Kenya is the largest banking market in East Africa. With over 40 commercial banks, a thriving fintech ecosystem, and mobile money volumes that dwarf most global markets, the cybersecurity stakes are enormous. The Central Bank of Kenya (CBK) has responded with increasingly specific requirements, culminating in the Risk-Based Cybersecurity Framework (RBCF) that sets the baseline for every supervised institution.
If you are a bank, microfinance institution, payment service provider, or digital credit provider supervised by CBK, this guide covers what the framework requires, how it compares to BNR cybersecurity regulation across the border in Rwanda, and what a practical compliance programme looks like.
Who does the CBK RBCF apply to?
The framework applies to all institutions supervised by the Central Bank of Kenya:
- Commercial banks and mortgage finance companies
- Microfinance banks
- Credit reference bureaus
- Payment service providers (PSPs)
- Digital credit providers
- Money remittance providers
- Foreign exchange bureaus
If CBK supervises you, the RBCF applies. There are no exemptions based on size. Smaller institutions have proportionally simpler environments, but the core requirements remain the same.
Core requirements of the CBK RBCF
The framework is organised around six pillars. Each carries specific expectations that CBK will examine.
1. Cybersecurity governance
CBK expects the board of directors to take direct responsibility for cybersecurity risk. This means:
- A board-approved cybersecurity strategy and policy reviewed at least annually
- A designated Chief Information Security Officer (CISO) or equivalent role with direct reporting to senior management
- Regular board reporting on cybersecurity risk posture, incidents, and programme status
- Adequate budget allocation for cybersecurity proportionate to the institution’s risk profile
This is not a formality. CBK examiners will verify that board minutes reflect substantive cybersecurity discussions and that resource allocation matches the stated risk appetite.
2. Cybersecurity risk assessment
Institutions must maintain a continuous risk assessment process that:
- Identifies and classifies all information assets and their criticality
- Assesses threats and vulnerabilities relevant to the Kenyan banking environment
- Evaluates the likelihood and potential impact of identified risks
- Informs the selection and prioritisation of security controls
- Is updated at least annually and after significant changes
The risk assessment must consider threats specific to the East African context: mobile money fraud, SIM swap attacks, social engineering targeting bank staff, and the growing ransomware threat to African financial institutions.
3. Security controls and technology
The RBCF specifies minimum technical controls that mirror international standards:
- Network security: firewalls, intrusion detection and prevention, network segmentation separating critical banking systems from general corporate networks
- Endpoint security: anti-malware, patch management, secure configurations
- Access control: multi-factor authentication for remote access and privileged accounts, role-based access, regular access reviews
- Data protection: encryption of sensitive data in transit and at rest, data classification, data loss prevention
- Application security: secure software development lifecycle (SDLC), code review, security testing before deployment
- Logging and monitoring: centralised log collection, real-time monitoring, and alerting on security events
4. Vulnerability assessment and penetration testing
CBK explicitly requires regular security testing:
- Vulnerability assessments of all IT systems at least quarterly
- Penetration testing at least annually and after significant system changes
- Testing must cover internet-facing systems, core banking platforms, mobile banking applications, APIs, and network infrastructure
- Testing must be conducted by qualified, independent professionals
- Results must be documented, reported to senior management, and remediation must be tracked to completion
What counts as “qualified” for CBK purposes? CBK does not mandate specific certifications, but expects institutions to conduct due diligence on their testing providers. OSCP certification is the industry standard for proving practical penetration testing competence. A provider with financial sector experience and recognised offensive security certifications will satisfy CBK expectations.
5. Incident response and cyber resilience
The RBCF places significant emphasis on incident preparedness:
- A documented incident response plan covering detection, analysis, containment, eradication, recovery, and post-incident review
- Incident classification based on severity and impact
- Reporting obligations: significant cyber incidents must be reported to CBK within 24 hours
- Business continuity planning that accounts for cyber scenarios
- Regular testing of incident response plans through tabletop exercises and simulations
- Threat intelligence sharing with sector peers and CBK
CBK has established a Financial Sector Cyber Threat Intelligence Sharing platform, and supervised institutions are expected to participate.
6. Third-party risk management
Given how heavily Kenyan banks rely on technology vendors, mobile network operators, and cloud providers, the RBCF requires:
- Due diligence on all third-party service providers before engagement
- Contractual security requirements including the right to audit
- Ongoing monitoring of third-party security posture
- Incident notification clauses requiring vendors to report security incidents
- Inclusion of critical third-party systems in penetration testing scope
The recent fraud incidents involving vendor platforms in the region underscore why this matters. See our analysis of what the recent bank fraud in East Africa means for your institution.
CBK vs BNR: a comparison
For institutions operating across East Africa, understanding both frameworks is essential. Many banks and fintechs operate in both Kenya and Rwanda.
| Requirement area | CBK RBCF (Kenya) | BNR Regulation (Rwanda) |
|---|---|---|
| Governance | Board-approved policy, CISO role | Board-approved policy, designated officer |
| Risk assessment | Continuous, annual minimum | Regular risk assessments |
| Penetration testing | Annual minimum, quarterly VA | Annual minimum, quarterly recommended |
| Incident reporting | Within 24 hours to CBK | Prompt reporting to BNR |
| Third-party risk | Due diligence, audit rights | Vendor risk management |
| Data protection | Aligned with Kenya Data Protection Act | Aligned with Rwanda DPP Law |
| Business continuity | Cyber-specific BCP required | Business continuity expected |
| Threat intelligence | Sector sharing platform | Coordination with NCSA |
The practical overlap is substantial. An institution that builds a strong compliance programme for one framework will cover 70-80% of the other. The differences are in specifics: CBK is more prescriptive on business continuity and threat intelligence sharing, while BNR has stronger alignment with Rwanda’s National Cyber Security Authority and data protection framework.
Operating in both countries? Build your security programme to the stricter requirement in each area. A single penetration testing engagement can be scoped to cover both CBK and BNR reporting requirements, saving cost and ensuring consistency.
Common compliance gaps in Kenyan banks
From security assessments across the East African banking sector, the gaps we most frequently encounter include:
- CISO function without authority: the role exists on paper but lacks budget, board access, or decision-making power
- Risk assessments disconnected from reality: generic risk registers that do not reflect the institution’s actual threat landscape or technical environment
- Penetration testing as a checkbox exercise: annual tests with minimal scope that miss critical systems, particularly mobile banking APIs and third-party integrations
- Mobile channel security gaps: Kenya’s M-Pesa ecosystem creates unique integration points between banking systems and mobile money platforms, and these integrations are frequently undertested (see our mobile money security testing guide)
- Flat internal networks: insufficient segmentation between core banking, general IT, and internet-facing systems
- Incomplete incident response: plans exist but have never been tested through a realistic exercise
- Third-party blind spots: vendor-supplied core banking and internet banking platforms that have never been independently security tested
What a CBK-compliant security programme looks like
A practical compliance programme for a Kenyan bank should include:
Quarterly activities
- Vulnerability scans of all systems in scope
- Review and update of security monitoring rules
- Third-party risk dashboard review
- Security awareness reminders and phishing simulations
Annual activities
- Comprehensive penetration test covering network, web, mobile, and API attack surfaces
- Risk assessment update
- Policy review and board presentation
- Incident response tabletop exercise
- Third-party security review
After significant changes
- Targeted penetration testing of new or modified systems
- Updated risk assessment reflecting the change
- Validation that security controls are effective in the new configuration
Continuous activities
- Security monitoring and alerting (SIEM)
- Patch management
- Access reviews for privileged accounts
- Threat intelligence consumption and action
The Kenya-specific threat landscape
Kenyan banks face threats that are both global and locally specific:
- SIM swap fraud: exploiting mobile network operator processes to take over phone numbers and bypass SMS-based authentication, a persistent problem in Kenya despite improved controls
- Social engineering: targeting bank staff and customers through phone calls, SMS, and social media (see our social engineering guide for East African banks)
- Mobile money integration attacks: business logic flaws in the bank-to-M-Pesa channel, exploiting velocity check gaps and float manipulation
- Ransomware: increasingly targeting African financial institutions, with several Kenyan organisations affected in 2025-2026
- Insider threats: privileged access abuse, particularly in IT departments with broad system access
- API attacks: as Kenyan banks adopt open banking and PSD2-style APIs, the API attack surface is growing rapidly (see our API security guide for banking)
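The velocity check gap named in the list above is a business logic flaw: a channel that caps each transfer on its own but never aggregates transfers over time, so a large movement split into small pieces sails through. The block below is an added example written for this article; it is not code from the page, from any bank, or from any mobile money operator. The limits, account id and amounts are constructed for the demo, and it assumes that transfers for a given account are evaluated in chronological order. It contrasts the weak per-transaction check with a rolling-window aggregate check (count, window amount and 24-hour amount), keeps rejected attempts so they can be fed to the monitoring pillar, and walks through a split burst that the first check accepts and the second stops.

```python
"""Transaction velocity check for a bank-to-mobile-money channel.

Added, illustrative example (not any institution's implementation). All
limits, account ids and amounts are constructed; transfers per account are
assumed to arrive in chronological order.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VelocityPolicy:
    """Hypothetical limits (KES); not drawn from any regulator or operator."""
    max_single_amount: int = 150_000          # per-transaction cap
    window: timedelta = timedelta(hours=1)    # short rolling window
    max_count_in_window: int = 5
    max_amount_in_window: int = 250_000
    max_amount_per_day: int = 500_000         # rolling 24-hour cap


@dataclass(frozen=True)
class Transfer:
    account: str
    amount: int
    at: datetime


def per_transaction_only(t: Transfer, policy: VelocityPolicy) -> tuple[bool, str]:
    """The gap: each transfer is judged in isolation, so split transfers pass."""
    if t.amount <= 0:
        return False, "non-positive amount"
    if t.amount > policy.max_single_amount:
        return False, "single-transaction cap"
    return True, "ok"


class VelocityChecker:
    """Aggregate check: per-transaction cap plus rolling count and amount limits."""

    def __init__(self, policy: VelocityPolicy) -> None:
        self.policy = policy
        # account -> accepted transfers from the last 24h, oldest first
        self._history: dict[str, deque[Transfer]] = defaultdict(deque)
        # rejected attempts, kept for the SOC / monitoring pipeline
        self.rejections: list[tuple[Transfer, str]] = []

    def evaluate(self, t: Transfer) -> tuple[bool, str]:
        """Return (accepted, reason). Only accepted transfers consume allowance;
        rejections are recorded separately rather than silently dropped."""
        ok, reason = per_transaction_only(t, self.policy)
        if ok:
            p = self.policy
            hist = self._history[t.account]
            # Drop entries older than the longest window (24h) we reason about.
            while hist and hist[0].at <= t.at - timedelta(hours=24):
                hist.popleft()
            recent = [x for x in hist if x.at > t.at - p.window]
            if len(recent) + 1 > p.max_count_in_window:
                ok, reason = False, "too many transfers in window"
            elif sum(x.amount for x in recent) + t.amount > p.max_amount_in_window:
                ok, reason = False, "window amount cap"
            elif sum(x.amount for x in hist) + t.amount > p.max_amount_per_day:
                ok, reason = False, "daily amount cap"
            else:
                hist.append(t)
        if not ok:
            self.rejections.append((t, reason))
        return ok, reason


def split_transfer_scenario() -> tuple[list[str], list[str]]:
    """Constructed burst: 300,000 moved as three 100,000 pieces two minutes apart.
    Returns the decisions of the weak check and of the aggregate check."""
    base = datetime(2025, 3, 1, 10, 0, 0)
    burst = [Transfer("ACC-0001", 100_000, base + timedelta(minutes=2 * i)) for i in range(3)]
    policy = VelocityPolicy()
    weak = [per_transaction_only(t, policy)[1] for t in burst]
    checker = VelocityChecker(policy)
    strong = [checker.evaluate(t)[1] for t in burst]
    return weak, strong


def daily_cap_scenario() -> list[str]:
    """Constructed day: 100,000 every 90 minutes, each inside the hourly limits,
    so only the rolling 24-hour cap can stop the sixth transfer."""
    base = datetime(2025, 3, 1, 8, 0, 0)
    checker = VelocityChecker(VelocityPolicy())
    return [checker.evaluate(Transfer("ACC-0002", 100_000, base + timedelta(minutes=90 * i)))[1]
            for i in range(6)]


if __name__ == "__main__":
    print(split_transfer_scenario())
    print(daily_cap_scenario())
```

The split burst is the case to watch: the weak check reports `ok` three times, while the aggregate check accepts the first two pieces and rejects the third with `window amount cap`. The same structure extends to destination-level limits (many accounts paying one wallet) by keying the history on the destination instead of, or in addition to, the source account.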
How we can help
We are an OSCP-certified penetration testing firm based in Kigali, working with banks and financial institutions across East Africa including Kenya. We understand both the CBK and BNR frameworks and can deliver penetration tests that satisfy both sets of requirements in a single engagement. Our testing covers web applications, APIs, mobile banking, network infrastructure, and social engineering, all delivered with reports structured for regulatory presentation.
For full details on our testing methodology and deliverables, see our penetration testing service page. For broader security assessment needs, see our security assessments service page. Contact us to scope a CBK-compliant security assessment for your institution.