With Cyber Attacks Rising, Kenya’s New Insurance Rules Put Pressure on Insurers’ Boards

Insurers are no longer off the hook as Kenya’s regulator demands boardroom accountability and rapid breach reporting.


Kenya’s insurance industry is now under stricter cybersecurity oversight after the Insurance Regulatory Authority (IRA) introduced a sweeping framework that compels insurers to report major cyber attacks within 24 hours of detection or confirmation.

The move is part of a broader regulatory push to strengthen defenses in a sector increasingly reliant on digital platforms for customer onboarding and claims processing. Under the new Kenya cyber insurance rules, insurers must not only develop detailed cybersecurity policies but also ensure their strategies are reviewed annually—and receive board-level approval.

“All licensed insurers and reinsurers are required to familiarise themselves with the contents of the guidance note and ensure full and timely implementation,” IRA chief executive Godfrey Kiptum said in a circular.

Material Breaches Must Be Reported Fast

The guidance sets a clear bar for what qualifies as a material cybersecurity incident, including service disruptions, unauthorized access to sensitive customer data, and cyber events that lead to financial losses. Any such breach must be reported to the IRA within 24 hours of being either confirmed or reasonably detected.

The rules also require quarterly reporting of all cybersecurity events, due within 15 days after the end of each quarter. This move aims to give the regulator better visibility into the scale and frequency of cyber threats hitting the sector.

Cybersecurity Is Now a Boardroom Issue

In a significant shift, the IRA has placed the ultimate responsibility for cybersecurity squarely on the shoulders of insurers’ boards and senior management—signaling that this is no longer just an IT issue.

Every board must now include at least one member with experience or expertise in cybersecurity, ensuring better governance and risk awareness at the top. The regulator also recommends regular phishing simulations, staff-wide cyber hygiene training, and stronger data backup protocols.

These changes reflect a more holistic view of cybersecurity—one that considers company-wide culture and not just technical fixes.

Addressing AI and Third-Party Risks

The new Kenya cyber insurance rules also address emerging risks, particularly those tied to artificial intelligence systems and third-party vendors. With many insurers outsourcing parts of their operations and adopting AI for underwriting or fraud detection, the framework calls for stricter monitoring of supply chain risks and algorithmic vulnerabilities.

Cyber attacks in Kenya surged to 2.5 billion incidents last year, a threefold increase, according to official estimates. Key sectors—including finance and insurance—are among the most targeted.

The IRA’s guidance marks a decisive step in pushing the industry to modernize its defenses before another major breach shakes public confidence.


By George Kamau

I brunch on consumer tech. Send scoops to george@techtrendsmedia.co.ke
