CYBERSECURITY IN THE PAYMENT SERVICE SPACE
The past decade has seen the financial sector in Kenya diversify to include payment service providers (PSPs) who operate systems that ease the circulation of money. These systems are technology based, running on established telecommunications infrastructure and on services heavily reliant on the internet. Consequently, as with all operations conducted online or connected to the internet, they are at risk of falling prey to cyber criminals. The resulting risk to consumers' funds, to the systems themselves and to the economy at large is therefore substantial and grows with the volume of transactions these systems carry.
In July 2019, in an effort to address and reduce the palpable cyber risks that the PSPs face, the Central Bank of Kenya (CBK) issued the Guidelines on Cybersecurity for PSPs (the Guidelines). This came just after a cyber-security report by the pan-African cybersecurity consultancy Serianu noted that cyber risk-associated costs in Kenya had surged to KES 29.5 billion (USD 295 million) in 2018.
The objective of the Guidelines is to ‘create a safer and more secure cyberspace that underpins information system security priorities, to promote stability of the Kenyan payment system sub-sector’. The CBK is mandated with the regulation of national payment systems and as such the Guidelines are binding on all registered PSPs in the country.
What do the Guidelines mean for PSPs?
The Guidelines place an obligation on PSP boards of directors and senior managers to formulate and implement cybersecurity strategies, frameworks, policies and procedures. There has to be clear documentation to this effect, which must be made available for review by external auditors and the CBK. Ultimate responsibility for a PSP's cybersecurity is placed on the board of directors. This raises the question of whether board members will be held personally liable for system breaches or whether, as has been the practice in the past, the PSP will compensate the affected consumers without any liability attaching to the directors.
A PSP now has to maintain a cybersecurity programme based on its own risk assessment. The goal of the programme is to protect the confidentiality, integrity and availability of the PSP's information systems. The Guidelines do not dictate the parameters of the programme, but they do set out the functions it must perform, which the PSP must address when designing it.
Further, all PSPs will now be required to establish a written cybersecurity policy. The Guidelines provide a list of items that should appear in the cybersecurity policy, including but not limited to testing and detection standards.
All PSPs must establish the new role of a Chief Information Security Officer (CISO), who shall be responsible for, among other things, developing and implementing the PSP's cybersecurity programme and enforcing the cybersecurity policy. Of interest is that outsourcing the governance, oversight and management functions of the CISO is prohibited. A PSP may outsource only operational security functions in support of the CISO, and then only with the approval of the CBK.
Minimum standards set for operational risk management
The Guidelines set the minimum standards that PSPs are required to adopt in order to develop and implement effective cybersecurity governance and risk management frameworks. These standards centre on the fact that PSPs will now be required to establish a robust operational risk management framework and establish firm internal policies and procedures to that effect.
For instance, the Guidelines mandate PSPs to establish and clearly define roles and responsibilities for addressing operational risk, and to strengthen information security policies so as to mitigate major vulnerabilities and threats. Moreover, the Guidelines require PSPs to set up explicit dependency management strategies to manage both internal and external cyber risks to the business.
Outsourcing arrangements, which are already heavily regulated by CBK guidelines, have not been spared under the Guidelines. The Guidelines are emphatic that every outsourcing arrangement must be governed by a clearly written contract containing key provisions such as security incident reporting, contingency plans to ensure business continuity, and controls to ensure data confidentiality. This further restricts how PSPs interact with third parties and external service providers.
Reporting obligations have also been put in place. These mandate PSPs to report any cybersecurity incident that may have a significant impact on the business to the CBK within two hours of the incident occurring. PSPs must also provide a quarterly report of all cybersecurity incidents in the format prescribed in the Guidelines.
How long until PSPs have to fully comply?
All PSPs will be required to submit their cybersecurity policies, strategies and frameworks to the CBK by 31 December 2019, which gives them just over four months to comply with the Guidelines. This deadline does not, however, apply to commercial banks, which are subject to the earlier Guidance Note on Cybersecurity issued in August 2017.
Information security remains a sensitive subject for consumers and a prominent topic in current legal discourse. The issuance of the Guidelines by the CBK shows an understanding of financial market behaviour and of its sensitivity to data protection and information security. The Guidelines demonstrate a proactive approach by the government to combating cyber-associated risks and, by extension, protecting the integrity of the financial sector.
An anticipated challenge in implementing the Guidelines may be in harmonising policies across all PSPs, since the Guidelines state the requirements in a generalised manner. Further, it is unclear what follow-up role the CBK will play once cybersecurity incidents are reported to it, as the Guidelines require. The next year is therefore crucial, as we see how the Kenyan market adapts to and implements the Guidelines.