Banks, mobile money firms to file cyber security reports

By Macharia Kamau | Published Wed, August 22nd 2018 at 00:00, Updated August 21st 2018 at 22:34 GMT +3

Banks and mobile network operators will be required to file cyber security reports with the industry regulator.

The Central Bank of Kenya (CBK) is trying to step up the fight against fraud and aims to get a better view of the new threats that firms are grappling with.

The firms will be required to report within 24 hours of an attack and later file a quarterly report with CBK on the incidents experienced over three months and how they were handled.

This is expected to keep the regulator in the loop on the number and nature of cyber threats facing banking industry players and mobile money operators, as well as inform policy decisions.

Many cyberattacks go unreported despite the grave nature of the crime, which has seen bank and mobile money customers lose billions. This keeps regulators in the dark on the extent of the fraud in the country.

CBK has also directed the companies to submit strategies on how they are handling cyberattacks by August 31.

“CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe,” said CBK in new Guidelines on Cybersecurity for Payment Service Providers.

Periodic review

“The bank therefore requires all payment service providers to periodically review their cybersecurity strategy, policy and framework regulatory based on PSP’s (payment service providers) threat and vulnerability assessment.”

The guidelines are going through stakeholder participation until September 14.

Local firms have in the past under-reported the extent to which they have been attacked and lost money. According to cyber security consultancy Serianu, Kenyan companies lost over Sh21 billion last year.

Of this, Sh18 billion was withdrawn from bank customers’ accounts, with the institutions having to refund the money.

According to the firm, about 90 per cent of cyber-attack incidents go unreported.

“Payment service providers should notify CBK within 24 hours of any cybersecurity incidents that could have significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition,” said CBK.

“On a quarterly basis, PSPs shall provide CBK with a report… concerning its occurrence and handling of cybersecurity incidents.”

Last year, many local firms were victims of cyberattacks, including dozens that were hit by WannaCry ransomware.

According to the Kenya Computer Incidence Response Team, domiciled at the Communications Authority of Kenya, there were minimal reports from companies of attacks, a pointer that firms could be withholding information on attacks, afraid that such reports might dent their credibility.

Few incidents were reported even though Serianu and other local ICT security firms said they had been contacted by clients who had suffered attacks.

Some of the attacks have been contained and systems restored while others have proved difficult to contain.

