CBK Publishes Cyber Risk Guidelines for Payment Service Providers in Kenya

Pursuant to Section 31(2)(b) of the National Payment System Act, 2011, which empowers the Central Bank of Kenya (CBK) to issue Directives and Guidelines, the CBK has developed a Cybersecurity Guideline for Payment Service Providers (PSPs). The objective is to create a safer and more secure cyberspace that underpins information system security priorities, in order to promote the stability of the Kenyan payment system sub-sector. The Guideline sets the minimum standards that PSPs are required to adopt in order to develop and implement effective cybersecurity governance and risk management frameworks. It further outlines the minimum requirements that PSPs are required to build upon in the development and implementation of strategies, policies, procedures and related activities for mitigating cyber risk.

The Guidelines outline the minimum requirements that PSPs shall build upon in the development and implementation of strategies, frameworks, policies, procedures and related activities aimed at mitigating cyber risk. The purposes of the Guidelines are to: (i) create a safer and more secure cyberspace that underpins information system security priorities, in order to promote the stability of the Kenyan payment system sub-sector; (ii) establish a coordinated approach to the prevention and combating of cybercrime; (iii) up-scale the identification and protection of Critical Information Infrastructure (CII); (iv) promote compliance with appropriate technical and operational cybersecurity standards; (v) guide PSPs in developing the requisite skills, continuously building capacity and promoting a culture that fosters a strong interplay between policy, leveraging technology to do business, and risk management; and (vi) help maintain public trust and confidence in the National Payment System.

The Guideline sets the minimum standards that PSPs should adopt to develop effective cybersecurity governance and risk management frameworks. It is not a replacement for and does not supersede the legislation, regulations and guidelines that PSPs must comply with as part of their regulatory obligations, particularly in the areas of risk management, outsourcing, information communication technology, internal controls and corporate governance.

Read the Cybersecurity Guideline for PSPs here.