Kenyan insurance firms are being warned to bolster their cybersecurity defenses as the Insurance Regulatory Authority (IRA) introduces a mandatory 24-hour breach reporting timeline for all material cybersecurity incidents, effective July 2024.

• The IRA directive by chief executive Godfrey Kiptum requires insurers to report breaches within 24 hours of confirmation or detection.
• Peter Gitau, chief information officer at Liberty Kenya, emphasizes that cybersecurity is now a boardroom-level concern, not just an IT department issue.
• Reportable incidents include critical system disruptions, unauthorized data access, and financial losses, with annual policy updates also mandated.
• The Communications Authority of Kenya recorded over 860 million cyber threat events in 2023, and data breaches in financial services cost an average of $5.9 million in 2024.
• IRA recommends that insurance boards include at least one director with expertise in cybersecurity to strengthen governance.