Kenya is the largest banking market in East Africa. With dozens of licensed banks, a thriving fintech ecosystem, and mobile money volumes that few global markets match, the cybersecurity stakes are enormous. The Central Bank of Kenya (CBK) responded with the Guidance Note on Cybersecurity (August 2017), issued under Section 33(4) of the Banking Act, and extended comparable requirements to payment service providers through the 2019 Guideline on Cybersecurity for Payment Service Providers.
If you are a bank, microfinance institution, payment service provider, or digital credit provider supervised by CBK, this guide covers what CBK requires, how it compares to BNR cybersecurity regulation across the border in Rwanda, and what a practical compliance programme looks like.
Who do the CBK cybersecurity requirements apply to?
The 2017 Guidance Note applies to institutions licensed under the Banking Act: commercial banks and mortgage finance companies. The 2019 guideline covers payment service providers. In practice, CBK expects sound cyber risk management across the full set of institutions it supervises:
- Commercial banks and mortgage finance companies
- Microfinance banks
- Credit reference bureaus
- Payment service providers (PSPs)
- Digital credit providers
- Money remittance providers
- Foreign exchange bureaus
If CBK supervises you, plan to the standard the Guidance Note sets. Smaller institutions have proportionally simpler environments, but the core expectations remain the same.
Core requirements of the CBK guidance
The guidance is organised around a set of core domains. Each carries specific expectations that CBK will examine.
1. Cybersecurity governance
CBK expects the board of directors to take direct responsibility for cybersecurity risk. This means:
- A board-approved cybersecurity strategy and policy reviewed regularly, informed by each threat and vulnerability assessment
- A designated Chief Information Security Officer (CISO) or equivalent role serving in the senior management team
- Regular board reporting on cybersecurity risk posture, incidents, and programme status
- Adequate budget allocation for cybersecurity proportionate to the institution's risk profile
This is not a formality. CBK examiners will verify that board minutes reflect substantive cybersecurity discussions and that resource allocation matches the stated risk appetite.
2. Cybersecurity risk assessment
Institutions must maintain a continuous risk assessment process that:
- Identifies and classifies all information assets and their criticality
- Assesses threats and vulnerabilities relevant to the Kenyan banking environment
- Evaluates the likelihood and potential impact of identified risks
- Informs the selection and prioritisation of security controls
- Is updated at least annually and after significant changes
The risk assessment must consider threats specific to the East African context: mobile money fraud, SIM swap attacks, social engineering targeting bank staff, and the growing ransomware threat to African financial institutions.
3. Security controls and technology
CBK expects minimum technical controls that mirror international standards:
- Network security: firewalls, intrusion detection and prevention, network segmentation separating critical banking systems from general corporate networks
- Endpoint security: anti-malware, patch management, secure configurations
- Access control: multi-factor authentication for remote access and privileged accounts, role-based access, regular access reviews
- Data protection: encryption of sensitive data in transit and at rest, data classification, data loss prevention
- Application security: secure software development lifecycle (SDLC), code review, security testing before deployment
- Logging and monitoring: centralised log collection, real-time monitoring, and alerting on security events
4. Vulnerability assessment and penetration testing
Section 3.2 of the Guidance Note (Regular Independent Assessment and Test) sets out the testing expectations:
- An independent cyber threat test at least once a year, in the document's own words
- Internal audit must conduct regular independent threat and vulnerability assessment tests and comprehensive penetration tests, reporting findings to the board
- External auditors must conduct independent threat and vulnerability assessments and penetration tests, reporting annually to both the board and CBK
- The risk management function is expected to run red team exercises
- Institutions should engage external consultants with sufficient cybersecurity expertise to understand their threat landscape
The guidance does not prescribe a quarterly scan cadence; the explicit floor is annual independent testing. In practice, a scope that covers internet-facing systems, core banking platforms, mobile banking applications, APIs, and network infrastructure, with remediation tracked to completion, is what stands up to examination.
What counts as "qualified" for CBK purposes? The Guidance Note asks for external consultants with sufficient cybersecurity expertise rather than naming certifications. Across the border, BNR Regulation No 50/2022 does name credentials, listing OSCP among the qualifications for penetration testers. A provider with financial-sector experience and recognised offensive security certifications gives an examiner the due-diligence evidence both regulators look for.
5. Incident response and cyber resilience
CBK's reporting obligations are explicit, and the preparedness expectations follow from them:
- A documented incident response plan covering detection, analysis, containment, eradication, recovery, and post-incident review
- Incident classification based on severity and impact
- Reporting obligations: incidents with a significant and adverse impact on operations, reputation, or financial condition must be reported to CBK within 24 hours, with a quarterly return covering all incidents and their handling
- Business continuity planning that accounts for cyber scenarios
- Regular testing of incident response plans through tabletop exercises and simulations
- Threat intelligence sharing with sector peers and CBK
CBK promotes threat intelligence sharing across the financial sector, and supervised institutions are expected to participate in the coordination arrangements available to them.
6. Third-party risk management
Given how heavily Kenyan banks rely on technology vendors, mobile network operators, and cloud providers, CBK expects adequate governance of outsourcing: due diligence on prospective providers, documented agreements, and ongoing monitoring of service delivery. In practice that means:
- Due diligence on all third-party service providers before engagement
- Contractual security requirements including the right to audit
- Ongoing monitoring of third-party security posture
- Incident notification clauses requiring vendors to report security incidents
- Inclusion of critical third-party systems in penetration testing scope
The recent fraud incidents involving vendor platforms in the region underscore why this matters. See our analysis of what the recent bank fraud in East Africa means for your institution.
CBK vs BNR: a comparison
For institutions operating across East Africa, understanding both frameworks is essential. Many banks and fintechs operate in both Kenya and Rwanda.
| Requirement area | CBK Guidance Note (Kenya) | BNR Reg No 50/2022 (Rwanda) | | ------------------- | ----------------------------------------- | ----------------------------------------- | | Governance | Board-approved policy, CISO role | Board-approved policy, designated officer | | Risk assessment | Regular, board-overseen | Regular risk assessments | | Security testing | Independent cyber threat test annually | Annual pentest, bi-annual VA mandated | | Incident reporting | Within 24 hours to CBK, quarterly returns | Prompt reporting to BNR | | Third-party risk | Due diligence, documented agreements | Vendor risk management | | Data protection | Aligned with Kenya Data Protection Act | Aligned with Rwanda DPP Law | | Business continuity | Cyber-aware BCP expected | Business continuity expected | | Threat intelligence | Sector coordination led by CBK | Coordination with NCSA |
The practical overlap is substantial: an institution that builds a strong compliance programme for one framework will already have covered most of the other. The differences are in specifics: CBK is more prescriptive on incident reporting and sector coordination, while BNR mandates a specific testing cadence (annual penetration testing, bi-annual vulnerability assessments), names qualifying tester credentials, and aligns tightly with Rwanda's National Cyber Security Authority and data protection framework.
Operating in both countries? Build your security programme to the stricter requirement in each area. A single penetration testing engagement can be scoped to cover both CBK and BNR reporting requirements, saving cost and ensuring consistency.
Common compliance gaps in Kenyan banks
From security assessments across the East African banking sector, the gaps we most frequently encounter include:
- CISO function without authority: the role exists on paper but lacks budget, board access, or decision-making power
- Risk assessments disconnected from reality: generic risk registers that do not reflect the institution's actual threat landscape or technical environment
- Penetration testing as checkbox: annual tests with minimal scope that miss critical systems, particularly mobile banking APIs and third-party integrations
- Mobile channel security gaps: Kenya's M-Pesa ecosystem creates unique integration points between banking systems and mobile money platforms. These integrations are frequently undertested. See our mobile money security testing guide
- Flat internal networks: insufficient segmentation between core banking, general IT, and internet-facing systems
- Incomplete incident response: plans exist but have never been tested through a realistic exercise
- Third-party blind spots: vendor-supplied core banking and internet banking platforms that have never been independently security tested
What a CBK-compliant security programme looks like
CBK's explicit testing floor is annual. The cadence below deliberately goes beyond it: it is what we consider proportionate for an institution holding customer funds.
Quarterly activities
- Vulnerability scans of all systems in scope
- Review and update of security monitoring rules
- Third-party risk dashboard review
- Security awareness reminders and phishing simulations
Annual activities
- Full-scope penetration test covering network, web, mobile, and API attack surfaces
- Risk assessment update
- Policy review and board presentation
- Incident response tabletop exercise
- Third-party security review
After significant changes
- Targeted penetration testing of new or modified systems
- Updated risk assessment reflecting the change
- Validation that security controls are effective in the new configuration
Continuous activities
- Security monitoring and alerting (SIEM)
- Patch management
- Access reviews for privileged accounts
- Threat intelligence consumption and action
The Kenya-specific threat landscape
Kenyan banks face threats that are both global and locally specific:
- SIM swap fraud: exploiting mobile network operator processes to take over phone numbers and bypass SMS-based authentication. A persistent problem in Kenya despite improved controls
- Social engineering: targeting bank staff and customers through phone calls, SMS, and social media. Building staff resilience against this starts with security awareness training
- Mobile money integration attacks: business logic flaws in the bank-to-M-Pesa channel, exploiting velocity check gaps and float manipulation
- Ransomware: increasingly targeting African financial institutions, Kenya included
- Insider threats: privileged access abuse, particularly in IT departments with broad system access
- API attacks: as Kenyan banks adopt open banking and PSD2-style APIs, the API attack surface is growing rapidly. See our API security guide for banking
How we can help
IMIZI Cyber is an offensive security firm based in Kigali, working with banks, fintechs, telecoms, government, and healthcare institutions across Africa, Kenya included. We work to both the CBK and BNR frameworks and can scope a single penetration test that supports both sets of requirements. Our testing covers web applications, APIs, mobile banking, network infrastructure, and cloud, delivered with reports structured for regulatory presentation that a board and a regulator can both act on.
For full details on our testing methodology and deliverables, see our penetration testing service page. For broader security assessment needs, see our security assessments service page. Contact us to scope a CBK-aligned security assessment for your institution.