
Banks need to increase their cybersecurity investments to tackle emerging new threats in artificial intelligence, according to a new report by the Central Bank of Kenya.
This is among the issues raised by the banking sector regulator in its planned overhaul of the 2017 Cybersecurity Guidance to counter emerging threats.
CBK argues that issues such as artificial intelligence, cloud computing, application programming interfaces, and mobile money fraud were not adequately addressed in the current (2017) framework.
Currently, commercial banks budget between Sh2.5 million and Sh600 million annually for cybersecurity.
The regulator says that despite a growing awareness of the risks posed by sophisticated cyberattacks, the budget was dependent on the cost of annual license fees of cybersecurity solutions implemented by the commercial banks.
“As cyber threats evolve in scale and sophistication, updated guidance from central banks plays a critical role in safeguarding the stability, trust, and integrity of the financial system,” CBK said in its latest Cybersecurity survey.
CBK has embarked on updating the 2017 CBK Guidance on Cybersecurity to commercial banks.
The regulator argues that, while the current framework has significantly improved the industry’s cyber posture, the rapid evolution of cyber threats has outpaced the regulatory model.
The findings, covering 37 commercial banks and one mortgage, show that 95 percent of lenders have a cybersecurity budget.
Conversely, five percent indicated that they do not have a cybersecurity budget and that funds are made available on a need basis.
While commercial banks have largely embraced the existing framework, the expansion of mandatory requirements is expected to stretch cybersecurity budgets further.
Already, banks are spending between Sh2.5 million and Sh600 million annually on cybersecurity, depending on their size and technology infrastructure.
These funds cover expenses such as software licensing, staff training, penetration testing, and establishing Security Operations Centres (SOCs).
“About one-third of the surveyed banks reported relying heavily on manual monitoring tools, which are often insufficient in detecting real-time threats. CBK’s expected update may push more banks toward adopting automated threat detection and response systems,” the report reads in part.
Local banks are calling for updated cybersecurity guidelines that reflect emerging digital risks and technologies, amid growing concerns over data protection, cybercrime, and evolving financial platforms.
CBK says that in recent submissions to the regulator, financial institutions recommended that the upcoming cybersecurity guidance incorporate several key areas currently not covered in detail.
These include Artificial Intelligence (AI) and Machine Learning (ML), cloud computing, and application programming interface (API) security—technologies that are increasingly central to banking operations.
Further, the financial institutions want cyber risk insurance and risk transfer mechanisms, enhanced controls to curb mobile money fraud, data protection and privacy risk management, and threat intelligence sharing frameworks, particularly mechanisms that allow for anonymised information exchange between institutions.
The proposed updates come as the financial sector rapidly digitises and faces sophisticated cyber threats.
Mobile money platforms, which now dominate daily transactions, have become a major target for fraud, prompting calls for stricter detection controls.
Banking leaders argue that incorporating these emerging concerns into regulatory frameworks will bolster sector-wide resilience and better safeguard customer data in an increasingly interconnected financial ecosystem.