Kenya’s banking sector loses an estimated Ksh20 billion annually to cybercrime, with hackers exploiting weak systems through malware, botnets, and denial-of-service attacks, a new report warns
By TWV Team
Kenya’s banking sector is losing an estimated Ksh20 billion annually to cybercrime, according to the Financial Sector Stability Report 2024, which reviews industry developments over the past year and the first half of 2025.
A stress test conducted in May to assess the sector’s resilience to cyber losses revealed that attacks are largely attributed to malware, web applications, botnet/Distributed Denial of Service (DDoS), and system vulnerabilities or misconfiguration.
The report, compiled by the Central Bank of Kenya (CBK) in collaboration with the Capital Markets Authority (CMA), the Insurance Regulatory Authority (IRA), the Retirement Benefits Authority (RBA), and the Sacco Societies Regulatory Authority (SASRA), notes that investment in cyber defences can reduce both the probability of successful attacks and the costs associated with restoring services.
“Using historical data, it is estimated that the probability of a successful cyber-attack is 5 percent with two standard deviations. Successful attacks result in higher operational costs to restore services and reduced revenue due to distributed denial of service disruptions. The estimated losses are Ksh32.8 million under the baseline scenario, Ksh2.1 billion under a moderate scenario, and Ksh2.9 billion under a severe scenario. Such losses may lead to a decline in capital, with some banks failing the test by falling below the required minimum,” the report states.
It further observes: “Cyber risk has become one of the largest concerns for insurers, with the increasing frequency and sophistication of attacks. The growth of digital transformation, widespread use of advanced technologies, and the rising value of data and intellectual property expose businesses to multiple cyber threats.”
The report recommends closer monitoring of banks to strengthen their cybersecurity frameworks and mitigate these risks. The May 2025 stress test also assessed the potential impact of rising Non-Performing Loans (NPLs), the new core capital requirement of Ksh3.0 billion, and the materialisation of cyber-attacks on banks’ core capital by December 2025.
“This annual stress test evaluated the banking sector’s resilience to hypothetical yet plausible shock scenarios. The shocks were calibrated to reflect prevailing economic conditions, including a significant decline in new lending amid rising NPLs, as banks tighten their lending standards, and the recent increase in core capital from Ksh1 billion to Ksh3 billion by December 2025. The impact is measured in terms of capital shortfall, additional capital required to meet regulatory minimums, and the number of banks at risk of falling short if these scenarios materialise,” the report explains.
The findings conclude that operational risk has increased, as demonstrated by the growing frequency and scale of cyber-attacks, which threaten bank operations and earnings.