Kenyan businesses are facing an escalating wave of cyber threats, with experts and government agencies urging immediate action to address software vulnerabilities and enhance digital security. The call comes amidst a significant increase in detected cyber incidents, posing substantial risks to the nation's rapidly digitising economy.

The Communications Authority of Kenya (CA) reported a staggering 2.54 billion cyber threat incidents between January and March 2025, marking a 201.7% increase from the previous quarter. This surge highlights the urgent need for robust cybersecurity measures across all sectors. In 2023 alone, Kenya lost an estimated KES 10.7 billion (approximately USD 83 million) to cybercrime, positioning it as one of the most affected countries in Africa.

Historical and Political Context

Kenya has progressively strengthened its cybersecurity framework in response to the evolving threat landscape. The Computer Misuse and Cybercrimes Act (CMCA) of 2018 provides a legal foundation for addressing cyber-related offences, aiming to protect computer systems, data, and facilitate the investigation and prosecution of cybercrimes. This Act criminalises activities such as cyberespionage, data breaches, computer fraud, and identity theft.

Further reinforcing this commitment, the Government of Kenya launched the National Cybersecurity Strategy (2022-2027) on Thursday, August 5, 2022. This strategy outlines a roadmap to tackle emerging cyber threats through established governance structures, strong policy frameworks, protection of critical information infrastructure, and the development of a skilled cybersecurity workforce.

Laws, Policy, and Governance

The National Cybersecurity Strategy 2022-2027 is anchored on six main pillars, including enhancing institutional frameworks, strengthening legal and regulatory frameworks, protecting Critical Information Infrastructure (CII), building capacity, minimising cyber risks and crimes, and fostering cooperation. The strategy also aligns with the Cybersecurity Master Plan for Africa (CMCA) 2018.

Recent legislative developments include the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024. These regulations aim to streamline cybersecurity efforts by establishing a National Cybersecurity Operation Centre (NSOC) and enhancing reporting mechanisms for cybercrimes.

Stakeholders and Testimonies

The National Computer and Cybercrimes Coordination Committee (NC4), established under the 2018 Act, plays a crucial role in coordinating cybersecurity efforts across 11 government agencies. The National Kenya Computer Incident Response Team – Coordination Centre (KE-CIRT/CC), overseen by the Communications Authority of Kenya, is responsible for detecting, protecting, and responding to cyber threats.

David Mugonyi, Director General of the Communications Authority of Kenya, acknowledged that many attacks target system vulnerabilities, often due to insecure Internet of Things (IoT) devices, outdated software, and emerging technologies like Artificial Intelligence. He emphasised the need for localised solutions to address threats specific to Kenya and the region.

Evidence and Data

A significant portion of cyberattacks in Kenya, 97.3% of incidents in Q1 2025, exploit known vulnerabilities in unpatched software. This highlights a critical weakness, as many businesses, particularly small and medium-sized enterprises, still rely on outdated operating systems and applications. For instance, over 40% of Point-of-Sale (POS) software in Kenyan retail businesses is more than five years old, lacking crucial security updates.

Phishing attacks, ransomware, and malware remain prevalent threats. Email is a common vector for malicious file delivery, accounting for 70% of attacks in a recent period. Poor credential management and weak passwords also contribute significantly to successful cyber intrusions.

Risks and Implications

The economic implications of cyber threats are profound, leading to increased costs for cybersecurity measures, potential data breaches, and erosion of consumer trust. High-profile incidents, such as the KES 179 million stolen from Equity Bank customer accounts in April 2024 and a ransomware attack on Naivas supermarket, demonstrate the severe financial and reputational consequences for businesses.

Beyond financial losses, cyberattacks can disrupt critical services and undermine investor confidence, hindering economic growth. The Data Protection Act of 2019 also imposes significant penalties for data breaches, making robust cybersecurity crucial for compliance.

Timeline and Next Steps

The Government of Kenya launched its National Cybersecurity Strategy (2022-2027) on August 5, 2022. The Computer Misuse and Cybercrimes (Amendment) Bill, 2024, is currently moving through Parliament. This bill proposes expansions to the 2018 Act, including granting the National Computer and Cybercrimes Coordination Committee (NC4) authority to block websites and applications promoting illegal activities. Draft cybercrime and computer misuse regulations are also nearing completion and are expected to be tabled for public participation.

What to Watch

Stakeholders are keenly watching the progress of the Computer Misuse and Cybercrimes (Amendment) Bill, 2024, particularly concerns raised by digital rights groups regarding potential government overreach and limitations on free speech. The implementation of the National Cybersecurity Strategy 2022-2027 and the effectiveness of new regulations in mitigating the escalating cyber threats will be critical. Businesses should prioritise regular software updates, employee cybersecurity training, and the adoption of robust security solutions to safeguard their operations in Kenya's evolving digital landscape.