Kenyan insurance firms are reportedly unprepared for a new Insurance Regulatory Authority (IRA) directive requiring them to report cyber breaches within 24 hours of detection. This mandate, effective July 2024, highlights widespread concerns about the industry's cybersecurity resilience amidst escalating digital threats.

• The IRA directive compels all licensed insurers and reinsurers to develop board-approved cybersecurity policies and report material incidents within 24 hours.
• Timothy Mburu, Chief Information Officer at Liberty Kenya, emphasized that cybersecurity is now a "new benchmark of trust" and a boardroom-level responsibility.
• Reportable incidents include critical system disruptions, unauthorized access to customer data, and financial losses, with annual policy updates and quarterly incident reports also required.
• Kenya faced over 860 million cyber threat events in 2023, and data breaches in financial services cost an average of $5.9 million in 2024.
• The IRA recommends that insurance boards include at least one director with cybersecurity expertise, as cybersecurity ranks among the top five risks for African insurers.