Payment service providers to create security-distinct post in new CBK guidelines

Payment Service Providers (PSPs) will be required to create a distinct information security post from October this year as the Central Bank of Kenya (CBK) moves in to tighten the screw on cyber breaches.

New guidelines by the financial sector regulator, published at the start of the month have recommended the creation of the Chief Information Security Officer (CISO) role by the payments-facilitating entities in a position differentiated from the current Chief Information Officer (CIO).

“As cyber-attacks evolve, one of the modern strategic measures globally accepted and acknowledged is the introduction of the role of the CISO. This role is aimed at creating an organizational culture of shared cyber security ownership,” noted the CBK.

Among the roles prescribed for the CISO include the design of cyber security controls in addition to the development and enforcement of a comprehensive cyber security policy.

The CISO will be at liberty to report to either the Chief Executive Officer (CEO), the Chief Operating Officer (COO), the Chief Information Officer (CIO) or Risk Function, with the CBK providing for adequate compensation and separation of roles from the CIO to include the  independent approval of budgets by the board.

The drawing up of new guidelines for the PSPs sits in line with the government’s plan of tightening security in the financial space this as the country comes face to face with an ever-increasing and evolving cyber threat.

The threat from the execution of cyber-attacks remains on the rise driven primarily by the continued adoption of technology in the operation of entities.

In spite of the increased awareness on threats in the evolving cyberspace, the majority of countries have continued to incur higher costs in their mitigation of the threat year on year, driven in part by the unstructured rush for cyber-security infrastructure.

According to a cyber-security report by the pan-African based business and cyber consultancy, Serianu, Kenya witnessed a 39.8 surge in cyber risk associated costs in 2018 to Ksh.29.5 billion (USD 295 million).

“We are in a panic mode. A lot of the investments we see today are panic purchases made as a quick purge to the prevailing challenge. You can buy a very good Maserati, but if the road is in a bad shape and not working well, the car is ruined within a few months,” Serianu Managing Director William Makatiani told Citizen Digital in an earlier interview.

Further to the panic buys, a shortfall in professionals in the field has left the door open for the infiltration of cyber threats to further dampen an already shaky cyber environment with the present shortfall of key staffers estimated at over 8,000.

Data from the Communications Authority’s (CA) National Cybersecurity Centre has continued to exhibit the growing threat as the number of detected cyber threats soared by 10.1 percent to 11.2 million in the first three months of 2019 on an account of enhanced cyber threat detection systems.

The Central Bank of Kenya has remained at the fore front of the war on cyber threats, taking seriously the potential for dire consequences from the occurrence of risks in the now heavily digitized financial system.

Commercial banks are already part and parcel of CBK’s focus with the regulator having instilled Cybersecurity regulations through an August 2017 note.

PSPs are now obligated to submit their Cybersecurity policy, strategies and frameworks to the CBK by the 31^st of December, 2019 with the onward provision for further reporting on a quarterly basis.