CBK’s New BS-SOC and CMCA Regulations: What Your Bank Must Do Now
Understanding Kenya’s Banking Sector Cybersecurity Operations Centre, the CMCA Regulations 2024, and the dual compliance requirements reshaping cybersecurity governance for banks, SACCOs, and payment service providers across East Africa.
The Central Bank of Kenya has established the Banking Sector Cybersecurity Operations Centre and commenced harmonising its cybersecurity guidelines with the Computer Misuse and Cybercrimes Regulations 2024. For every regulated financial institution in Kenya, this creates new reporting obligations, control requirements, and governance expectations that demand immediate attention — with non-compliance carrying supervisory consequences that boards cannot afford to ignore.
The New Regulatory Architecture: CBK’s Cybersecurity Enforcement Evolution
In September 2025, the Central Bank of Kenya (CBK) took a landmark step in cybersecurity regulation by establishing the Banking Sector Cybersecurity Operations Centre (BS-SOC) — a dedicated facility under CBK’s Cyber Fusion Unit equipped to provide Cyber Threat Intelligence, Incident Response, Digital Forensics, and Cyber Investigations for the entire regulated financial sector. This initiative, a cornerstone of the CBK Strategic Plan 2024–2027, signals a fundamental shift from principles-based cybersecurity guidance to operationalised, infrastructure-backed regulatory enforcement.
Simultaneously, CBK has commenced the process of harmonising the Commercial Banks Cybersecurity Guidelines 2017 and the Payment Service Providers Cybersecurity Guidelines 2019 with the provisions of the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybersecurity) Regulations 2024 (CMCA Regulations). All regulated institutions — banks, microfinance banks, SACCOs, and payment service providers — must comply with both existing guidelines and the new CMCA requirements concurrently during this transition period.
Understanding the BS-SOC: Structure, Mandate & Reporting Requirements
The BS-SOC represents Kenya’s first sector-specific cybersecurity operations centre established by a financial regulator. Its creation reflects global best practice — regulators in Singapore (MAS), the UK (BoE/FCA), and South Africa (SARB) have established similar capabilities — and positions CBK at the forefront of cybersecurity regulation in Africa.
Core BS-SOC Functions
The BS-SOC aggregates, analyses, and disseminates threat intelligence relevant to the Kenyan financial sector. Regulated institutions are expected to consume and operationalise BS-SOC intelligence feeds, integrating them into their own detection and monitoring capabilities.
When a significant cyber incident affects a regulated institution, the BS-SOC coordinates the response across the sector — ensuring that systemic risk is identified and managed, containment measures are proportionate, and regulatory communication is streamlined.
The BS-SOC provides or coordinates digital forensic capabilities for investigating cyber incidents within the banking sector. Institutions must preserve forensic evidence in accordance with BS-SOC protocols and facilitate access to impacted systems and logs during investigations.
Working alongside law enforcement and the National Computer and Cybercrimes Coordination Committee (NC4), the BS-SOC supports investigations into cybercrimes targeting the financial sector, including ransomware, fraud, and data theft incidents.
Mandatory Incident Reporting to the BS-SOC
Under the CMCA Regulations, all regulated institutions are mandated to report cybersecurity incidents to the BS-SOC within stipulated timelines. This replaces the previous ad-hoc reporting arrangements and establishes a structured, standardised incident notification framework. The reporting obligation covers attempted attacks, successful breaches, data compromises, service disruptions, ransomware incidents, and third-party compromises affecting the institution’s operations.
Critical Compliance Requirement
“All regulated institutions must continue to comply with both sets of the requirements simultaneously and are mandated to report cybersecurity incidents to the BS-SOC within stipulated timelines under the CMCA Regulations.” — CBK Press Release, September 2025. Institutions that fail to report incidents risk regulatory sanction, supervisory action, and reputational damage.
The CMCA Regulations 2024: What Banks Must Implement
The Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybersecurity) Regulations 2024, enacted under the Computer Misuse and Cybercrimes Act 2018, establish mandatory requirements for operators of Critical Information Infrastructure (CII) — which includes all CBK-regulated financial institutions, payment service providers, and their critical technology suppliers.
Key Compliance Requirements
Financial institutions must identify and register their critical information infrastructure with the relevant authority. CII includes core banking systems, payment platforms, customer data repositories, internet banking infrastructure, mobile banking platforms, and associated network infrastructure.
Institutions must establish, implement, and maintain a comprehensive cybersecurity risk management framework that addresses identification, protection, detection, response, and recovery capabilities. The framework must be approved by the board, reviewed annually, and aligned with internationally recognised standards such as NIST CSF or ISO 27001.
Mandatory vulnerability assessment programmes must be in place, with risk-based prioritisation of remediation. CBK guidelines specifically require institutions to assess vulnerability severity, system sensitivity, and potential exploitation impact. Patch management timelines must be documented and evidenced.
Documented and tested incident response plans are mandatory, with defined escalation procedures, communication protocols, and recovery time objectives. Tabletop exercises and simulation drills must be conducted at minimum annually, with results reported to the board and available for CBK inspection.
Institutions must assess and monitor the cybersecurity posture of all third-party service providers, cloud service providers, and technology vendors with access to their systems or data. Contractual obligations must include cybersecurity requirements, audit rights, incident notification provisions, and compliance verification mechanisms.
Both internal and external audit functions must assess the adequacy of the institution’s cybersecurity framework on an annual basis. The internal audit function must evaluate the design and operating effectiveness of cybersecurity controls, while the external auditor must report findings to both the board and CBK annually.
Navigating the Harmonisation: Dual Compliance During Transition
CBK has explicitly stated that during the harmonisation period, institutions must comply with all three regulatory instruments simultaneously: the 2017 Cybersecurity Guidelines for commercial banks, the 2019 Cybersecurity Guidelines for payment service providers, and the 2024 CMCA Regulations. This creates a complex compliance landscape that requires careful gap analysis and implementation planning.
-
Step 01 — Gap AnalysisMap current compliance against all three instrumentsConduct a comprehensive gap analysis comparing your institution’s current cybersecurity controls, policies, and procedures against the requirements of each regulatory instrument. Identify overlaps, contradictions, and net-new requirements that require implementation.
-
Step 02 — Risk AssessmentPrioritise gaps by regulatory and business riskAssess each compliance gap against the likelihood of CBK supervisory scrutiny, the potential financial and operational impact of non-compliance, and the institution’s risk appetite. Prioritise remediation accordingly.
-
Step 03 — RemediationImplement controls to address identified gapsDeploy technical controls, update policies and procedures, establish or enhance incident reporting workflows to the BS-SOC, and strengthen third-party risk management programmes. Document all changes for audit evidence.
-
Step 04 — TestingValidate control effectivenessConduct penetration testing, vulnerability assessments, incident response simulations, and BS-SOC reporting drills to validate that implemented controls are operationally effective. Testing results should be reported to the board and audit committee.
-
Step 05 — ReportingEstablish continuous compliance monitoringImplement ongoing monitoring and reporting mechanisms that demonstrate continuous compliance to CBK. Internal audit should include cybersecurity compliance in its annual plan, and management reporting to the board should include BS-SOC interaction and incident metrics.
Industry Use Cases: Practical Application Across the Banking Sector
Kenya’s largest banks are establishing dedicated threat intelligence functions that ingest BS-SOC feeds, correlate them with global threat intelligence from vendors like Recorded Future and Mandiant, and produce actionable intelligence for their SOC teams. These banks are also leading the adoption of SOAR platforms to automate BS-SOC incident reporting workflows.
PSPs face unique challenges under the harmonised requirements: their transaction volumes, API ecosystems, and mobile-first architectures create attack surfaces that differ significantly from traditional banking. PSPs must implement API security monitoring, mobile application security testing, and real-time transaction fraud analytics alongside traditional cybersecurity controls.
Kenya’s 176 SASRA-regulated deposit-taking SACCOs face the dual burden of SASRA’s tightened IT audit requirements and CBK’s CMCA obligations for those handling payment services. For resource-constrained SACCOs, managed security service providers (MSSPs) and co-sourced IT audit arrangements offer viable compliance pathways.
Microfinance institutions often lack dedicated cybersecurity staff and operate core systems with limited monitoring capabilities. The harmonised requirements mandate minimum cybersecurity controls regardless of institution size — creating an urgent need for practical, proportionate implementation roadmaps that balance compliance with operational reality.
Approaches, Methodologies & Tools for Compliance
CBK’s guidelines align closely with NIST CSF. The 2024 update added the Govern function — addressing board-level cybersecurity governance — making it directly relevant to the CBK’s emphasis on board accountability for cybersecurity risk management.
The international information security management standard provides a certifiable framework that satisfies many CBK requirements. Certification demonstrates compliance maturity to regulators and clients, and is increasingly expected by international correspondents and partners.
Enterprise SIEM platforms enable the centralised log management, threat detection, and incident reporting capabilities required by CBK. Microsoft Sentinel’s cloud-native architecture has driven strong adoption among Kenyan banks already invested in the Microsoft 365 and Azure ecosystem.
Vulnerability management platforms that automate the scanning, prioritisation, and remediation tracking CBK explicitly requires. These tools provide the evidence trail auditors need to validate vulnerability management programme effectiveness.
Challenges for Kenyan & East African Financial Institutions
Complying with three overlapping regulatory instruments simultaneously creates confusion about which requirements take precedence, how to resolve contradictions, and how to efficiently evidence compliance. Institutions need specialist regulatory compliance expertise to navigate this transition period effectively.
Many institutions lack the automated incident detection and reporting infrastructure required to comply with BS-SOC reporting timelines. Organisations that rely on manual security monitoring processes face significant operational challenges in meeting mandatory reporting requirements during active incidents.
The CMCA Regulations’ third-party risk management requirements expose a persistent gap across the Kenyan financial sector: most institutions lack continuous visibility into the cybersecurity posture of their technology vendors, cloud providers, and shared infrastructure partners.
Both the existing CBK guidelines and the CMCA Regulations require board-level accountability for cybersecurity risk. However, board cybersecurity competency remains limited across most East African financial institutions outside the Tier 1 banking segment, creating a governance gap that cannot be addressed through technical controls alone.
Questions Every Bank Board Should Be Asking About BS-SOC & CMCA Compliance
- Have we completed a gap analysis mapping our current cybersecurity controls against both the existing CBK guidelines and the CMCA Regulations 2024?
- Is our institution registered as a Critical Information Infrastructure operator, and have we identified all qualifying systems?
- Do we have the technical infrastructure and procedures to report cybersecurity incidents to the BS-SOC within the mandated timelines?
- Has our cybersecurity risk management framework been reviewed and approved by the board within the last 12 months?
- What is the status of our vulnerability and patch management programme, and do we meet CBK’s evidence requirements?
- Have we conducted cybersecurity assessments of all third-party vendors with access to our systems or customer data?
- Are our internal and external audit functions adequately assessing cybersecurity control effectiveness?
Conclusion: From Compliance Obligation to Sector Resilience
The establishment of the BS-SOC and the implementation of the CMCA Regulations represent a maturation of Kenya’s financial sector cybersecurity governance that has been needed for years. The regulatory architecture is now moving from principles to operations — from guidance notes to monitored compliance with enforced reporting obligations and sector-wide threat intelligence sharing.
For banks, SACCOs, payment service providers, and microfinance institutions, the harmonisation period is both a compliance challenge and a strategic opportunity. Institutions that invest in building genuine cybersecurity capabilities — not just policy documentation — will emerge stronger, more resilient, and better positioned to serve customers in an increasingly hostile threat environment.
The question is no longer whether your institution has a cybersecurity policy. It is whether your controls can withstand a sophisticated attack, your team can report to the BS-SOC within required timelines, and your board can demonstrate to CBK that cybersecurity governance is treated with the same rigour as credit risk and capital adequacy. For Kenya’s financial sector, the standard has been set.


