NAIROBI, June 21 (Xinhua) -- The Central Bank of Kenya (CBK) has come up with new rules to guide commercial banks on fighting cybercrime as the vice increases in the East African nation.
The apex bank noted Wednesday that increased use of technology by the banks has exposed them to the crime that saw several financial institutions lose up to 291 million U.S. dollars in the last two years.
In 2016 alone, Kenya lost 170 million dollars to cyber criminals, according to a recent report on technology, media and telecommunications by Deloitte.
"The increased leveraging on technology by banks exposes them to cyber risk. In this regard, the CBK has drafted guidelines on cyber risk that outline the minimum requirements for banks to enhance cyber security," said the regulator in a note seeking views on the guidelines.
According to the document, all board of directors and senior management of banks will be expected to formulate and implement Cyber Risk strategies, policy, procedures and guidelines and set minimum standards for the institution.
"All these must be documented and made available for review by external auditors and the CBK," said the bank.
Besides that, banks would be expected to have qualified Information and Communication Technology auditors in their Internal Audit teams.
"The institution's internal information technology auditors should ensure that they continuously review the cyber risk and controls of the ICT systems within the institutions and other related third-party connections," said the bank.
CBK identifies sources of cyber risks as improper access to accounts, for example by a hacker who gains access to a privileged account to control the entire system.
Interconnectedness of institutions could also lead to compromise in the institutions entry points such as through service providers.
"Internal IT system can itself be a source of cyber risk. For example, data replication arrangements that are meant to safeguard business continuity could transfer malware or corrupted data to the backup systems," said CBK.
Banks would thus be required to notify the Central Bank immediately when they become aware of a cyber security incident that could have a significant and adverse impact on the institution's ability to provide adequate services to its customers, its reputation or financial condition.
Kenya was ranked 69th most vulnerable country in the Global Threat Index out of 127 last year.
At least 19 organizations in Kenya were affected by the recent global ransomware hacking attack, according to the Communication Authority of Kenya.
Banks were among organizations hit by the WannaCryptor virus that infected networks and computers in the East African nation and across the world.
The authority formed the National Kenya Computer Incident Response Team (National KE-CIRT) to help in the coordination of fighting the virus.
Almost 80 percent of Kenya's servers are based on Windows, another 16 per cent on unix or the Linux variant, making the country vulnerable.
