Kenyan banks tighten oversight of third-party tech firms amid rising cyber threats

Financial institutions are updating their contracts and improving monitoring systems to protect themselves from growing risks related to external service providers.
Kenyan banks are intensifying their management of third-party technology service providers as cyber threats linked to outsourced partners become more frequent and costly, according to a recent survey by the Central Bank of Kenya (CBK).
Financial institutions are updating their contracts and improving monitoring systems to protect themselves from growing risks related to external service providers.
More To Read
- CBK targets rogue lenders with new draft regulations, seeks public feedback
- Borrowers exposed to costly loans despite banks cutting interest rates by one per cent
- CBK moves to revise 2017 cyber rules as fraudsters exploit new technology
- Kenya records historic cyber attack surge with 4.6 billion threats in four months this year
- CBK rolls out reforms to stop counties from diverting billions in funds meant for suppliers
- Kenya’s financial outlook steady amid strong Treasury bill demand and stable shilling - CBK
The survey highlights a shift from simple compliance checks to ongoing, dynamic supervision that aligns with changing technological risks and business priorities.
Banks now see the need for stronger partnerships with tech firms, while carefully managing vulnerabilities introduced through these relationships.
Technology service providers deliver crucial support to banks by developing mobile and internet banking platforms, offering cloud storage, and applying artificial intelligence tools.
They also assist with core banking functions such as payment processing, credit assessments, anti-money laundering, fraud prevention, and cybersecurity defences. Despite their importance, banks report increasing challenges managing these external vendors.
“Financial institutions face several challenges when engaging third-party TSPs, including but not limited to high costs of third-party services, adaptability and response to new requirements, limited visibility into subcontractors, longer response times to fix issues, and delayed response to incidents or breaches,” the CBK noted in the survey.
Concerns over cybersecurity and data privacy top the list, with more than 70 per cent of banks naming them as critical issues.
Official data reveals that cyberattacks against Kenyan institutions surged by over 100 per cent in the 12 months to June 2025.
The Communications Authority of Kenya recorded a 146 per cent rise in detected cyber threats, climbing from 3.5 billion to 8.6 billion during the period.
The survey also showed that 26 per cent of banks lack proper systems to continuously monitor third-party providers. Additional problems include regulatory compliance hurdles and vendor lock-in, where switching suppliers becomes difficult and costly.
In response, banks are adopting more rigorous procedures when selecting technology partners. This includes detailed assessments of vendors’ technical ability, financial health, regulatory compliance, and cybersecurity measures. Banks are also conducting joint security exercises and audits to better prepare for potential incidents.
“Evaluating a vendor’s technical capacity, financial stability, regulatory compliance, and cybersecurity posture must go beyond basic checklists and include in-depth assessments, joint disaster recovery drills, and security audits,” the CBK said, quoting feedback from financial institutions.
Updated contracts now feature specific clauses addressing data protection and clear procedures for terminating agreements to avoid confusion and reduce risks. These steps reflect banks’ efforts to stay ahead of emerging cyber threats and protect customers’ information in an increasingly digital banking environment.
Top Stories Today