
Kenya’s cybersecurity industry has expanded to an estimated Ksh 18 billion in annual revenues, according to data published by the Communications Authority of Kenya this month, driven in significant part by a sharp rise in the sophistication and frequency of attacks targeting the country’s banking and financial services sector. The figure represents a 62 per cent increase from Ksh 11.1 billion recorded in 2023, reflecting both genuine threat escalation and the accelerated response by institutions that can no longer treat cyber risk as a secondary operational concern.
The Central Bank of Kenya reported in its 2025 Financial Sector Stability Report that attempted cyberattacks on licensed commercial banks increased by 287 per cent between 2023 and 2025, with confirmed successful breaches resulting in direct losses of Ksh 3.8 billion during that period. The attacks range from SIM-swap fraud exploiting mobile banking credentials to highly sophisticated supply-chain intrusions targeting core banking system vendors.
The Nature of the Threat
Kenya’s cyber threat landscape has evolved considerably from the opportunistic phishing attacks that dominated the early 2020s. The country’s Cybersecurity Directorate under the National Intelligence Service documented 14 incidents in 2025 that bore the hallmarks of organised criminal syndicates operating across borders, with forensic evidence pointing to coordination between actors in Nigeria, Eastern Europe, and — in at least two cases — North Korea-linked groups known to target African financial institutions for hard currency.
The most damaging single incident involved a Tier 2 bank that lost Ksh 890 million over a 72-hour window in October 2025 after attackers gained access through a compromised third-party software update. The bank’s name has not been publicly disclosed, but CBK Governor Kamau Thugge confirmed the incident in parliamentary testimony in February 2026, adding that full recovery had been effected and no depositors ultimately suffered losses — a reassurance that nonetheless highlighted the fragility of existing defences.
Mobile money platforms remain a particular target. The CA’s cyber monitoring unit recorded over 4.2 million attempted fraudulent M-Pesa transactions in the first quarter of 2026 alone, of which Safaricom’s fraud detection systems successfully blocked 99.3 per cent. The 0.7 per cent that were not blocked cost users an estimated Ksh 240 million — significant enough to maintain public anxiety about mobile money security even as the absolute success rate is high.
Regulatory Response
The CBK issued revised Cyber Security Guidance Notes in March 2026, making mandatory what had previously been recommended practice. All licensed banks are now required to maintain a dedicated Chief Information Security Officer at executive committee level, conduct penetration testing at least quarterly rather than annually, maintain cyber incident response plans tested through live simulation exercises, and report any attempted breach within four hours of detection rather than the previous 24-hour window.
“We are not waiting for a systemic event to happen and then respond,” Thugge told the Kenya Bankers Association annual conference. “The regulatory expectation is that every bank in Kenya treats cyber risk with the same seriousness it treats credit risk. That means capital allocation, board oversight, and continuous testing.”
The CA has also launched a national Cyber Threat Intelligence Sharing Platform allowing financial institutions, telcos, and government entities to share anonymised threat data in near real time. Twelve major institutions are currently participating, with the CA reporting that shared intelligence has enabled pre-emptive blocking of at least three major attack campaigns since the platform went live in January 2026.
A Growing Industry
The threat environment has created commercial opportunity. Nairobi has seen a rapid increase in locally founded cybersecurity firms, including Serianu, Weza Tele, and newcomer ArcShield Technologies, founded by ex-Safaricom security engineers. International firms including Palo Alto Networks and Check Point have expanded their Nairobi offices, drawn by both the domestic market and the opportunity to use Kenya as a base for pan-African managed security services.
Kenya’s Ministry of ICT has invested Ksh 1.2 billion in the National KE-CIRT/CC since 2024, tripling its analyst headcount and deploying new threat monitoring infrastructure. The centre’s 2025 annual report noted a tenfold increase in entities actively seeking its assistance compared with 2022 — a sign that awareness, if not yet full preparedness, is improving across the economy. With the 2027 election cycle approaching and digital financial services ever more central to everyday Kenyan life, cybersecurity has become a matter of national infrastructure rather than a niche technical specialism.

0 comments