Cyber-Security Guidelines for Payment Service Providers

The Central Bank of Kenya (CBK) has released the Draft Cyber-Security Guidelines for Payment Service Providers (PSPs), 2018. PSPs are defined as entities that provide services for storing or processing payments; this also includes entities that control the network or handle the data of other providers. The Cyber-Security Guidelines are meant to provide a framework for managing the data handled by PSPs. The guidelines respond to the widespread and increasing use of PSPs in ordinary financial transactions in Kenya, which in turn exposes these entities to increased cyber risks. The interconnectedness of these PSPs with each other and with the larger financial infrastructure adds to the reasons why all probable entry points for a cyber-attack must be sealed. The guidelines state that the management of a PSP should set a cyber-security strategy and framework for the organization, covering the collection of cybercrime information, the reporting of threats and adequate staffing of its cyber-security function. The guidelines also encourage the creation of the post of Chief Information Security Officer (CISO), who oversees the cyber-security aspects of the organization; small organizations are exempted from this requirement.

The guidelines also mandate that PSPs ensure cyber-security awareness among their employees and customers through training. In addition, PSPs are mandated to ensure that third parties involved in outsourcing arrangements with them can be placed under the CBK's oversight and comply with the guidelines and the National Payment Services Act, 2011. PSPs should also have a business continuity plan designed to preserve the accumulated data in the event of an attack and geared towards reducing the impact of such attacks on end users. The continuity plan improves the cyber resilience of PSPs, enabling them to recover quickly from cyber-attacks and protect their critical business functions. The institutions are also required to conduct internal and external audits of their IT infrastructure and assessments of cyber threats; the reports from these audits should be forwarded to the board and to the CBK.

In view of the delay in the enactment of the Data Protection Bill, the cyber-security guidelines are important in that they mandate PSPs to take steps to prevent breaches of their systems and the subsequent access to the data stored in them. The guidelines are open for public participation until Friday, 14th September, 2018. https://www.centralbank.go.ke/2018/08/17/draft-cyber-security-guidelines-payment-service-providers-psps-invitation-comments/

Written by KnownAfrique (HAKI Team)