Kenyan insurance companies are now under stricter scrutiny when it comes to cyber attacks, following a new directive from the Insurance Regulatory Authority (IRA). In a bold move to improve cyber resilience, the IRA has mandated that all insurance firms report major cybersecurity incidents within 24 hours of detection and develop board-approved cybersecurity strategies.
This regulatory shift comes amid rising reliance on digital platforms for customer onboarding, policy management, and claims processing. With this digitization, insurers are now exposed to evolving cyber threats, including data breaches, ransomware attacks, and AI-driven intrusions.
Cybersecurity Now a Boardroom Responsibility
The IRA’s new guidelines signal a fundamental change in how cyber risk is governed. What was once considered an IT issue is now a strategic business priority. Insurers must submit comprehensive cybersecurity strategies that are approved both by their boards of directors and the regulator.
Boards are not only required to supervise cybersecurity governance but also urged to include at least one member with cybersecurity expertise. This ensures that cyber risks receive the same level of attention as financial and operational risks.
24-Hour and Quarterly Reporting Requirements
Reportable cyber incidents include:
- Major disruptions to critical services
- Unauthorized access to sensitive customer data
- Financial losses to the insurer, policyholders, or third parties
In such cases, companies must report the event to the IRA within 24 hours. Additionally, insurers are required to submit quarterly reports summarizing all cyber incidents within 15 days after the end of each quarter.
These timelines aim to improve incident visibility and allow the regulator to assess systemic risks across the industry.
AI and Third-Party Vulnerabilities
The IRA’s updated framework also accounts for AI-related threats and third-party vulnerabilities. As insurance firms increasingly adopt artificial intelligence for underwriting and claims processing, they encounter new categories of cyber risks.
Traditional cybersecurity controls often fail to address the complex nature of AI-based attacks and supplier-based vulnerabilities. The regulator is pushing insurers to adopt a holistic approach to cybersecurity, integrating vendor risk management and ethical AI practices.
Company-Wide Cyber Resilience Required
Insurance companies are now expected to build organization-wide cybersecurity cultures. This includes:
- Regular staff training
- Phishing simulations
- Robust backup protocols
- Periodic review of cybersecurity policies
The IRA recommends reassessing these policies annually or whenever significant changes occur in the ICT environment, threat landscape, or legal requirements. This will ensure security practices evolve with changing risks.
Why Cybersecurity Is Critical for Insurers
Cyber attacks in the insurance sector can have devastating consequences. A single breach can compromise the personal and financial data of thousands of policyholders, delay claim payouts, and undermine public trust in insurance institutions.
Unlike a breach in retail or media, a cybersecurity failure in insurance can leave vulnerable families without access to critical financial protection during emergencies.
Final Thoughts
The new IRA directive underscores the urgency of cybersecurity in Kenya’s financial sector. With Kenyan insurance companies now mandated to report cyber attacks within 24 hours, firms must prioritize digital resilience as a matter of business survival.
This landmark shift places cybersecurity where it belongs—in the boardroom—and holds executive leadership accountable for protecting customer data and ensuring uninterrupted service delivery.