An estimated Sh21 billion was lost to cyber crime in Kenya in 2017, according to the Serianu Africa Cyber Security Report. The biggest victims are Payment Service Providers (PSPs), which are now tightening their defences against online criminals. Here are ten ways to reduce the risk of falling victim to cyber crime, according to the Central Bank of Kenya.

1. Organisational leadership by the board

Every Payment Service Provider should understand the nature of its institution and the cyber risks to which it can be exposed. A robust structure for handling cyber security issues at board level promotes a security-risk-conscious culture within the institution.

The board in particular should promote and cultivate healthy ethical governance, management culture and awareness. Additionally, the board should ensure that a sound cyber security strategy and framework are in place.

2. Operations specifications

Most PSPs deal with either Large Value Payment Systems (LVPS) or Retail Payment Systems. Both channels are exposed to risks and attacks by cyber criminals and therefore need robust protection.

Because an LVPS is a Systemically Important Payment System (SIPS), any disruption could prove costly, and it should therefore be owned, designated and operated according to the internal rules set by the operating bank. Additionally, firms in the retail sector should self-assess the operational reliability of their internal systems.

3. Appoint an internal security officer

PSPs handle highly sensitive information and need a technical person to lead the protection of their resources and data. To this end, firms need a Chief Information Security Officer (CISO) whose key role is to oversee and implement the institution's cyber security programme and enforce the adopted policy.

As cyber attacks evolve, any organisation benefits from investing in a person who can design cyber security controls with users at all levels in mind. On a regular basis, the CISO would assess the confidentiality, integrity and availability of the institution's information systems.

4. Risk management solutions for users

All PSPs should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users' information and payment data and to enable recovery of accurate data following an incident.

Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes. In addition, a PSP should identify, monitor and manage the risks that its operations might pose to other institutions.

5. Dependency strategies and cyber resilience

Understanding the cyber threat landscape facing the institution requires a collaborative approach between its internal and external stakeholders. That understanding should then feed into the institution's risk management strategies.

Management of both internal and external dependencies is a critical priority for any organisation. The institution should have an explicit internal dependency management strategy (IDMS) integrated into its overall strategic and cyber risk management plan.

6. Incident response and cyber resilience

PSPs should plan for, respond to, contain and rapidly recover from disruptions caused by cyber incidents, thereby strengthening their cyber resilience. They should therefore be capable of operating critical business functions while under attack, and of continuously enhancing their resilience.

They should also conduct testing that covers disruptive, destructive, corruptive or other cyber events that could affect their ability to serve customers, so as to avoid significant downtime that would affect customers' business operations.

7. Training and awareness

PSPs should implement, as a matter of urgency, an information technology security awareness training programme that covers good IT practices, common threat types and the institution's policies and procedures.

The training should be provided to all employees, including senior management and the board. Additionally, a formalised plan should be put in place to provide ongoing technical training to the cyber security specialists within the PSP.

8. Outsourcing Security Services

PSPs are rapidly expanding their reliance on outsourcing, cloud providers and other services that save time and reduce operating costs.

This trend, however, brings additional cyber risk. PSPs should therefore ensure that their third-party service providers comply with legal and regulatory frameworks as well as international best practice.

Organisations should have in place an adequate governance framework for outsourcing arrangements, including due diligence on prospective service providers, documented outsourcing agreements and adequate monitoring of service delivery.

9. Understanding risk management

This comprises the risk, control, compliance and oversight functions which together ensure that the PSP's management of data, processes, risks and controls is effective.

Risk management ensures that cyber security risks are handled within the enterprise risk management portfolio. It is also important to maintain a comprehensive cyber risk register: key cyber security risks should be regularly identified and assessed. Risk identification should be forward looking and should include security incident handling.

10. Reporting

It is strongly advisable that all PSPs periodically review their internal cyber security strategies in the wake of increasingly advanced cyber attacks in Kenya and beyond. Threat and vulnerability assessments should be a mandatory part of the cyber security framework and policy.

PSPs are required to report or notify the Central Bank of Kenya within 24 hours of any cyber security incident that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition.