Kenya’s insurance industry is staring at a regulatory showdown as experts warn that most firms remain dangerously unprepared for new cybersecurity rules requiring all major breaches to be reported within 24 hours.

The Insurance Regulatory Authority (IRA) directive—issued by chief executive Godfrey Kiptum in July 2024—demands that every insurer and reinsurer log any material cyber incident within a day of detection and develop board-approved cybersecurity policies. But industry insiders say many companies lack the systems, skills and coordination needed to comply.

Peter Gitau, chief information officer at Liberty Kenya, says the reforms have fundamentally shifted cybersecurity oversight into the boardroom.

“Cybersecurity is no longer just an IT issue. It’s now the defining measure of trust—and a test of whether an insurer is fit to operate,” Gitau says.

Under the new framework, the 24-hour reporting requirement is triggered by any of the following: disruptions to critical platforms such as claims systems; unauthorised access to, or loss of, customer data; financial losses involving clients or third parties; and ransomware attacks, including those that expose customer records.

Insurers must also file quarterly incident reports within 15 days and update internal cybersecurity policies annually.

Kenya’s cyber threat levels have surged. The Communications Authority of Kenya logged more than 860 million cyber threat events in 2023. Financial-sector breaches cost an average of $5.9 million this year, according to IBM’s Cost of a Data Breach Report.

Gitau says these risks justify IRA’s aggressive stance.

“Cyber threats have evolved into operational risks that affect every institution and individual,” he notes.

The IRA now recommends that boards include at least one director with cybersecurity expertise, placing responsibility for cyber resilience squarely on top leadership.

PwC’s Africa Insurance Outlook 2023 ranks cybersecurity among the continent’s top five insurance sector risks. Yet Gitau warns that the biggest blind spot may be outside insurers’ walls.

Cloud providers, outsourced claims processors and digital onboarding partners all create additional entry points for attackers.

“A single breach in one system can cascade across multiple insurers downstream,” he says.

The rapid rise of artificial intelligence is fuelling a new class of digital fraud. Criminals can now deploy deepfakes, forged documents and synthetic identities that bypass outdated verification tools.

“For insurers, the priority is stronger fraud detection systems and tighter authentication controls,” Gitau warns. “Teams must be trained to recognise AI-driven manipulation.”

He adds that policyholders now expect seamless digital service but zero compromise on data safety.

“When that trust is broken, no press release can fix it. Immediate, transparent communication after a breach is now part of core fiduciary duty,” he says.

IRA also urges insurers to run regular phishing simulations, strengthen data backups and train their entire staff in cyber hygiene.

Gitau cautions that one high-profile breach could shatter public confidence across the insurance sector.

“Sharing incident data, conducting joint drills and embracing transparent reporting will lift the whole industry,” he says.

He argues that the new regulations support Kenya’s Vision 2030 ambition of building a resilient, tech-driven financial sector.

“Without secure systems, those ambitions are at risk,” he says, adding that future industry leadership will be defined by preparedness—not luck.

“The firms that weave cybersecurity into strategy will set the standard for responsible governance in this era,” Gitau says.