The Central Bank of Kenya (CBK) plans to revise its seven-year-old cybersecurity guidelines in response to emerging digital threats, raising additional compliance cost fears among commercial banks which have spent up to Sh600 million annually on cybersecurity.

In the plan banks will be required to adopt new technologies, expand monitoring infrastructure, and reassess risk across increasingly digital operations.

CBK’s 2017 Cybersecurity Guidance is set for a major overhaul to incorporate risks associated with artificial intelligence, cloud computing, application programming interfaces, and mobile money fraud—areas that were not fully addressed in the current framework.  “As cyber threats evolve in scale and sophistication, updated guidance from central banks plays a critical role in safeguarding the stability, trust, and integrity of the financial system. Accordingly, CBK has embarked on the process of updating the 2017 CBK Guidance on Cybersecurity to commercial banks,” CBK said in its latest Cybersecurity survey.

The new survey by CBK, covering 37 commercial banks and one mortgage finance institution, reveals that while the current framework has significantly improved the industry’s cyber posture, the rapid evolution of cyber threats has outpaced the regulatory model.

In a survey, the regulator noted that some banks have recommended the regulations at a time when a third of the banks have not complied with the 2017 guideline.

The respondents recommended a number of emerging areas to be included in the Guidance namely; Artificial Intelligence and machine learning, cloud computing and the corresponding governance framework and application programming interface security.

“Cyber risk insurance and risk transfer mechanisms, enhanced controls on mobile money fraud detection, managing data protection related risks, and threat intelligence sharing mechanism are the others,” the regulator noted.

Banks highlighted gaps in the existing guidelines, especially in handling AI-generated attacks, data governance in cloud environments, and securing third-party integrations. A majority of institutions called for clear standards on zero trust architecture, cyber risk insurance frameworks, digital identity protection, and formal threat intelligence sharing systems.

Operational stability

The CBK report indicates that updates are necessary to safeguard operational stability and customer trust in a fast-changing financial ecosystem. The planned revisions will also require banks to submit evidence of their cybersecurity maturity levels, implement formal risk transfer mechanisms, and demonstrate measurable improvements in incident response time and user awareness.

While commercial banks have largely embraced the existing framework, the expansion of mandatory requirements is expected to stretch cybersecurity budgets further.  Already, banks are spending between Sh2.5 million and Sh600 million annually on cybersecurity, depending on their size and technology infrastructure.  These funds cover expenses such as software licensing, staff training, penetration testing, and establishing Security Operations Centres (SOCs).

However, the report reveals that only sixty-eight percent of banks have a fully established SOC. Twenty-nine per cent are in the process of setting one up, while three percent have no plans to implement one. Without a dedicated SOC, institutions face delays in detecting and responding to threats, which increases both reputational and financial risks.

Moreover, nearly one-third of the surveyed banks reported relying heavily on manual monitoring tools, which are often insufficient in detecting real-time threats. CBK’s expected update may push more banks toward adopting automated threat detection and response systems.

While foundational tools like firewalls and intrusion detection systems are already universally adopted, the report shows that only 89 per cent of banks use security information and event management systems, and just eighty-two percent use data encryption.