The Insurance Regulatory Authority (IRA) has issued a guidance note on cyber security for the insurance industry, pointing to heightened exposure to cyber security threats and data breaches as the insurance sector in Kenya undergoes rapid digital transformation.
The IRA says in its “Guidance Note on Cyber Security for the Insurance Industry” that as cyber threats grow in scale and sophistication, it is important for insurers to adopt proactive and resilient measures to safeguard systems, data, and services.
The Guidance Note sets out the minimum standards for the management of cyber security risks within the insurance sector. It aims to promote sound practices in cyber security governance, risk management, and incident response.
The Guidance Note states that the ultimate responsibility for an insurer’s cyber security framework rests with the insurance company’s board of directors and senior management. Other matters highlighted in the Note include:
Insurers are expected to establish and maintain a documented cyber security strategy that is proportionate to their size, nature, and complexity. The strategy should articulate clear objectives, delineate roles and responsibilities, and describe the tools, processes and capabilities required to manage cyber risk.
While insurers may adopt internationally recognised cyber security standards, the strategy must be aligned with relevant national legislation.
The cyber security strategy should be subject to regular review, at a minimum annually, or upon the occurrence of a significant incident, introduction of new systems, or material changes in the cyber threat landscape. The strategy should be approved by the board of directors and communicated across the institution, including periodic awareness for staff on the strategic direction.
Cyber security governance requires a clearly defined and well-coordinated structure involving the board of directors, senior management, and the designated cyber security lead. Each level plays a distinct but complementary role in ensuring a secure and resilient technology environment.
Insurers are expected to adopt a structured and proactive approach to cyber security risk management in line with their risk appetite and strategic goals.
Cyber risk should be integrated into the institution’s overall enterprise risk management framework, with appropriate governance, systems, and processes to support the timely identification, assessment, mitigation, and monitoring of risks arising from cyber threats.
Insurers should identify cyber risks and assess the effectiveness of the mitigating measures to protect against and manage cyber risks within the risk appetite and tolerance limit set by the board.
Insurers should establish foundational cyber hygiene practices and foster a culture of cyber security awareness across the organisation.
Insurers are required to develop, maintain, and regularly test a comprehensive Cyber Security Incident Response Plan.
Each insurer is required to develop and maintain a comprehensive cyber security policy and supporting framework aligned with the Guidance Note. The cyber security policy shall be submitted to the IRA within 14 days from the date it is approved by the board or upon request by the Authority.
Insurers should internally review and update their cyber security policy at least annually, or upon significant changes in their ICT environment, threat landscape, or regulatory obligations.
All material cyber security incidents with the potential to significantly impact service delivery, reputation, operations, or financial stability must be reported to the Authority within 24 hours from confirmation or substantiated detection, whichever is earlier.