To fight banking fraud and get a better view of the new threats that payment service providers are facing, the Central Bank of Kenya (CBK) has proposed new guidelines for cybersecurity standards.
According to the newly proposed guidelines, banks and mobile payment operators are required to file cybersecurity reports with the industry regulator. The firms must notify the Central Bank of Kenya within 24 hours of any suspicious activity and must also submit a quarterly report to the CBK on the incidents experienced and how they were resolved.
“CBK is well aware of the fact that cyber risk will keep morphing due to the evolution of cyberthreats in Kenya and across the globe. The Bank, therefore, requires all Payment Service Providers (PSPs) to periodically review their cybersecurity strategy, policy, and framework regularly based on each PSP’s threat and vulnerability assessment. All PSPs are required to submit their Cybersecurity Policy, Strategies and Frameworks to the Central Bank of Kenya by August 31, 2018,” CBK stated in the new guidelines. “The Payment Service Providers should notify the Central Bank of Kenya within 24 hours of any Cybersecurity incident(s) that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition in the stipulated format.”
CBK stated that the banking industry and mobile money operators have incurred huge losses due to cyberattacks, but most of these go unreported to the regulators. It also directed the firms to share, by August 31, their security strategies for handling cyberattacks.