The Central Bank of Kenya (CBK) has established a Banking Sector Cybersecurity Operations Centre (BS-SOC) to enhance cyber defenses across the country’s financial system. The facility, which will operate under CBK’s Cyber Fusion Unit, is designed to provide real-time threat intelligence, incident response, digital forensics, and cyber investigations.
The move comes at a time when cyber threats targeting Kenya’s financial institutions are on the rise, with regulators and industry players warning of growing risks to banking operations and customer data.
CBK Governor Kamau Thugge said the launch of the centre reflects the need for a coordinated approach to cybersecurity in the financial sector. “Cyber threats continue to evolve. A sector-wide response is essential to protect Kenya’s financial system,” he noted.
The apex bank’s own stress tests in May 2025 highlighted the scale of potential risks. The simulations assumed a five per cent probability of successful cyberattacks, with estimated losses of KSh 32.8 million under a baseline scenario. Losses could rise sharply to KSh 2.1 billion under a moderate scenario and KSh 2.9 billion in a severe case.
Kenya has already been experiencing a surge in cyber incidents. According to the National Kenya Computer Incident Response Team – Coordination Centre (KE-CIRT/CC), the country recorded 4.5 billion cyber threat events between April and June 2025, an increase of 80.7 per cent compared to 2.54 billion incidents in the first quarter. Financial institutions remain among the most vulnerable sectors, given their reliance on digital transactions and the large volumes of sensitive data they handle daily.
The new BS-SOC aims to address these vulnerabilities by strengthening the capacity of banks and payment service providers (PSPs) to detect and respond to attacks quickly, while also giving regulators clearer visibility of risks across the sector.
CBK said the initiative is rooted in the Critical Infrastructure and Cybersecurity Regulations, 2024, enacted under the Computer Misuse and Cybercrimes Act. These regulations set new compliance standards for financial institutions and expand the obligations on incident reporting.
Banks and PSPs are now required to comply with three regulatory frameworks: the Commercial Banks Cybersecurity Guidelines of 2017, the PSP Cybersecurity Guidelines of 2019, and the 2024 Critical Infrastructure and Cybersecurity Regulations. The overlapping rules have raised compliance concerns among industry players. CBK has indicated it plans to consolidate them in the future, but has not provided a specific timeline for the consolidation.
Industry experts say the BS-SOC is a critical step in aligning Kenya’s financial system with global standards on cyber resilience. Similar sector-wide centres have been established in advanced economies to improve coordination and intelligence-sharing among regulated entities.
For Kenya, the initiative comes as digital banking adoption continues to rise, increasing the stakes for both regulators and operators. The financial sector has been rapidly digitising, with mobile money platforms, online banking, and payment innovations expanding access but also exposing new vulnerabilities.
Analysts point out that cyberattacks on financial institutions could have systemic consequences if left unchecked, including disruption of payment systems, erosion of customer trust, and financial losses that could undermine stability. By establishing a central operations centre, CBK is signalling that cybersecurity is no longer just a matter of compliance but a pillar of financial stability.
While the sector has welcomed the move, compliance costs and capacity gaps remain a challenge for smaller banks and PSPs. Many rely heavily on outsourced IT services, which may not meet the new standards without significant investment. CBK is expected to use the BS-SOC to support knowledge-sharing and build sector-wide resilience, ensuring that weaker institutions are not left behind.
The banking regulator has also signalled that cyber resilience will form part of its supervisory priorities going forward. This means institutions could face stricter assessments on how well they manage risks, report incidents, and invest in cyber defenses.
As Kenya continues to position itself as a regional financial hub, sector players agree that robust cybersecurity will be crucial in sustaining investor confidence and protecting the integrity of the financial system.