The Central Bank of Kenya (CBK) has asked all payment service providers (PSPs) to submit their cybersecurity policy, strategies and frameworks by August 31, 2018, under the new draft guidelines. The aim of the guidelines is to create safer cyberspaces, promote compliance, fight cybercrime, and maintain public trust.
“The Guidelines outline the minimum requirements that PSPs shall build upon in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk,” the document reads in part.
The Requirements
PSPs are required to implement risk management strategies in internal and external dependency management and incident response and cyber resilience. The central bank also wants PSPs to regularly conduct independent assessment and testing of internal audits, external audits, and risk management while ensuring that third-party service providers also comply with cybersecurity legal and regulatory frameworks.
Under the new guidelines, Payment Service providers are also required to set up IT awareness training programs which will help employees to understand proper IT security practices, common cyber threats, and the company’s policies and procedures.
“A formalized plan should be put in place to provide ongoing technical training to cybersecurity specialists within the PSP,” the Guideline states.
PSPs are also required to notify the CBK of cybersecurity incidences that could have a negative impact on the ability to serve customers within 24 hours. The central bank also expects PSPs to introduce the role of a Chief Information Security Officer (CISO) except small e-money issuers and fintechs that pose minimal risk to end users.
The board of directors and the senior management of PSPs are required to take an active role in the creation and implementation of cybersecurity strategies, policies, and frameworks. The Guideline reads: “The board of directors and senior management of payment service providing institutions are expected to formulate and implement cybersecurity strategies, policies, procedures, guidelines and set minimum standards set for the institution. All these must be documented and made available for review by external auditors and CBK.”