Insurers caught flat-footed as cyber breach clock ticks
Business | By David Njaaga | Nov 29, 2025
Insurance companies must strengthen their cybersecurity defences to meet regulatory requirements for 24-hour breach reporting, industry experts are warning.
The Insurance Regulatory Authority (IRA) directive, issued by chief executive Godfrey Kiptum, requires insurers to report all material cybersecurity incidents within 24 hours of either confirming or substantively detecting a breach, yet many firms remain unprepared for the enforcement requirements.
The directive, issued in July 2024, compels all licensed insurers and reinsurers to develop detailed cybersecurity policies that receive board-level approval.
Peter Gitau, chief information officer at Liberty Kenya, says the regulation has moved cybersecurity oversight from information technology departments to boardrooms.
"In today's digital economy, cybersecurity goes beyond defence; it's also the new benchmark of trust and a decisive factor in whether an insurer is truly fit to operate," says Gitau.
Reportable incidents include disruptions to critical systems, services or platforms, unauthorised access to or loss of sensitive customer data and financial losses affecting the insurer, its clients or third parties.
Under the rules, a ransomware attack that shuts down a claims platform or exposes customer data triggers the mandatory 24-hour reporting window.
Companies must also submit quarterly incident reports within 15 days after the end of each quarter and update internal cybersecurity policies at least annually.
The warning comes as Kenya faces an escalating cyber threat landscape. The Communications Authority of Kenya recorded over 860 million cyber threat events in 2023.
Data breaches in financial services cost an average of $5.9 million in 2024, according to IBM's Cost of a Data Breach Report.
Gitau notes that the scale of threats justifies the regulatory response.
"Between July and September 2023, the Communications Authority of Kenya recorded over 860 million cyber threat events. Cyber threats have become operational risks affecting institutions and individuals alike," he explains.
IRA recommends that insurance boards include at least one director with cybersecurity expertise, placing ultimate responsibility for cybersecurity frameworks with boards and senior management.
Cybersecurity ranks among the top five risks facing insurers across Africa, according to PwC Africa Insurance Outlook 2023.
Gitau observes that third-party vulnerabilities present a concern for the sector. Partnerships with cloud providers, external claims processors and digital onboarding vendors expand the attack surface.
"A single compromise in one system can cascade across multiple insurers downstream," he says.
Advances in artificial intelligence now enable criminals to create deepfakes, fabricated documents and synthetic identities that evade verification processes.
"For insurers, the imperative is clear: strengthen fraud detection systems capable of identifying deepfakes, implement tighter controls on digital document submissions and equip teams with the skills to recognise and counter manipulation," Gitau adds.
He warns that policyholders today expect digital convenience but also demand that their data be handled securely.
"When that trust is broken, it takes more than a PR statement to rebuild it. Fast, transparent communication following a breach is now a core part of any insurer's responsibility to its clients," he notes.
The regulator recommends regular phishing simulations, staff-wide cyber hygiene training and stronger data backup protocols.
Gitau says a single high-profile breach could erode public confidence across the entire industry, making collective action essential.
"By sharing incident data, running joint simulations and adopting transparent reporting frameworks, the sector can raise standards across the board," he explains.
The regulation supports Kenya's Vision 2030 goals, positioning financial services as drivers of economic transformation.
"Without secure systems and digitally resilient insurers, these goals risk falling short," Gitau observes.
He notes that leadership will be defined not by the absence of incidents but by the quality of response.
"The insurers that embed cybersecurity into strategic planning will define what strong governance looks like in this era," says Gitau.