New guidelines strengthen cybersecurity requirements for banks and other financial institutions to protect against evolving threats.
The Central Bank of Kenya has issued updated Cybersecurity Guidelines for the financial sector, effective January 1, 2026.
Key Requirements:
Governance:
- Board-level oversight of cybersecurity
- Appointment of Chief Information Security Officer (CISO)
- Regular cybersecurity reporting to the Board
Risk Management:
- Comprehensive cyber risk assessment
- Incident response and recovery plans
- Regular vulnerability assessments and penetration testing
Technical Controls:
- Multi-factor authentication for critical systems
- Encryption of sensitive data
- Network segmentation and monitoring
Third-Party Risk:
- Due diligence on technology vendors
- Contractual security requirements
- Regular audits of third-party providers
Compliance Timeline:
- Large banks: Full compliance by Q2 2026
- Medium banks: Full compliance by Q3 2026
- Smaller institutions: Full compliance by Q4 2026
Penalties: Non-compliance may result in regulatory sanctions including fines and license conditions.
The CBK will provide guidance and support to institutions during the implementation period.