The Central Bank of Kenya (CBK) Issues Draft Guidance On Cyber Risks


The Central Bank of Kenya (CBK) has released a draft titled ‘Guidance Note on Cyber Risk’. The draft is issued under Section 33(4) of the Banking Act, which mandates the CBK to steer banking institutions on matters that cover the stability of the banking system. The draft applies to any financial institution that operates under the license of the Banking Act (Cap. 488).

Primarily, the Guidance Note gives a brief description of the minimum requirements that banking institutions should set up and support in an enterprise-wide cybersecurity program and policy. By doing so, such institutions will enhance their ability to identify cyber risks, as well as to measure, manage and mitigate them.

Due to the sensitivity of banking activities, it is no secret that banking institutions have their strategic plans in place, in addition to risk governance frameworks that should foresee and guard against cyber risks that may endanger their operations. The draft by the CBK is looking forward to making such measures a legal requirement for target institutions so that they all have a uniform approach in enhancing cybersecurity. In like manner, the CBK hopes to encourage institutions to build upon the draft’s recommendations to continually police any residual risks that present themselves after mitigation efforts have been deployed.

CBK’s issue of this draft echoes the importance of the banking sector because the included recommendations apply to an entity that could cripple financial systems if disrupted.

The CBK is inviting public comments on what it intends to be a robust policy to boost cybersecurity in the Kenyan banking system. You can send your comments and suggestions to by Tuesday, July 4, 2017.

The draft is right here.