Overview

The Central Bank of Kenya (CBK) issued a guideline on cybersecurity for Payment Service Providers (PSPs).

The Guideline on Cybersecurity for Payment Service Providers (the Guideline) is applicable to all PSPs authorised under the National Payment System Act, which include:

  • a person, company or organisation acting as provider in relation to sending, receiving, storing or processing of payments or the provision of other services in relation to payment services through any electronic system;
  • a person, company or organisation which owns, possesses, operates, manages or controls a public switched network for the provision of payment services; or 
  • any other person, company or organisation that processes or stores data on behalf of such payment service providers or users of such payment services.

Commercial banks already have most but not all of these obligations under the Guidance Note on Cybersecurity issued by the CBK in August 2017.

The Guideline:

  • requires PSPs to maintain a cybersecurity programme with specified minimum standards designed to mitigate cyber risk in the payment system in Kenya; and
  • places the ultimate responsibility for compliance with this requirement on the board of directors and senior management of PSPs. This requirement is one of those additional responsibilities not set out in the earlier Guidance Note on Cybersecurity for commercial banks.

Key highlights

The highlights of the specified minimum standards PSPs are now required to maintain to mitigate cyber risk in the payment system are as follows:

Governance structure

  • The Guideline has set out the various roles to be carried out by the board of directors and senior management of a PSP including, amongst others: overseeing the cultivation and promotion of an ethical governance, management culture and awareness – setting "the right tone from the top" and implementing the board-approved cybersecurity strategy, policy and framework, respectively.
  • All PSPs are required to have a Chief Information Security Office (CISO). The roles of the CISO include amongst others: developing and implementing the PSP's cybersecurity programme and enforcing the cybersecurity policy; and periodically reporting on the organisation's cybersecurity posture to senior management, board of directors and audit committee.
  • A PSP is limited to outsourcing only the operational security functions of the CISO, such as information security monitoring, testing and threat intelligence, and will be required to seek the prior approval of CBK.

Cybersecurity strategy, frameworks and policies

  • Each PSP shall implement and maintain a written policy or policies for the protection of its information systems and confidential information stored on those information systems.
  • The policy should address key cybersecurity issues including: information security; data governance and classification; business continuity and disaster recovery planning; resources, systems and network security; customer data privacy; vendor and third party service provider management; risk assessment and incident response.

Risk management

Each PSP shall conduct a periodic risk assessment of the PSP's information systems sufficient to inform the design of the cybersecurity programme as required under the Guideline, including the identification of critical cyber assets and revision of controls to respond to technological developments and evolving threats.

Outsourcing

  • PSPs are required to ensure that their third party service providers i.e. cloud service providers comply with legal and regulatory frameworks as well as international best practices.
  • The relationship should be governed by an outsourcing agreement in the nature of a clearly written contract, the nature and detail of which should be appropriate to the materiality of the outsourced activity in relation to the ongoing business of the PSP.
  • PSPs are required to notify CBK of the intention to outsource functions, services and infrastructures at least 30 days before such outsourcing agreements are executed.

Regular independent assessment and testing

  • PSPs are also required to carry out regular independent assessment and audit. To achieve this, the Guideline requires PSPs to incorporate qualified information and communication technology (ICT) auditors within their internal audit team.
  • The Guideline has also set out the IT audit scope for the external auditors.

Training and awareness

  • PSPs should implement IT security awareness training programmes to provide information on good IT security practices, common threat types and the PSP's policies and procedures to the PSP's customers, clients, suppliers, partners, outsourced service providers, staff and other third parties who have links to the PSP's IT infrastructure.

Next steps for PSPs

  • The Guideline allows PSPs up to 1 October 2019 to comply with the requirements in the Guideline.
  • All PSPs except commercial banks are required to submit their cybersecurity policy, strategies and frameworks to the CBK by 31 December 2019.
  • PSPs are required to notify the CBK within 24 hours of any cybersecurity incidents that could have a significant and adverse impact on the PSP's ability to provide adequate services to its customers, its reputation or financial condition.
  • PSPs operating systemically important payment systems and system-wide important payment systems are required to notify CBK within two hours of any cybersecurity incidents that could have a significant and adverse impact on the PSP's ability to provide adequate services to its customers, its reputation or financial condition.
  • PSPs are required to provide CBK with a report on the occurrence and its handling of cybersecurity incidents on a quarterly basis.
  • The Guideline has not provided a penalty for non-compliant PSPs. However, the National Payment System Act provides that the CBK may revoke or vary any designation of a payment instrument if, in the opinion of the CBK, the issuer of a designated payment instrument has failed to comply with any regulations, guidelines, circulars, notices or standards issued by the CBK.
  • Before imposing such a penalty, the CBK shall give the PSP not less than seven days' notice, requiring the PSP to show cause as to why the penalty prescribed should not be imposed.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.