board members are also expected to spearhead awareness of the risks associated with technology in their institutions and ensure that cyber-security policies are implemented across all units of their organizations.
In May, Russian banks were among the worst-hit victims of cyber-attacks in which malware dubbed WannaCry infected computers and encrypted crucial files. To have their data decrypted, victims had to pay the ransoms demanded by the malware. The malware spread across more than 150 countries worldwide.