Kenyan insurers must disclose major cybersecurity breaches within 24 hours, regulator says

The directive forms part of broader efforts to enhance accountability and oversight across the industry as more insurers adopt technology-driven operations.

Amid growing concerns over data breaches and digital vulnerabilities, insurers have been instructed to report major cybersecurity incidents to the Insurance Regulatory Authority (IRA) within 24 hours.

The directive is part of new compliance rules designed to bolster digital risk management.

According to the IRA, the move is intended to improve accountability and oversight across the sector as more insurers embrace technology-driven operations.

A newly issued guidance note on cybersecurity highlights the rising risk of cyber threats and data breaches, driven by the industry's increasing reliance on digital platforms for customer onboarding and claims processing.

The document outlines minimum standards for managing cybersecurity risks and requires all insurers to establish formal cybersecurity strategies, policies, and procedures. These frameworks must be approved by company boards and the IRA.

“All licensed insurers and reinsurers are required to familiarise themselves with the contents of the guidance note and ensure full and timely implementation,” IRA CEO Godfrey Kiptum said in a circular accompanying the guidelines.

Insurers are now required to report all material cybersecurity incidents to the regulator within 24 hours of either confirming or substantively detecting the breach, whichever occurs first.

Reportable incidents

According to the IRA, reportable incidents include significant disruptions to critical systems, services, or platforms; unauthorised access to or loss of sensitive customer data; and financial losses affecting the insurer, its clients, or third parties.

The guidance further mandates insurers to regularly review and update their cybersecurity policies, at least annually, or whenever there are major changes in ICT infrastructure, the threat environment, or legal requirements. Companies must also continuously monitor cyber incidents and submit quarterly reports to the IRA within 15 days of each quarter’s end.

The IRA said the directive is intended to improve visibility into cyber breaches across the insurance sector.

“Cyber incidents in the industry can significantly affect policyholders through compromise of personal and financial data, disruption of claims processing, denial of service, or erosion of trust,” reads the guidance note.

Responsibility

A key shift under the new rules is the assignment of cybersecurity accountability to top leadership.

According to the IRA, boards of directors and senior management now hold ultimate responsibility for overseeing cybersecurity frameworks, marking a departure from the traditional IT department-focused approach.

“The ultimate responsibility for an insurer’s cybersecurity framework rests with the Board of Directors and senior management,” the note states.

To strengthen governance, the guidance recommends that insurer boards include at least one member with expertise in cybersecurity to improve oversight and decision-making.

Insurers are also required to enhance company-wide security awareness through measures such as regular staff training, phishing simulations, and secure backup protocols.

The IRA further highlights emerging risks related to artificial intelligence and third-party service providers, acknowledging that such trends have expanded insurers’ exposure to cyber threats.

The regulator maintained that the guidance positions cybersecurity as a company-wide responsibility, urging insurers to adopt proactive measures to protect sensitive data and critical systems amid a rapidly evolving digital landscape.
