Critical Information Infrastructure and Cybercrime Management Regulations, 2024

By James Njui

April 27, 2024

image by Freepik

Equity Bank recently faced a significant cybersecurity threat, with a recent cybercrime resulting in the loss of Sh179 million. The breach, reported by Kenya Insights, involved unauthorized transfers from the bank’s MasterCard GL to 551 accounts. Gerald Munyiri, Equity Bank’s General Manager of Security & Investigations, urgently requested assistance from the Banking Fraud Investigations Department. The hackers efficiently moved stolen funds not only within Equity Bank but also to Safaricom’s M-Pesa platform and other banks.

Equity Bank is actively mitigating the breach by blocking compromised accounts and engaging Safaricom to recover remaining funds. However, this incident is not isolated, with a history of cybersecurity vulnerabilities. Previous cases, including a syndicate jailed in Rwanda for targeting the bank, underscore ongoing challenges in safeguarding assets from digital threats. Recent arrests, including Equity Bank Uganda’s former Executive Director, highlight the gravity of the situation.

The Central Bank underscores the prevalence of card fraud, which occurs through various means such as phishing attacks and card skimming. Despite efforts to combat such crimes, Kenyan banks collectively lost a substantial amount to fraud last year, with only a fraction of the stolen funds recovered by investigators.

To address the growing threat of cybercrime, the Kenyan government recently enacted the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024. In a tweet dated 12th April 2024, on their official handle for the Ministry of Interior and National Administration, Republic of Kenya on X, “We’ve established new standards with the new Computer and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024 that now require all data and information of critical infrastructure sectors to be stored within Kenya.”


Phoyo courtesy of X, Ministry of Interior and National Administration

These regulations empower security agencies to regulate cyberspace activities more effectively, particularly in critical sectors such as telecommunications, banking, transportation, and energy. Additionally, the regulations aim to enhance cybersecurity preparedness across public and private entities to mitigate the risks posed by online threats. “Critical information infrastructure” means a system designated pursuant to section 9 of the Act and includes critical information infrastructure system or data and national critical information infrastructure

Kenya’s increasingly digitized economy, combined with the widespread adoption of mobile money services, has inadvertently made it a prime target for cybercriminals. Therefore, proactive measures, both in terms of technological advancements and regulatory frameworks, are crucial to bolster the nation’s cybersecurity posture and safeguard against future attacks.

JM Associates LLP is pleased to announce a sensitization series for identified stakeholders on the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024. This series aims to provide comprehensive insights into the regulatory framework established by the new regulations and its implications for various sectors on this website. Stay tuned for insights into how your organization is affected by or could take advantage of these newest changes to our nation’s digital infrastructure.

Subcribe to Newsletter