FEBRUARY 2026 · 10 MIN READ

Cybersecurity in East Africa: threats, regulations, and how to stay protected

Kenya alone lost Sh10.71 billion (about USD 83 million) to cybercrime in 2023, according to the Communications Authority of Kenya, ranking second in Africa behind Nigeria. East Africa's mobile money, USSD banking, and fintech growth has outpaced its security maturity, and that gap is exactly what attackers exploit. This guide maps the regional threat landscape, the regulators in Rwanda, Kenya, Uganda, and Tanzania, and the programme decisions that hold up across all four markets.

The East African cybersecurity landscape

East Africa's rapid digital adoption, particularly in mobile money and internet banking, has made the region a priority target for both local and international threat actors. The attack surface has expanded faster than the defences. A community bank in Kigali now has the same digital exposure as a bank anywhere in the world, but often with fewer security resources.

The volumes are measurable. Kenya's National KE-CIRT/CC, the most prolific incident publisher in the region, detected over 1.1 billion cyber threat events in the April to June 2024 quarter alone, a 16.5 percent rise on the previous quarter. Across the region, incident reporting is dominated by:

  • Banking trojans and credential-stealing malware
  • Business email compromise (BEC) targeting finance teams
  • Mobile money fraud exploiting USSD session vulnerabilities
  • Phishing campaigns impersonating banks, telcos, and government agencies
  • Ransomware attacks on hospitals, government, and financial institutions

Key threats facing East African organisations

Business email compromise (BEC)

BEC attacks, where fraudsters impersonate executives or suppliers to redirect payments, accounted for USD 2.9 billion in reported losses in 2023 according to the FBI's Internet Crime Complaint Center, second only to investment fraud among the categories it tracks. East African banks and corporates are heavily targeted. A finance officer receives an email that appears to come from the CFO, authorising an urgent wire transfer to a new account. The losses can be in the hundreds of thousands of dollars.

Mobile money fraud

Mobile money services across Africa processed more than USD 1.1 trillion in transactions in 2024, according to the GSMA State of the Industry Report on Mobile Money, and East Africa led the growth in monthly active accounts. The attack vectors against MTN MoMo, Airtel Money, and M-Pesa are numerous: SIM swap fraud, USSD session hijacking, agent network compromise, and social engineering of customer service representatives. The speed of mobile money transactions means losses can be irreversible within minutes.

Banking application vulnerabilities

Many banks and fintechs in the region have built and deployed digital products faster than they have secured them. Insecure APIs, missing authentication controls, and business logic flaws in mobile banking apps allow attackers to access other customers' accounts, manipulate transaction amounts, or bypass payment authorisation. These flaw classes survive automated scanning; they surface only under manual testing that follows the application's business logic. Our guide to mobile banking security assessments covers what a thorough test looks like.

Ransomware

Ransomware attacks have hit hospitals and government agencies across East Africa in recent years. Attackers encrypt critical data and demand payment in cryptocurrency. The operational impact (inability to process transactions, access customer records, or run core systems) can last weeks. Our ransomware defence guide for African banks covers the controls that actually reduce this risk.

Insider threats

With high staff turnover in some sectors and competitive salary markets for tech talent, insider threats, both deliberate and negligent, are a persistent concern. A disgruntled employee with access to core banking systems or customer data can cause damage that no perimeter control prevents.

Country-by-country regulatory overview

Rwanda

Rwanda has the most developed regulatory cybersecurity framework in East Africa. BNR Regulation No 50/2022 requires BNR-regulated institutions to conduct a penetration test at least annually and vulnerability assessments at least twice a year (Article 10), lists OSCP among the credentials a qualifying tester can hold, and requires test results to be filed with the central bank within 15 days. The National Cyber Security Authority (NCSA) oversees national cybersecurity strategy and coordinates incident response, and Rwanda's data protection law (Law No 058/2021) aligns with international standards including GDPR principles. See our detailed guides: BNR cybersecurity requirements for banks in Rwanda and penetration testing in Rwanda.

Kenya

The Central Bank of Kenya (CBK) issued its Guidance Note on Cybersecurity (CBK/PG/23) in 2017, requiring all banks to conduct risk assessments and security testing; we break the requirements down in our CBK cybersecurity guide for Kenyan banks. The Communications Authority of Kenya oversees cybersecurity for the broader ICT sector through the National KE-CIRT/CC. Kenya also has the Computer Misuse and Cybercrimes Act (2018), which criminalises a wide range of cyber offences and establishes incident reporting requirements. For provider selection in this market, see our guide to penetration testing in Kenya.

Uganda

The Bank of Uganda (BoU) has issued guidelines requiring supervised institutions to conduct regular security assessments. Uganda's National Information Technology Authority (NITA-U) coordinates national cybersecurity. The Computer Misuse Act (2011) was amended in 2022 to address modern threats.

Tanzania

The Bank of Tanzania (BoT) sets cybersecurity programme requirements within its licensing and supervision framework. Tanzania's TCRA (Tanzania Communications Regulatory Authority) manages cyber incident reporting for the ICT sector. The Electronic and Postal Communications Act provides the legislative framework.

The financial sector: the primary target

Banks, fintechs, insurance companies, and payment processors are disproportionately targeted for an obvious reason: that is where the money is. Beyond direct financial fraud, attackers target:

  • Customer data: sold on dark web marketplaces for identity fraud
  • Transaction systems: for fraudulent transfers or transaction manipulation
  • SWIFT connections: the most lucrative target for sophisticated attackers. In the 2016 Bangladesh Bank heist, attackers moved USD 81 million through fraudulent SWIFT messages. That incident drove the SWIFT Customer Security Programme, whose annual attestation now applies to SWIFT-connected banks in East Africa.
  • Core banking systems: for long-term persistence and data exfiltration

Mobile money and USSD: a growing attack surface

East Africa's reliance on USSD-based financial services creates attack surfaces that do not exist in Western banking markets. USSD sessions can be vulnerable to session hijacking, man-in-the-middle attacks on 2G networks, SIM swap fraud, and enumeration of customer accounts via sequential transaction queries. See our deep dives: USSD security testing: how we assess mobile money platforms and mobile money security testing: MoMo, M-Pesa and USSD platforms.

Building a regional cybersecurity programme

For organisations operating across multiple East African countries, the key is to build a programme that meets the most prescriptive applicable regulation as the baseline, then layer country-specific requirements on top. In this region that baseline is BNR Regulation No 50/2022, which sets the clearest testing floor: annual penetration testing, bi-annual vulnerability assessments, and named tester credentials. Key elements:

  • Annual penetration testing across all material digital assets
  • Continuous vulnerability management, not just annual scans
  • Security awareness training for all staff, in relevant local languages where possible
  • Incident response plan with clear escalation and regulatory notification procedures per country
  • Third-party risk management: assess your cloud providers, payment processors, and software vendors
  • SWIFT CSP attestation if you process SWIFT transactions. See our SWIFT CSP compliance guide for Rwandan banks.

Choosing a security partner in East Africa

Regulators in this region increasingly name the credentials they expect: BNR Regulation No 50/2022 lists OSCP among qualifying tester certifications. So verify two things: that the individual who will test your systems holds a recognised offensive-security credential, and that the firm can demonstrate hands-on methodology rather than firm-level logos. Look for documented experience with African financial institutions, presence in the region for on-site testing, and reports that stand up in front of BNR, CBK, BoU, or BoT.

How we can help

IMIZI Cyber is an offensive security firm based in Kigali, testing the systems that run Africa's regulated institutions: banks, fintechs, telecoms, government and ministry systems, healthcare providers, and other supervised enterprises across Rwanda, Kenya, Uganda, Tanzania, and the wider continent. Our testing is led by an OSCP-credentialled practitioner, grounded in threat-led offensive-security methodology and BNR-aligned engagement experience, with evidence-led reporting a regulator and a board can both act on. The team behind IMIZI Cyber is introduced on our About page.

For details on our assessment methodology, see our security assessments service page. For penetration testing engagements, see our penetration testing service page.

Next step

If your organisation needs a security partner who understands both the threat landscape and the regulatory requirements of the region, Book a Free Call and we will scope the conversation around your regulator and your systems.

Frequently asked questions

What are the biggest cybersecurity threats in East Africa?
The primary threats are business email compromise, mobile money fraud exploiting USSD vulnerabilities, banking application vulnerabilities such as insecure APIs, ransomware attacks on financial institutions and government, and insider threats from employees with access to critical systems.
Which East African countries have cybersecurity regulations for banks?
Rwanda (BNR), Kenya (CBK), Uganda (Bank of Uganda), and Tanzania (Bank of Tanzania) all have cybersecurity requirements for supervised financial institutions. Rwanda currently has the most developed regulatory framework in the region.
How can East African organisations improve their cybersecurity?
Start with annual penetration testing across all digital assets, implement continuous vulnerability management, conduct security awareness training for all staff, establish a tested incident response plan, and assess third-party vendor security risks.

Ready to secure your organisation?

We are a Kigali-based penetration testing firm, and our testing is led by an OSCP-credentialled practitioner. We work with banks, fintechs, and regulated institutions across Africa. Get a scoped quote within 48 hours.

Chat on WhatsApp Chat with us