
Cybersecurity Risk in the Kenyan Financial Sector

As digital banking accelerates, Kenyan financial institutions face mounting cyber threats. An analysis of the current landscape and recommended frameworks.

Risk · 6 min read · December 10, 2024

Risk Advisory Team

CPA Otene & Associates LLP

Kenya's financial sector has undergone remarkable digital transformation. Mobile money, internet banking, agency banking, and digital lending have made financial services more accessible to millions of Kenyans — and created an expanded attack surface for cybercriminals.

The consequences are increasingly visible. Reports of mobile money fraud, SIM swap attacks, and targeted attacks on banking systems appear regularly. The Communications Authority and the Central Bank of Kenya have both escalated their focus on cybersecurity governance in the financial sector. For boards and management teams, the question is no longer whether a cyber incident will occur, but whether the organisation is prepared to prevent, detect, respond to, and recover from one.

The Threat Landscape

Kenya's financial sector faces a diverse range of cyber threats. Mobile money fraud — including SIM swap, social engineering, and agent network compromise — continues to be the most prevalent and high-volume threat, with losses affecting both institutions and customers.

More sophisticated threats include targeted attacks on core banking systems, ransomware deployment against financial institutions, and business email compromise targeting finance teams. The growth of open banking and API-based financial services creates new integration points that attackers actively probe for vulnerabilities.

Third-party risk is a significant and often underestimated exposure. Core banking vendors, cloud service providers, fintech partners, and payment processors all represent potential entry points for attackers. The 2020 SolarWinds attack — which affected thousands of organisations globally through a compromised software update — demonstrated how devastating supply chain attacks can be.

CBK Regulatory Requirements

The Central Bank of Kenya's Guidance Note on Cybersecurity for Payment Service Providers (2020) and subsequent circulars have established a clear expectation: financial institutions must have board-approved cybersecurity strategies, dedicated cybersecurity functions, incident response plans, and regular cybersecurity assessments.

In practice, compliance with these requirements varies significantly. Board-level cybersecurity governance — including regular cybersecurity reporting to the board, board awareness of material cyber risks, and board oversight of the cybersecurity strategy — is an area where many institutions fall short. Boards often receive cyber updates that are too technical to be actionable, or too infrequent to provide meaningful oversight.

Building Cyber Resilience: A Framework Approach

For financial institutions seeking to strengthen their cybersecurity posture, we recommend a framework-based approach combining the NIST Cybersecurity Framework (which provides a comprehensive structure across Identify, Protect, Detect, Respond, and Recover domains) with ISO 27001 (which provides a management system framework for information security).

The starting point is a comprehensive cybersecurity maturity assessment — an honest evaluation of current capabilities against the framework, identifying gaps and prioritising remediation. This assessment should cover technical controls, governance and oversight, incident response readiness, third-party risk management, and staff awareness.

From the assessment, a prioritised cybersecurity improvement roadmap can be developed — one that allocates limited resources to the highest-impact improvements and builds cyber resilience systematically over time.

Incident Response: The Critical Gap

The area where we consistently find the greatest gaps in Kenyan financial institutions is incident response. Most organisations have some form of incident response plan on paper; far fewer have tested it through simulation exercises, trained their response teams, and established clear communication protocols.

A cyber incident is not the moment to discover that your incident response plan does not work. Regular tabletop exercises — simulating realistic attack scenarios and testing your organisation's response — are among the highest-value investments a financial institution can make in its cyber resilience.


Key Takeaways

  • Cybercrime losses in Kenya's financial sector are growing rapidly with mobile money fraud as the leading threat vector
  • CBK's cybersecurity guidelines require board-level cyber oversight — many banks are not yet compliant
  • Third-party and supply chain cybersecurity risk is consistently underestimated
  • Incident response planning is the most underdeveloped area in Kenyan financial institution cybersecurity
  • ISO 27001 and NIST CSF provide complementary frameworks for building cyber resilience