Banks and mobile network operators will be required to file cyber security reports with the industry regulator.
The Central Bank of Kenya (CBK) is trying to step up the fight against fraud and aims to get a better view of the new threats that firms are grappling with.
The firms will be required to report within 24 hours of an attack and later file a quarterly report with CBK on the incidents experienced over three months and how they were handled.
This is expected to keep the regulator in the loop on the number and nature of cyber threats on banking industry players and mobile money operators as well as inform policy decisions.
Many cyberattacks usually go unreported despite the grave nature of the crime that has seen bank and mobile money customers lose billions, keeping regulators in the dark on the extent of the fraud in the country.
CBK has also directed the companies to submit strategies on how they are handling cyberattacks by August 31.
“CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyber threats in Kenya and across the globe,” said CBK in new Guidelines on Cybersecurity for Payment Service Providers.
“The bank therefore requires all payment service providers to periodically review their cybersecurity strategy, policy and framework regulatory based on PSP’s (payment service providers) threat and vulnerability assessment.”
The guidelines are going through stakeholder participation until September 14.
Local firms have in the past under-reported the extent to which they have been attacked and lost money. According to cyber security consultancy Serianu, Kenyan companies lost over Sh21 billion last year.
Of this, Sh18 billion was withdrawn from bank customers’ accounts, with the institutions having to refund the money.
According to the firm, about 90 per cent of cyber-attack incidents go unreported.
“Payment service providers should notify CBK within 24 hours of any cybersecurity incidents that could have significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition,” said CBK.
“On a quarterly basis, PSPs shall provide CBK with a report… concerning its occurrence and handling of cybersecurity incidents.”
Last year, many local firms were victims of cyberattacks, including dozens that were hit by WannaCry ransomware.
According to the Kenya Computer Incident Response Team, domiciled at the Communications Authority of Kenya, there were minimal reports from companies of attacks, a pointer that firms could be withholding information on attacks, afraid that such reports might dent their credibility.
The few incidents reported stand in contrast to Serianu and other local ICT security firms saying they had been contacted by clients who had suffered attacks.
Some of the attacks have been contained and systems restored while others have proved difficult to contain.