Central Bank targets AI and mobile fraud in new cybersecurity push

Kenya's central bank has asked commercial banks to raise their cybersecurity budgets to tackle a growing range of digital threats, including those driven by artificial intelligence, cloud computing, and mobile money fraud, as it moves to revise its existing cybersecurity guidelines.
In a new report, the Central Bank of Kenya (CBK) said the current framework, established in 2017, had become outdated due to the rapid advancement of technology and the emergence of complex cyber risks.
It noted that the revision will focus on areas that were not fully captured in the original guidance, including the growing role of artificial intelligence, machine learning, and application programming interfaces.
CBK observed that most banks currently allocate between Sh2.5 million and Sh600 million annually for cybersecurity.
However, the regulator noted that these allocations are often based on the cost of licensing cybersecurity tools, rather than reflecting the true scale of threats facing the financial system.
“As cyber threats evolve in scale and sophistication, updated guidance from central banks plays a critical role in safeguarding the stability, trust, and integrity of the financial system,” CBK stated in its latest Cybersecurity Survey.
The regulator has now started the process of reviewing and updating the 2017 Cybersecurity Guidance, saying the pace at which new cyber threats are emerging has outpaced the current regulatory approach.
While acknowledging the progress made under the existing framework, CBK stressed the need for more robust measures to match the sector's growing digital exposure.
Findings from the CBK survey, which covered 37 commercial banks and one mortgage finance institution, show that 95 percent of the banks have set aside specific cybersecurity budgets.
However, five percent admitted they operate without a dedicated budget, opting instead to allocate funds as the need arises.
The survey also highlighted that the proposed updates to CBK’s guidance could lead to an increase in banks’ cybersecurity spending, especially as more mandatory compliance requirements are introduced.
Cybersecurity budgets typically cover areas such as licensing fees, staff training, penetration testing, and the setup of Security Operations Centres.
“About one-third of the surveyed banks reported relying heavily on manual monitoring tools, which are often insufficient in detecting real-time threats. CBK’s expected update may push more banks toward adopting automated threat detection and response systems,” the report reads in part.
Financial institutions have called on CBK to ensure that the revised guidelines reflect emerging digital threats, with a focus on securing modern technologies now at the core of banking operations.
These include cloud platforms, artificial intelligence systems, and APIs—tools that are increasingly critical in digital finance.
Banks are also urging the regulator to address gaps in the current framework by including areas such as cyber risk insurance, enhanced controls to prevent mobile money fraud, and stronger data protection and privacy measures.
They further want CBK to introduce a threat intelligence-sharing mechanism that allows for anonymous exchange of information between institutions to strengthen collective defence.
Mobile money services, which have become central to Kenya’s financial ecosystem, were flagged as a growing concern due to increased cases of fraud.
Financial leaders argue that improved detection tools and updated regulatory requirements will enhance the sector’s resilience and offer greater protection to customers in the face of escalating digital risks.