MARCH 2026 · 9 MIN READ

CBK cybersecurity requirements for Kenyan banks (2026)

Kenya is the largest banking market in East Africa. With dozens of licensed banks, a thriving fintech ecosystem, and mobile money volumes that few global markets match, the cybersecurity stakes are enormous. The Central Bank of Kenya (CBK) responded with the Guidance Note on Cybersecurity (August 2017), issued under Section 33(4) of the Banking Act, and extended comparable requirements to payment service providers through the 2019 Guideline on Cybersecurity for Payment Service Providers.

If you are a bank, microfinance institution, payment service provider, or digital credit provider supervised by CBK, this guide covers what CBK requires, how it compares to BNR cybersecurity regulation across the border in Rwanda, and what a practical compliance programme looks like.

Who do the CBK cybersecurity requirements apply to?

The 2017 Guidance Note applies to institutions licensed under the Banking Act: commercial banks and mortgage finance companies. The 2019 guideline covers payment service providers. In practice, CBK expects sound cyber risk management across the full set of institutions it supervises:

  • Commercial banks and mortgage finance companies
  • Microfinance banks
  • Credit reference bureaus
  • Payment service providers (PSPs)
  • Digital credit providers
  • Money remittance providers
  • Foreign exchange bureaus

If CBK supervises you, plan to the standard the Guidance Note sets. Smaller institutions have proportionally simpler environments, but the core expectations remain the same.

Core requirements of the CBK guidance

The guidance is organised around a set of core domains. Each carries specific expectations that CBK will examine.

1. Cybersecurity governance

CBK expects the board of directors to take direct responsibility for cybersecurity risk. This means:

  • A board-approved cybersecurity strategy and policy reviewed regularly, informed by each threat and vulnerability assessment
  • A designated Chief Information Security Officer (CISO) or equivalent role serving in the senior management team
  • Regular board reporting on cybersecurity risk posture, incidents, and programme status
  • Adequate budget allocation for cybersecurity proportionate to the institution's risk profile

This is not a formality. CBK examiners will verify that board minutes reflect substantive cybersecurity discussions and that resource allocation matches the stated risk appetite.

2. Cybersecurity risk assessment

Institutions must maintain a continuous risk assessment process that:

  • Identifies and classifies all information assets and their criticality
  • Assesses threats and vulnerabilities relevant to the Kenyan banking environment
  • Evaluates the likelihood and potential impact of identified risks
  • Informs the selection and prioritisation of security controls
  • Is updated at least annually and after significant changes

The risk assessment must consider threats specific to the East African context: mobile money fraud, SIM swap attacks, social engineering targeting bank staff, and the growing ransomware threat to African financial institutions.

3. Security controls and technology

CBK expects minimum technical controls that mirror international standards:

  • Network security: firewalls, intrusion detection and prevention, network segmentation separating critical banking systems from general corporate networks
  • Endpoint security: anti-malware, patch management, secure configurations
  • Access control: multi-factor authentication for remote access and privileged accounts, role-based access, regular access reviews
  • Data protection: encryption of sensitive data in transit and at rest, data classification, data loss prevention
  • Application security: secure software development lifecycle (SDLC), code review, security testing before deployment
  • Logging and monitoring: centralised log collection, real-time monitoring, and alerting on security events

4. Vulnerability assessment and penetration testing

Section 3.2 of the Guidance Note (Regular Independent Assessment and Test) sets out the testing expectations:

  • An independent cyber threat test at least once a year, in the document's own words
  • Internal audit must conduct regular independent threat and vulnerability assessment tests and comprehensive penetration tests, reporting findings to the board
  • External auditors must conduct independent threat and vulnerability assessments and penetration tests, reporting annually to both the board and CBK
  • The risk management function is expected to run red team exercises
  • Institutions should engage external consultants with sufficient cybersecurity expertise to understand their threat landscape

The guidance does not prescribe a quarterly scan cadence; the explicit floor is annual independent testing. In practice, a scope that covers internet-facing systems, core banking platforms, mobile banking applications, APIs, and network infrastructure, with remediation tracked to completion, is what stands up to examination.

What counts as "qualified" for CBK purposes? The Guidance Note asks for external consultants with sufficient cybersecurity expertise rather than naming certifications. Across the border, BNR Regulation No 50/2022 does name credentials, listing OSCP among the qualifications for penetration testers. A provider with financial-sector experience and recognised offensive security certifications gives an examiner the due-diligence evidence both regulators look for.

5. Incident response and cyber resilience

CBK's reporting obligations are explicit, and the preparedness expectations follow from them:

  • A documented incident response plan covering detection, analysis, containment, eradication, recovery, and post-incident review
  • Incident classification based on severity and impact
  • Reporting obligations: incidents with a significant and adverse impact on operations, reputation, or financial condition must be reported to CBK within 24 hours, with a quarterly return covering all incidents and their handling
  • Business continuity planning that accounts for cyber scenarios
  • Regular testing of incident response plans through tabletop exercises and simulations
  • Threat intelligence sharing with sector peers and CBK

CBK promotes threat intelligence sharing across the financial sector, and supervised institutions are expected to participate in the coordination arrangements available to them.

6. Third-party risk management

Given how heavily Kenyan banks rely on technology vendors, mobile network operators, and cloud providers, CBK expects adequate governance of outsourcing: due diligence on prospective providers, documented agreements, and ongoing monitoring of service delivery. In practice that means:

  • Due diligence on all third-party service providers before engagement
  • Contractual security requirements including the right to audit
  • Ongoing monitoring of third-party security posture
  • Incident notification clauses requiring vendors to report security incidents
  • Inclusion of critical third-party systems in penetration testing scope

The recent fraud incidents involving vendor platforms in the region underscore why this matters. See our analysis of what the recent bank fraud in East Africa means for your institution.

CBK vs BNR: a comparison

For institutions operating across East Africa, understanding both frameworks is essential. Many banks and fintechs operate in both Kenya and Rwanda.

| Requirement area | CBK Guidance Note (Kenya) | BNR Reg No 50/2022 (Rwanda) | | ------------------- | ----------------------------------------- | ----------------------------------------- | | Governance | Board-approved policy, CISO role | Board-approved policy, designated officer | | Risk assessment | Regular, board-overseen | Regular risk assessments | | Security testing | Independent cyber threat test annually | Annual pentest, bi-annual VA mandated | | Incident reporting | Within 24 hours to CBK, quarterly returns | Prompt reporting to BNR | | Third-party risk | Due diligence, documented agreements | Vendor risk management | | Data protection | Aligned with Kenya Data Protection Act | Aligned with Rwanda DPP Law | | Business continuity | Cyber-aware BCP expected | Business continuity expected | | Threat intelligence | Sector coordination led by CBK | Coordination with NCSA |

The practical overlap is substantial: an institution that builds a strong compliance programme for one framework will already have covered most of the other. The differences are in specifics: CBK is more prescriptive on incident reporting and sector coordination, while BNR mandates a specific testing cadence (annual penetration testing, bi-annual vulnerability assessments), names qualifying tester credentials, and aligns tightly with Rwanda's National Cyber Security Authority and data protection framework.

Operating in both countries? Build your security programme to the stricter requirement in each area. A single penetration testing engagement can be scoped to cover both CBK and BNR reporting requirements, saving cost and ensuring consistency.

Common compliance gaps in Kenyan banks

From security assessments across the East African banking sector, the gaps we most frequently encounter include:

  • CISO function without authority: the role exists on paper but lacks budget, board access, or decision-making power
  • Risk assessments disconnected from reality: generic risk registers that do not reflect the institution's actual threat landscape or technical environment
  • Penetration testing as checkbox: annual tests with minimal scope that miss critical systems, particularly mobile banking APIs and third-party integrations
  • Mobile channel security gaps: Kenya's M-Pesa ecosystem creates unique integration points between banking systems and mobile money platforms. These integrations are frequently undertested. See our mobile money security testing guide
  • Flat internal networks: insufficient segmentation between core banking, general IT, and internet-facing systems
  • Incomplete incident response: plans exist but have never been tested through a realistic exercise
  • Third-party blind spots: vendor-supplied core banking and internet banking platforms that have never been independently security tested

What a CBK-compliant security programme looks like

CBK's explicit testing floor is annual. The cadence below deliberately goes beyond it: it is what we consider proportionate for an institution holding customer funds.

Quarterly activities

  • Vulnerability scans of all systems in scope
  • Review and update of security monitoring rules
  • Third-party risk dashboard review
  • Security awareness reminders and phishing simulations

Annual activities

  • Full-scope penetration test covering network, web, mobile, and API attack surfaces
  • Risk assessment update
  • Policy review and board presentation
  • Incident response tabletop exercise
  • Third-party security review

After significant changes

  • Targeted penetration testing of new or modified systems
  • Updated risk assessment reflecting the change
  • Validation that security controls are effective in the new configuration

Continuous activities

  • Security monitoring and alerting (SIEM)
  • Patch management
  • Access reviews for privileged accounts
  • Threat intelligence consumption and action

The Kenya-specific threat landscape

Kenyan banks face threats that are both global and locally specific:

  • SIM swap fraud: exploiting mobile network operator processes to take over phone numbers and bypass SMS-based authentication. A persistent problem in Kenya despite improved controls
  • Social engineering: targeting bank staff and customers through phone calls, SMS, and social media. Building staff resilience against this starts with security awareness training
  • Mobile money integration attacks: business logic flaws in the bank-to-M-Pesa channel, exploiting velocity check gaps and float manipulation
  • Ransomware: increasingly targeting African financial institutions, Kenya included
  • Insider threats: privileged access abuse, particularly in IT departments with broad system access
  • API attacks: as Kenyan banks adopt open banking and PSD2-style APIs, the API attack surface is growing rapidly. See our API security guide for banking

How we can help

IMIZI Cyber is an offensive security firm based in Kigali, working with banks, fintechs, telecoms, government, and healthcare institutions across Africa, Kenya included. We work to both the CBK and BNR frameworks and can scope a single penetration test that supports both sets of requirements. Our testing covers web applications, APIs, mobile banking, network infrastructure, and cloud, delivered with reports structured for regulatory presentation that a board and a regulator can both act on.

For full details on our testing methodology and deliverables, see our penetration testing service page. For broader security assessment needs, see our security assessments service page. Contact us to scope a CBK-aligned security assessment for your institution.

Frequently asked questions

What is the CBK Guidance Note on Cybersecurity?
Issued in August 2017 under Section 33(4) of the Banking Act, the CBK Guidance Note on Cybersecurity sets minimum cybersecurity requirements for institutions licensed under the Banking Act. It covers governance, risk assessment, security controls, incident reporting, third-party risk, and regular independent security testing including penetration testing. A 2019 guideline extends comparable requirements to payment service providers.
Does CBK require penetration testing for Kenyan banks?
Yes. The Guidance Note on Cybersecurity directs institutions to carry out an independent cyber threat test at least once a year, and tasks internal and external audit with regular independent threat and vulnerability assessments and penetration tests. Findings must be reported to the board, and external auditors report annually to both the board and CBK.
How does CBK cybersecurity compare to BNR requirements in Rwanda?
Both regulators expect cybersecurity governance, risk assessment, security testing, incident reporting, and third-party risk management. CBK is more prescriptive on incident reporting, requiring 24-hour notification of significant incidents plus quarterly incident returns, while BNR Regulation No 50/2022 is more prescriptive on testing cadence, mandating annual penetration testing and bi-annual vulnerability assessments and listing qualifying tester credentials such as OSCP. Banks operating in both countries can build a unified compliance programme.
Who does the CBK cybersecurity framework apply to?
The 2017 Guidance Note applies to institutions licensed under Kenya Banking Act, including commercial banks and mortgage finance companies. CBK extended comparable requirements to payment service providers through its 2019 Guideline on Cybersecurity for Payment Service Providers, and expects sound cyber risk management from the other institutions it supervises.

Ready to secure your organisation?

We are a Kigali-based penetration testing firm, and our testing is led by an OSCP-credentialled practitioner. We work with banks, fintechs, and regulated institutions across Africa. Get a scoped quote within 48 hours.

Chat on WhatsApp Chat with us