May 17, 2024
Volume XIV, Number 138
Home
Legal Analysis. Expertly Written. Quickly Found.
Login

Trending News

Central Bank of Kenya Issues Guidance Note on Cybersecurity
Wednesday, August 23, 2017
cybersecurity, kenya, finance
Print Mail Download i

On August 18, 2017, the Central Bank of Kenya (“CBK”) used its authority under Section 33(4) of the Banking Act to publish a Guidance Note on identifying and mitigating cyber risk.  The Guidance Note directs institutions licensed under the Banking Act (Cap. 488) (“Institutions”) to develop and implement a comprehensive set of program requirements to mitigate cybersecurity risk.

According to a 2016 report by Serianu, a Kenya-based IT services and business consulting firm, Kenya lost approximately $175 million to cybercrime in 2016.  The report identifies the introduction of e-services in both the private and public sector as a major factor behind the dramatic increase in new cyber weaknesses.  Other experts say the interconnectivity of the Kenyan economy and the automation of banking services have further exposed Kenya’s financial sector to risk.  In issuing the Guidance Note, the CBK also recognized the “interconnectedness” of financial Institutions and the need for a coordinated approach and information sharing to maintain “public trust and confidence in the financial system.”

As a result, CBK’s Guidance Note establishes minimum requirements that Institutions should adopt in order to develop effective cybersecurity policies and procedures, but recognizes that it is “not a replacement for and does not supersede the legislation, regulations and guidelines that institutions must comply with as part of their regulatory obligations.”  Among other things, the Guidance Note provides regulatory guidance for the following key areas:

  • Governance: The Guidance Note emphasizes a top-down approach to risk-management, and imposes obligations at all levels of the organization: boards of directors and executive management are directly responsible for strategic aspects of the cybersecurity risk mitigation, and Institutions must identify a Chief Information Security Officer to develop and implement cybersecurity policies and controls across the organization.

Members of Institutions’ boards of directors are expected to “set the right tone at the top” by elevating the importance and awareness of the Institution’s cybersecurity policies and procedures.  In addition, they should allocate an adequate cybersecurity budget based on their Institution’s structure and ensure that their cybersecurity policy applies to all of their Institution’s operating entities, including subsidiaries, joint ventures, and geographic regions.  Members of senior management are responsible for the implementation of their Institution’s cybersecurity risk identification and mitigation strategy, as well as ensuring the creation of a containment strategy and documenting a cybersecurity incident response plan to be used in event of a breach.  The CISO should be a part of senior management and should focus on the tactical and operational aspects of the Institution’s cybersecurity policy, such as ensuring that information systems meet the needs of the Institution and its Information and Communication Technology (ICT) strategy, as well as testing the Institution’s disaster recovery and business continuity plans.

Moreover, the Guidance Note provides that the CISO should report to the Institution’s CEO no less than once per quarter on the CISO’s assessment of the confidentiality, integrity, and availability of information systems in the Institution; exceptions to the approved cybersecurity policies and procedures; the CISO’s assessment of the effectiveness of the cybersecurity program; and all material cybersecurity events that occurred during the period.

  • Independent Assessments/Tests: The Guidance Note requires Institutions to have in place functions for internal audits, risk management, and external audits.  The internal audit function must include assessments of the design and effectiveness of the Institution’s cybersecurity framework, as well as threat and vulnerability assessment tests.  The findings of such assessments must be reported to the board.  The external audit function should conduct similar assessments (and also is required to report findings to the board and CBK on an annual basis).  In addition, the risk management function must include monitoring of current and emerging risks, as well as changes to applicable laws and regulations.

  • Outsourcing: The Guidance Note specifically highlights the cybersecurity risks posed by the use of third-party services, such as cloud services. The Guidance Note therefore advises Institutions to have in place adequate outsourcing agreements, due diligence procedures for prospective service providers, and monitoring processes for service delivery.

  • Training/Awareness: Institutions are instructed to provide IT security awareness training programs for all personnel—including senior management and the board. In addition, there should be a formalized plan in place that details the technical training that will be provided to Institutions’ cybersecurity specialists on an ongoing basis.  Finally, cybersecurity awareness and information should be provided to a variety of the Institution’s third-party stakeholders, from clients and suppliers to partners and service providers.

Institutions are required to submit their cybersecurity policy consistent with the requirements outlined in the Guidance Note to CBK by November 30, 2017.  In addition, Institutions are required to notify CBK of any cybersecurity incidents that could have a “significant and adverse impact” on business operations, finances, or reputation  within 24 hours and to submit quarterly reports to CBK regarding the occurrence and handling of all cybersecurity incidents.  The Banking Act provides that failure to comply with any direction or order under Section 33 shall, in addition to the penalty prescribed under Section 49 of the Banking Act, be liable “to such additional penalty as may be prescribed for each day or part thereof during which the offense continues.”

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins

 

Logo-white

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC