Kenya’s Insurance Regulatory Authority (IRA) has introduced mandatory cybersecurity reporting requirements. Insurance companies must now report major cyber attacks within 24 hours of detection and develop comprehensive cybersecurity strategies approved by their boards and the regulator.

As insurers increasingly use digital platforms for customer onboarding and claims processing, they face heightened cybersecurity risks. The regulator has shifted cybersecurity from an IT department concern to a boardroom responsibility.

Under the new guidelines, insurance companies must develop detailed cybersecurity strategies that receive approval from both their boards of directors and the regulatory authority.

This means cybersecurity is now a strategic business imperative requiring executive-level oversight, at least for insurance companies.

According to Business Daily, reportable incidents include those causing major disruption to critical services, unauthorized access to sensitive customer data, or financial losses to the insurer, its clients, or third parties.

While major incidents will trigger immediate 24-hour reporting requirements, insurers must also submit quarterly reports tracking all cybersecurity incidents within 15 days of each quarter’s end.

The new rules place ultimate responsibility for cybersecurity governance on boards of directors and senior management. The regulator recommends that boards include at least one member with cybersecurity experience.

This new framework addresses AI-related cyber risks and third-party vulnerabilities. More and more, insurance companies are relying on AI for underwriting, claims processing, and customer service.

As a result, they are inheriting new categories of risk that traditional cybersecurity measures weren’t designed to address.

IRA has emphasized that cybersecurity must become a company-wide responsibility rather than remaining siloed within technology departments.

This implies increased staff training, regular phishing simulations, and robust backup protocols should become standard practice across all levels of the organization.

Cyber attacks on insurance companies can compromise personal and financial information of thousands of policyholders, disrupt claims processing, and erode trust in the insurance relationship.

Unlike other industries where cyber attacks might cause temporary inconvenience, insurance breaches can leave vulnerable individuals without access to critical financial protection.

Companies must reassess their cybersecurity policies at least once per year or whenever significant changes occur in their ICT environment, threat landscape, or regulatory obligations.

This kind of approach will prevent cybersecurity structures from becoming outdated as threat actors constantly adapt their tactics.