Executive Summary

The guideline on cybersecurity for Payment Service Providers became effective in July 2019. It sets the minimum standards that Payment Service Providers (PSPs) should adopt to develop effective cybersecurity governance and risk management frameworks.

Its aim is to create a safer and more secure cyberspace that underpins information system security priorities, to promote the stability of the Kenyan payment system sub-sector, and to help maintain public trust and confidence in the National Payment System.

Who are Payment Service Providers?

These are the organisations that operate in the payment space. Well-known examples are Safaricom’s M-PESA and the Real Time Gross Settlement (RTGS) system, which is owned by the Central Bank of Kenya (CBK) and runs on the Kenya Electronic Payment and Settlement System (KEPSS) platform. Other payment service providers include regional payment systems, retail/low-value payment systems, the payment card industry, and mobile phone transfer services such as Equitel, Airtel Money, T-Kash and Mobile Pay.

You can get a list of the payment service providers here.

Responsibility

The Board of Directors of a PSP is ultimately responsible for formulating and implementing cybersecurity strategies, frameworks, policies and procedures. It shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the PSP’s Information Systems.

Governance of PSPs

The guideline sets out the roles and responsibilities of the Board of Directors, senior management and the Chief Information Security Officer (CISO).

The Board of Directors is responsible for robust oversight of, and engagement on, cyber risk matters at board level, so as to promote a security-risk-conscious culture within the PSP.

Senior management is responsible for implementing the PSP’s business strategy in line with its risk appetite, while remaining cognizant of cyber threats.

The Chief Information Security Officer (CISO) is responsible for developing and implementing the PSP’s cybersecurity program and for enforcing the cybersecurity policy.

Risk Management

Each PSP is required to conduct a periodic risk assessment of its information systems, sufficient to inform the design of the cybersecurity program, and to establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.

Setting up a Cyber Resilient Organization

To set up a resilient cybersecurity program, institutions should cover all of identification, protection, detection, response and recovery. The guideline frames this around three capabilities:

Internal Dependency Management: Have effective capabilities to identify and manage the cyber risks associated with business assets throughout their lifespans, and to continually assess and, where necessary, improve the ability to reduce the cyber risks arising from internal dependencies on an enterprise-wide basis.

External Dependency Management (EDM): Have effective capabilities in place to identify and manage the cyber risks associated with external dependencies and interconnections.

Incident Response: Be able to respond to, contain and rapidly recover from disruptions caused by cyber incidents.

Vulnerability Assessments and Penetration Testing

To ensure continuous monitoring and testing of its cybersecurity program, each PSP is required to conduct:

  1. Quarterly vulnerability scans of all critical cyber assets;
  2. Annual penetration testing of the PSP covering, at a minimum, the critical cyber assets as determined each year by the Risk Assessment; and
  3. Bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the PSP’s Information Systems, based on the Risk Assessment.
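The practical difficulty with the three cadences above is keeping evidence that every critical asset actually received its scan, test and assessment on time. The following is an added example (not code from the guideline or from any PSP) of a small cadence tracker: it takes an asset inventory tagged with the criticality decided by the risk assessment and the date each activity was last performed, and reports what is overdue as of a given date. The asset names, field names and the sample inventory are constructed for illustration, and the day counts are one interpretation of the wording: "quarterly" is read as 91 days, "annual" as 365 days and "bi-annual" as every six months (182 days), which is an assumption, since the guideline does not spell the intervals out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cadence for each testing activity, in days. This is one reading of the
# guideline's "quarterly", "annual" and "bi-annual" wording; bi-annual is
# taken as every six months (an assumption, not stated in the guideline).
CADENCE_DAYS = {
    "vulnerability_scan": 91,         # quarterly, critical cyber assets only
    "penetration_test": 365,          # annual, critical cyber assets at a minimum
    "vulnerability_assessment": 182,  # bi-annual, all in-scope information systems
}


@dataclass
class CyberAsset:
    name: str
    critical: bool  # as classified by the most recent risk assessment
    last_vulnerability_scan: Optional[date] = None
    last_penetration_test: Optional[date] = None
    last_vulnerability_assessment: Optional[date] = None


@dataclass
class Finding:
    asset: str
    activity: str
    due_on: Optional[date]        # None when the activity has never been performed
    days_overdue: Optional[int]   # None when the activity has never been performed


def overdue_activities(asset: CyberAsset, as_of: date) -> List[Finding]:
    """Return the testing activities that are out of cadence for one asset."""
    # (activity, date last performed, whether it applies to this asset)
    schedule = [
        ("vulnerability_scan", asset.last_vulnerability_scan, asset.critical),
        ("penetration_test", asset.last_penetration_test, asset.critical),
        ("vulnerability_assessment", asset.last_vulnerability_assessment, True),
    ]
    findings: List[Finding] = []
    for activity, last_done, applies in schedule:
        if not applies:
            continue
        if last_done is None:
            # Never performed: always a finding, regardless of the date.
            findings.append(Finding(asset.name, activity, None, None))
            continue
        due_on = last_done + timedelta(days=CADENCE_DAYS[activity])
        if as_of > due_on:
            findings.append(Finding(asset.name, activity, due_on, (as_of - due_on).days))
    return findings


def compliance_report(assets: List[CyberAsset], as_of: date) -> Dict[str, List[Finding]]:
    """Map each non-compliant asset name to its overdue activities."""
    report: Dict[str, List[Finding]] = {}
    for asset in assets:
        findings = overdue_activities(asset, as_of)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory for illustration; not real PSP data.
SAMPLE_ASSETS = [
    CyberAsset("switch-core", critical=True,
               last_vulnerability_scan=date(2020, 3, 2),
               last_penetration_test=date(2019, 5, 20),
               last_vulnerability_assessment=date(2020, 4, 15)),
    CyberAsset("wallet-api", critical=True,
               last_vulnerability_scan=date(2020, 6, 10),
               last_penetration_test=None,
               last_vulnerability_assessment=date(2020, 2, 1)),
    CyberAsset("hr-portal", critical=False,
               last_vulnerability_assessment=date(2019, 11, 30)),
]

AS_OF = date(2020, 7, 1)  # constructed reporting date

if __name__ == "__main__":
    for name, findings in compliance_report(SAMPLE_ASSETS, AS_OF).items():
        for f in findings:
            if f.due_on is None:
                print(f"{name}: {f.activity} never performed")
            else:
                print(f"{name}: {f.activity} due {f.due_on}, {f.days_overdue} days overdue")
```

Non-critical assets are exempt from the quarterly scan and annual pentest checks but still fall under the bi-annual assessment, which mirrors the scoping in the list above; an activity that has never been performed is reported separately from one that is merely late, since the two call for different remediation.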

Outsourcing and Training

PSPs should have adequate governance over any services they outsource, and must notify the Central Bank of Kenya before outsourcing any services.

PSPs should put in place a formalised plan to provide ongoing technical training to cybersecurity specialists. Security awareness should also extend to customers, clients, suppliers, partners, outsourced service providers and any other third parties with links to the PSP’s IT infrastructure.