On August 18, 2017, the Central Bank of Kenya (“CBK”) used its authority under Section 33(4) of the Banking Act to publish a Guidance Note on identifying and mitigating cyber risk. The Guidance Note directs institutions licensed under the Banking Act (Cap. 488) (“Institutions”) to develop and implement a comprehensive set of program requirements to mitigate cybersecurity risk.
According to a 2016 report by Serianu, a Kenya-based IT services and business consulting firm, Kenya lost approximately $175 million to cybercrime in 2016. The report identifies the introduction of e-services in both the private and public sector as a major factor behind the dramatic increase in new cyber weaknesses. Other experts say the interconnectivity of the Kenyan economy and the automation of banking services have further exposed Kenya’s financial sector to risk. In issuing the Guidance Note, the CBK also recognized the “interconnectedness” of financial Institutions and the need for a coordinated approach and information sharing to maintain “public trust and confidence in the financial system.”
As a result, CBK’s Guidance Note establishes minimum requirements that Institutions should adopt in order to develop effective cybersecurity policies and procedures, but recognizes that it is “not a replacement for and does not supersede the legislation, regulations and guidelines that institutions must comply with as part of their regulatory obligations.” Among other things, the Guidance Note provides regulatory guidance for the following key areas:
- Governance: The Guidance Note emphasizes a top-down approach to risk management and imposes obligations at all levels of the organization: boards of directors and executive management are directly responsible for the strategic aspects of cybersecurity risk mitigation, and Institutions must identify a Chief Information Security Officer (CISO) to develop and implement cybersecurity policies and controls across the organization.
Members of Institutions’ boards of directors are expected to “set the right tone at the top” by elevating the importance and awareness of the Institution’s cybersecurity policies and procedures. In addition, they should allocate an adequate cybersecurity budget based on their Institution’s structure and ensure that their cybersecurity policy applies to all of their Institution’s operating entities, including subsidiaries, joint ventures, and geographic regions. Members of senior management are responsible for the implementation of their Institution’s cybersecurity risk identification and mitigation strategy, as well as for ensuring the creation of a containment strategy and documenting a cybersecurity incident response plan to be used in the event of a breach. The CISO should be a part of senior management and should focus on the tactical and operational aspects of the Institution’s cybersecurity policy, such as ensuring that information systems meet the needs of the Institution and its Information and Communication Technology (ICT) strategy, as well as testing the Institution’s disaster recovery and business continuity plans.
Moreover, the Guidance Note provides that the CISO should report to the Institution’s CEO no less than once per quarter on the CISO’s assessment of the confidentiality, integrity, and availability of information systems in the Institution; exceptions to the approved cybersecurity policies and procedures; the CISO’s assessment of the effectiveness of the cybersecurity program; and all material cybersecurity events that occurred during the period.
- Independent Assessments/Tests: The Guidance Note requires Institutions to have in place functions for internal audits, risk management, and external audits. The internal audit function must include assessments of the design and effectiveness of the Institution’s cybersecurity framework, as well as threat and vulnerability assessment tests. The findings of such assessments must be reported to the board. The external audit function should conduct similar assessments (and also is required to report findings to the board and CBK on an annual basis). In addition, the risk management function must include monitoring of current and emerging risks, as well as changes to applicable laws and regulations.
- Outsourcing: The Guidance Note specifically highlights the cybersecurity risks posed by the use of third-party services, such as cloud services. The Guidance Note therefore advises Institutions to have in place adequate outsourcing agreements, due diligence procedures for prospective service providers, and monitoring processes for service delivery.
- Training/Awareness: Institutions are instructed to provide IT security awareness training programs for all personnel—including senior management and the board. In addition, there should be a formalized plan in place that details the technical training that will be provided to Institutions’ cybersecurity specialists on an ongoing basis. Finally, cybersecurity awareness and information should be provided to a variety of the Institution’s third-party stakeholders, from clients and suppliers to partners and service providers.
Institutions are required to submit their cybersecurity policy consistent with the requirements outlined in the Guidance Note to CBK by November 30, 2017. In addition, Institutions are required to notify CBK of any cybersecurity incidents that could have a “significant and adverse impact” on business operations, finances, or reputation within 24 hours and to submit quarterly reports to CBK regarding the occurrence and handling of all cybersecurity incidents. The Banking Act provides that failure to comply with any direction or order under Section 33 shall, in addition to the penalty prescribed under Section 49 of the Banking Act, be liable “to such additional penalty as may be prescribed for each day or part thereof during which the offense continues.”