Introduction
Recently, the Central Bank of Kenya (CBK) issued the Guidelines on Cybersecurity for Payment Service Providers (the Guidelines), which will change the way payment service providers (PSPs) deal with cybersecurity threats in the Kenya payment systems. PSPs play an important role in the economy as they facilitate payments between parties through electronic systems. In Kenya, PSPs are broadly divided into four categories, namely: electronic retail PSPs, e-money issuers, small e-money issuers and designated payment instrument issuers.
Context
The financial services sector faces cybersecurity threats globally, and these threats continue to morph into greater risks with each passing day. The sector is vulnerable to cybersecurity attacks because of the massive volume of data collected and exchanged on every single transaction.
Financial regulators globally are increasingly focused on coming up with measures to ensure cyber resilience in the financial industry. If left undetected, cybersecurity threats have the potential to send shockwaves through an economy because of the systemic risks they would cause in the financial industry. In the Guidelines, CBK seeks to tackle the cybersecurity threat by creating a safer and more secure cyberspace in Kenya to promote the stability of Kenya’s payment systems.
Main contents of the Guidelines
The salient provisions of the Guidelines are described below.
(a) Board responsibility to ensure cyber resilience
The Guidelines provide that the directors and senior management of a PSP have the ultimate duty to formulate and implement cybersecurity strategies, frameworks, policies and procedures. The Guidelines set out in detail the responsibilities of the board and senior management in promoting the cyber resilience of a PSP.
(b) Every PSP should have a Chief Information Security Officer (CISO)
The Guidelines require all PSPs to have a CISO whose role is to create an organizational culture of shared cybersecurity ownership. The CISO can be in-house, but the PSP may outsource some of the CISO’s operational security functions set out in the Guidelines to an external CISO, subject to the PSP obtaining the prior approval of the CBK.
(c) Every PSP should have in place written cyber security policies
The Guidelines require PSPs to implement and maintain a written policy setting forth the PSP’s policies and procedures for the protection of its information systems and the confidential information stored on those systems.
(d) Risk assessment, monitoring and reporting
The Guidelines require every PSP to conduct a risk assessment of the PSP’s information systems, which will help inform the design of the PSP’s cybersecurity program. The Guidelines also require a PSP to have in place a proper risk management framework that considers operational risks, collaboration between internal and external stakeholders, incident reporting and cyber resilience, as well as monitoring and testing mechanisms to measure the effectiveness of the PSP’s security program.
(e) Every PSP to have a Cybersecurity Program
The Guidelines require every PSP to have a cybersecurity program designed to protect the confidentiality, integrity and availability of the PSP’s information systems. The program ought to, among other things, identify internal and external cybersecurity threats, identify proper defensive infrastructure able to protect the PSP’s information systems, identify responses to detected threats to mitigate their negative effects, and utilize cyber threat intelligence to understand the threats faced by the PSP.
(f) Guidelines on Outsourcing
The Guidelines seek to ensure that third parties providing outsourced services to PSPs have in place adequate cybersecurity measures that conform to legal and regulatory frameworks and international best practices.
(g) Regular independent assessment and audit of PSP’s systems
In order to ensure that cybersecurity risks are managed within the enterprise risk management portfolio of a PSP, the Guidelines require PSPs to carry out continuous independent assessments and internal and external audits.
(h) Training
Lastly, the Guidelines require PSPs to implement information technology (IT) security awareness training programs to provide information on good IT security practices, common threat types and the PSP’s policies and procedures.
What is required of PSPs?
PSPs have ninety (90) days from July 2019 to comply with the Guidelines.
All PSPs are required to submit their cybersecurity policy, strategies and frameworks to the CBK by December 31, 2019. Banks licensed under the Banking Act (Cap. 488, Laws of Kenya) need not revise their cybersecurity policy in accordance with the Guidelines because they have a separate cybersecurity guide issued by CBK in 2017.
Commentary by MWC Legal on the Guidelines
As legal practitioners, we are increasingly asked to advise on data privacy issues locally and internationally, primarily because of the fluidity of movement of data assets within and outside Kenyan borders. The recent Capital One data breach in the United States and Canada, reported to affect more than one hundred million data subjects, brings to the fore the risk posed by weak cybersecurity systems at entities storing customer data. We learn from this incident that cybersecurity threats pose both legal risks (such as class action suits) and reputational risks (such as bad press and damage to brand value) for the affected entity. The cost of compliance with data privacy laws is insignificant compared to the costs of non-compliance, and it is only proper that PSPs comply fully with the Guidelines. MWC Legal would be happy to assist PSPs in interpreting and implementing the Guidelines.
A recent report titled “Regulating for responsible data innovation” published in November 2018 by Cenfri is worth a read for stakeholders dealing with data to understand how regulators the world over are approaching the topic of data innovation.
If you have any queries regarding the Kenya payment systems and the financial services practice area generally, please do not hesitate to contact Peter Mwaura at pmwaura@mwc.legal. Please note that this e-alert is meant for general information only and should not be relied upon without seeking specific subject matter legal advice.