
Under Kenya’s new cyber insurance rule, the Insurance Regulatory Authority (IRA) now requires all insurers to report cyberattacks within 24 hours of detection.
The move aims to strengthen the sector’s resilience against escalating cyber threats.
Under the rule, insurers are required to promptly report any incident that causes major disruptions to critical services, unauthorized access to customer data, or financial losses to the insurer, its clients, or third parties.
According to the IRA, all insurance companies must adopt cybersecurity policies approved by their board of directors, with the policies reviewed annually. The authority further requires quarterly reports of all cybersecurity events to be submitted within 15 days after the end of each quarter.
Additionally, every insurer must ensure that at least one board member has proven expertise in cybersecurity to guide oversight and security strategy effectively. The IRA also strongly recommends periodic phishing simulations, comprehensive cyber hygiene training for all staff, and enhanced data backup practices.
The new regulations come amid a rising number of cyber incidents in Kenya, threatening the integrity of financial and insurance operations. The IRA emphasizes that timely reporting and robust preparedness are critical to maintaining trust and protecting sensitive data.
The authority noted that these measures align with international best practices, reinforcing Kenya’s commitment to safeguarding its financial sector against evolving cyber risks.
In the first quarter of 2025, Kenya recorded a 201.7% increase in cyber threats, highlighting that the country remains an attractive target for threat actors.