Surveying Cybersecurity Readiness of SACCOs in Kenya


The World Council of Credit Unions’ (WOCCU) Technology and Innovation for Financial Inclusion (TIFI) project, funded through USAID’s Cooperative Development Program (CDP), partnered with the Kenya Union of Savings and Credit Cooperatives (KUSCCO) and IRNet Coop Kenya (ICK) Limited to assess 18 savings and credit cooperatives (SACCOs) in Kenya, studying their current cybersecurity strategies and their experiences with cyber risks.

The survey, conducted between April and May 2020, uncovered some interesting findings:

    • five SACCOs reported having experienced a cyberattack in the past, with four of these five reporting that they had no system for transaction monitoring;
    • eight cases where SACCOs did not have a digital transformation strategy;
    • five cases where there was no cybersecurity policy; and
    • nine cases where there was no budget allocated to cybersecurity priorities.

These findings are in line with an earlier survey completed in 2018 by Serianu Ltd., which found that 97% of SACCOs in Kenya spend less than USD 10,000 a year on cybersecurity. As alarming as this finding is, it reflects broader under-investment in cybersecurity in Kenya: Serianu found that only 7% of Kenyan companies across the 12 sectors surveyed in 2017 spent more than USD 10,000 a year on cybersecurity.


Challenges Identified By SACCOs

If cybersecurity is known to be an integral part of any digital transformation strategy, why is investment in cyber-secure systems lagging behind investment in other key areas?

1. Prohibitive Costs

In the survey completed by the TIFI team, many SACCOs indicated that their major cybersecurity concerns are the high cost of acquiring and maintaining ICT hardware and software and the dynamic nature of cyberattacks. They added that they are unable to keep up with these changes, and that the situation is made worse by limited human resource capacity to handle threats as they emerge. Additionally, the absence of critical policies and procedures leads to the ineffectual implementation of digital technologies, which in turn causes operational and technical inefficiencies and associated financial costs that are difficult to manage down the road.


2. Lack of Innovation

The survey suggested that the cybersecurity gaps could be symptoms of a larger problem. As an IT manager at one of the SACCOs pointed out, “SACCOs are not innovative! The benchmarking culture has changed to the copy-paste culture.” He laments the failures of the learning and collaboration efforts among SACCOs “that have brought with them many avoidable problems.” He recommends that solutions be customized to fit unique situations and that information sharing be increased across the extensive SACCO network, not only in Kenya but around the globe.

WOCCU’s Digital Transformation Lab (DTL) is actively seeking to promote the lessons learned from credit unions around the world and hopes to be an integral player in promoting best practices from our member network. Please connect with us to share your experiences.


3. Limited Consumer Knowledge

Further, according to the SACCOs, many members lack enough information or knowledge about the cybersecurity landscape and the best practices they should use to protect themselves. Many are unaware of the sophisticated cyberattacks they face, while others do not take simple measures to protect sensitive information, which leaves them open to attack. Some members, due to illiteracy or trust, openly share their personal identification numbers with family members or close associates. For many of the same reasons, members are also susceptible to social engineering and phishing attacks.


How SACCOs are Responding

KUSCCO’s Education and Training Department has already taken a step in the right direction by providing training to SACCOs on building their cyber resilience. During one such training, trainers recommended that SACCOs focus less on the budget and shift their emphasis to understanding the SACCO's needs and its personnel capacity, adding that “cybercrime is a society issue, not a technology issue.” Personnel training and good policies could address some of the challenges SACCOs face. Additionally, WOCCU provided an analysis of three core banking systems and laid out a benchmark for selecting a system that is suited to SACCO needs and is also efficient, secure, fast and cost-effective.

According to IRNet, essential steps towards managing cyberattack incidents include:

  • familiarization with the laws governing data collection and privacy;
  • identification of essential data assets;
  • mapping out virtual or physical threat points;
  • reviewing terms and conditions of contracts with vendors;
  • creating a cybersecurity incident response team and identifying their tasks and responsibilities;
  • enabling automated activity logging and monitoring; and
  • planning primary and secondary communication channels.

Continued Engagement

Core to any digital transformation strategy is the security of the systems that are being implemented. Lack of investment and attention throughout leads to system vulnerabilities, additional costs later in the implementation of new systems, and decreased trust in the financial institution. A well-developed digital transformation strategy should allocate adequate budget for continued testing of the systems and ensure that IT teams are equipped with enough resources to modify those systems to meet new and growing threats. WOCCU looks to continue our engagement with our members as they develop and refine their cybersecurity capabilities. As part of our engagement, we look to you, our partners, to share your experiences, and we encourage you to reach out to our project team and let us know your thoughts. To spur the conversation, we have included some framing questions below. We would love to hear your feedback on these questions and beyond!

  • Does your credit union have a standalone cybersecurity strategy in place? If so, how often is it reviewed and updated?
  • What sort of training do you provide for your staff? Have there been trainings that have been more effective than others? Are there gaps in training that cannot be filled by internal resources?
  • If you have a digital transformation strategy, how is cybersecurity integrated into your plan?
  • Have you experienced a cyberattack or disruption? If so, would you be willing to share details of the attack, how you have responded since, and what lessons you learned from your experience?