25 Oct, 2025

CYBERSECURITY RISKS AND INSURANCE IN KENYAN SMES

Executive Summary

Kenyan businesses face rapidly growing cyber threats. The Communications Authority (CA) reported a 943% quarterly surge in detected cyber threat events (from 123 million to 1.29 billion) between Q3 and Q4 of 2023. High-profile attacks – such as the LockBit ransomware hacking Jubilee Insurance (exfiltrating 662 GB of data) and Medusa targeting Kenya Airports Authority – underscore the danger. Phishing and malware attacks also persist (Kaspersky found 8.4% of Kenyan users hit in 2022).

In response, Kenyan insurers now offer dedicated cyber insurance products covering both first-party losses (e.g., data restoration, business interruption, cyber extortion) and third-party liabilities (e.g., data privacy breaches, regulatory fines). Major insurers – including Britam, Jubilee, AAR, Apollo (APA) and multinational carriers like AIG (Kenya) – market these covers.

Nevertheless, uptake remains very low: a Marsh survey reports only ~10% of African businesses carry cyber insurance (vs ~30% in Europe), and Kenyan adoption is similarly minimal, limited mainly to large corporations and financial/tech firms. Key barriers include low awareness and understanding, perceived high premiums, limited actuarial data for pricing, and restrictive policy conditions.

Insurers are reacting by innovating: for example, offering bundled policies or risk-management services (breach response teams, system audits), and rewarding good cyber hygiene with better terms. Regulators are also active: Kenya's Data Protection Act (2019) imposes stringent data-handling and breach-notification rules, and the Insurance Regulatory Authority (IRA) is conducting outreach (e.g., Bima Mashinani campaigns) to raise insurance awareness.

In summary, Kenya's cyber threat landscape is intensifying, the insurance market is nascent, and coordinated action by businesses, insurers and regulators is needed to manage cyber risk.

Introduction and Background

Kenya is a rapidly digitalizing economy – with tens of millions of mobile and internet users – making it a regional ICT hub. With this growth has come rising cyber risk: fraud, data breaches, ransomware and online scams are increasing both globally and in Africa. According to industry reports, Africa now faces the highest attack rates worldwide, averaging 1,848 cyberattacks per week per organization.

In Kenya, the Communications Authority (which houses the national Cyber Incident Response Centre, KE-CIRT/CC) has documented an exponential rise in cyber incidents. The CA's 2023 report notes that most detected threats exploit system vulnerabilities and misconfigurations, matching global trends in malware and ransomware use.

For example, Kenya's financial and critical infrastructure sectors have seen targeted attacks: in March 2023 the LockBit ransomware gang breached Jubilee Insurance, exfiltrating hundreds of gigabytes of data, and the Medusa group hit the Kenya Airports Authority demanding a KSh 67M ransom. Phishing remains a common threat vector – a 2022 study found 8.4% of Kenyan corporate users were hit by phishing schemes – while fraudsters also exploit mobile money platforms and supply-chain vulnerabilities (as seen globally in incidents like SolarWinds).

Kenya's legal framework is evolving: the Computer Misuse and Cybercrimes Act (2018) and the multi-agency coordination body it established (NC4) aim to prosecute cybercriminals, while the Data Protection Act (2019) and its Office of the Data Protection Commissioner (ODPC) impose strict rules on personal data security. These regulations increase the stakes for businesses: data breach fines and compliance obligations can be severe.

Recognizing this, both large and small enterprises are considering cyber insurance as a complement to technical safeguards. Cyber insurance transfers financial risk of cyber incidents, covering costs such as forensic investigation, legal fees, ransoms, and liability claims. However, Kenya's cyber insurance market is still in early stages: while some insurers have launched products and private-sector uptake is growing, much of the market remains untapped, especially among SMEs. This report examines current cyber risk trends, the insurance products available, adoption patterns and challenges in Kenya, insurer responses, and regulatory factors influencing the market.

Data and Analysis

Cyber Risk Trends

Recent data show Kenya's cyber threat environment is intensifying. The CA's 32nd quarterly cybersecurity report (Oct–Dec 2023) recorded 1.29 billion threat events – nearly 10 times the 123 million events from the prior quarter. This surge is attributed to enhanced monitoring and rampant exploitation of system weaknesses (e.g., unpatched software and insecure IoT devices). Attack vectors in Kenya include:

  • System/Misconfiguration attacks: The vast majority of detections (≈1.27 billion events) were system-level exploits, reflecting attackers scanning for known vulnerabilities.
  • Malware and Ransomware: Over the same quarter, malware attacks numbered ~13.2 million. Kenyan firms report increasing ransomware extortion attempts. Beyond Jubilee, other organizations (public and private) have reported or experienced ransomware locks and data theft.
  • Brute-force and Bot Attacks: Nearly 10 million brute-force login attempts were detected, indicating credential stuffing and login hacks are prevalent.
  • Phishing and Social Engineering: While CA detection focuses on automated threats, independent studies highlight pervasive phishing: Kaspersky found ~8.4% of Kenyan users (individuals and businesses) encountered phishing in 2022, a rate comparable to regional peers. SMEs in Kenya are especially vulnerable to spear-phishing and business-email compromise, often lacking robust anti-phishing defenses.
  • Emerging Threats: Global trends such as supply-chain attacks and nation-state campaigns also pose risks to Kenyan organizations. For example, third-party service breaches (notably in cloud or software supply) could indirectly impact Kenyan firms that rely on international IT providers. While no major Kenyan supply-chain incident has been publicly reported, the risk is acknowledged by security experts.

These cyber threats carry significant potential losses. A mid-size Nairobi retailer reported a $150,000 loss from a 2021 breach (legal costs, compensation, and sales drop). More generally, Kenya's broad attack surface – including banks, telecoms, mobile money, healthcare, and government services – means that a severe attack on one entity (as with the July 2023 eCitizen portal DDoS incident) can have cascading effects on trust and business continuity.

Cyber Insurance Products in Kenya

Kenyan insurers now offer various cyber risk insurance products, typically separating first-party from third-party coverage:

  • First-Party Coverage: Protects the insured's own losses from a cyber incident. Common features include data restoration costs, business interruption (BI) compensation, and cyber extortion (ransomware) cover. For example, Britam's policy explicitly covers "loss or damage to electronic data" and business interruption net profit losses caused by a cyber-event. AIG Kenya's CyberEdge plan likewise provides funds to restore or recreate lost data and pay ransoms if needed. These policies often include breach notification expenses and public relations/forensics to manage an incident.
  • Third-Party Liability Coverage: Covers the insured's legal liabilities to others. This includes privacy/network security liability (claims by customers or partners over exposed personal data), media/technology liability (e.g., IP infringement or defamatory content posted by an employee), and regulatory fines. Britam's brochure, for instance, lists "network security & privacy liability" and "media liability" as key coverages. AIG's CyberEdge explicitly covers "costs of a data protection regulator's investigation and fines" following a breach, reflecting the new obligations under Kenya's DPA.
  • Incident Response Services: Many cyber policies bundle advisory and response services at no extra premium. These can include access to forensic experts, legal counsel, crisis PR teams, and breach coaches to guide companies during an attack. AIG describes a 24/7 Breach Response Team for clients, providing technical and legal help to "respond in a crisis" and manage reputational fallout. Such service add-ons are now common selling points.

Major Kenyan insurers offering these products include Britam, Jubilee Insurance, APA Insurance, ICEA Lion, CIC, and AAR Insurance, among others. International insurers also underwrite cyber policies in Kenya: AIG (Kenya) sells CyberEdge, and global reinsurers (e.g., Africa Re, Munich Re) support local carriers. For example, Britam (a local firm listed on the NSE) markets comprehensive cyber cover in its policy materials, and brokers like Kenbright or Dawit have advertised similar liability and first-party packages. In summary, Kenyan cyber insurance products mirror global norms, covering data loss, BI, extortion, and liability – but are relatively new to the market.

Adoption Trends

Quantifying cyber insurance uptake in Kenya is difficult due to limited public data. However, regional and industry indicators suggest low penetration, especially among small businesses. A recent Marsh Africa survey found only about 10% of African businesses carry cyber insurance, far below rates in developed markets (≈30% in Europe, 40% in the U.S. according to the same report). Global surveys indicate that large firms (those with >$1B revenue) and mid-sized companies in developed countries often purchase cyber cover – Sophos reports over 90% of medium enterprises surveyed had some cyber insurance – but such figures do not generalize to Kenya.

Available evidence implies Kenyan uptake is mostly confined to large corporations and sectors with high cyber awareness. For example, major banks, telecoms, and fintech companies are increasingly insuring cyber risk as part of enterprise risk management (and sometimes to meet contractual or regulatory requirements). Anecdotal accounts suggest a few multinationals and corporates (including some NGOs and international firms in Nairobi) have policies.

In contrast, SMEs (defined as micro, small or family-run businesses) rarely hold standalone cyber policies; most rely on generic business insurance with no specific cyber cover, or they simply assume they are too small to be targeted. One local insurance broker notes that Kenyan SMEs often lack any digital risk assessment, and when approached, question the value of cyber insurance, citing cost concerns.

In the absence of Kenyan statistics, regional adoption figures are a useful proxy. Marsh and industry reports imply that cyber insurance is an emerging niche in Kenya: growing from virtually zero a few years ago to perhaps only a few hundred policies today across all carriers (mostly tailor-made commercial products). Many Kenyan insurers themselves acknowledge the market is nascent. Neither the AIF (African Insurers Federation) nor Kenyan market surveys (if any) have reported sizeable volumes for cyber lines.

Key Market Challenges

Kenya's cyber insurance market faces several structural challenges:

  • Low Awareness and Understanding: Many Kenyan businesses do not appreciate their cyber exposures. A guest analysis on citizen.digital notes that "majority of businesses are not aware of their level of exposure to cyber risks". With limited cyber training and risk culture in many companies, especially SMEs, decision-makers often overlook cyber threats. This keeps demand muted.
  • Perceived High Costs: Even when aware, businesses often view premiums as unaffordable or unjustified. The same analysis points out that many see cyber insurance as "too expensive or an unnecessary expense". Premiums can indeed be steep for smaller firms, given the insurers' limited data and conservative pricing. Without competitive pricing or subsidies, uptake among smaller businesses remains low.
  • Limited Actuarial Data: Insurers globally struggle with sparse loss experience in emerging markets. Kenya has no long track record of cyber claims to inform pricing. Insurers often rely on global data or analogies (e.g., policy limits in advanced markets) to underwrite, which may not reflect local realities. The lack of local loss statistics means insurers remain cautious, often requiring high deductibles or excluding certain losses.
  • Policy Exclusions and Conditions: Typical cyber policies worldwide exclude "acts of war" (including nation-state cyberattacks) and sometimes have carve-outs (e.g., no cover if controls were grossly inadequate). It is unclear how these apply in Kenya's context (e.g., attacks allegedly linked to geopolitical events). Additionally, insurers may impose strict pre-conditions (like up-to-date patching, firewalls, or ISO 27001) for coverage. For many Kenyan firms, especially those with legacy systems, meeting these conditions is difficult and can deter purchases.
  • Complex Underwriting Process: Acquiring cyber insurance often involves detailed surveys of IT security, which many businesses are unprepared for. Brokers note that the "process of acquiring cyber insurance can be lengthy and complicated". Documentation and compliance steps may overwhelm SMEs, creating friction for insurers.
  • Supply of Suitable Products: While standard cyber products exist, specialized needs are underserved. For example, banks or telcos may need bespoke contingent covers, and rising trends (like social engineering fraud) may not be fully addressed by existing wordings. Limited competition in Kenya (few insurers offering cyber lines) also constrains innovation.

These challenges – low demand, high uncertainty and product gaps – have kept Kenya's cyber insurance market small. However, both regulators and insurers are keen to expand it, as they recognize its role in overall cyber resilience.

Key Findings

  • Escalating Threats: Kenyan businesses face rapidly increasing cyber risk. The national cyber incident data show an explosive growth of detected attacks. High-impact breaches (e.g., Jubilee and KAA in 2023) and ongoing waves of phishing and ransomware signal a mature threat landscape. Without stronger controls and risk transfer, Kenyan firms are vulnerable to potentially catastrophic losses.
  • Available Coverage: A range of cyber insurance products exists locally. Insurers now market policies covering data loss, ransomware/extortion, business interruption and both first-party and third-party liabilities. Kenyan offerings closely resemble international standards: for example, Britam's cyber policy includes network security/privacy liability and extortion cover, and AIG's policy covers regulator fines and data restoration. In some cases, cyber cover is sold standalone; in others it may be bundled as an endorsement on commercial liability or property policies.
  • Low Uptake: Despite product availability, adoption remains very low in Kenya. Market estimates and surveys suggest only a small fraction of businesses hold cyber insurance. Marsh Africa reports ~10% of African firms are insured (much lower than 30–40% in developed regions). Global studies indicate high penetration in developed markets (e.g., Sophos found ~90% of mid-sized companies had coverage), highlighting the gap in Kenya. Adoption is skewed toward larger firms and certain sectors (finance, telecoms, large manufacturing), whereas most SMEs have no cyber policy.
  • Multiple Barriers: Key inhibitors include awareness and education (many firms simply don't recognize cyber risk) and cost/perceived value (premiums are seen as high for uncertain benefits). Underwriters also face data scarcity, leading to cautious pricing. The regulatory context (e.g., stringent Data Protection Act requirements) adds potential liabilities but also complexity. Additionally, policy terms often have restrictive conditions. These factors collectively slow market growth.
  • Insurer Initiatives: Kenyan insurers are responding by product innovation and service offerings. For instance, many carriers now offer bundled cyber response services – forensic experts, legal and PR support – as part of the policy. Insurers are also adopting a "carrot-and-stick" approach seen internationally: they encourage or require minimum security controls (firewalls, MFA) to qualify, while rewarding good practices with lower premiums or higher limits. Some insurers and brokers are partnering with cybersecurity firms to offer risk assessment tools. Additionally, there are moves to bundle cyber cover with other lines (e.g., combining cyber liability with directors & officers or professional indemnity insurance for tech firms).
  • Regulatory Support and Challenges: The regulatory environment is gradually raising the profile of cyber risk. Kenya's Data Protection Act (2019) enshrines data security obligations and breach-notification rules. The IRA has explicitly incorporated data privacy into its insurance conduct guidelines. Moreover, the IRA's public campaigns (e.g., "Bima Mashinani") and partnerships aim to improve overall insurance literacy, which can indirectly benefit cyber insurance uptake. On the other hand, regulators do not yet mandate cyber coverage; the Insurance Act lacks specific cyber provisions. Ongoing efforts (e.g., national cybersecurity strategy) may in future influence firms to adopt comprehensive risk management, of which insurance is a part.

In summary, Kenya's cyber insurance market is evolving: threats are severe and growing, products are emerging, but many businesses remain uninsured. Overcoming the knowledge gap and pricing/data hurdles will be critical to expand coverage and enhance cyber resilience.

Recommendations

For Businesses:

  1. Assess Risks and Train Staff. Conduct regular cybersecurity risk assessments (using frameworks like ISO 27001/NIST) to identify vulnerabilities. Train employees in cyber hygiene: phishing awareness, strong password management and multi-factor authentication.
  2. Implement Controls and Response Plans. Strengthen IT defenses (patching, firewalls, endpoint security) and develop an incident response/continuity plan. Ensure data is backed up offline or on segregated networks to mitigate ransomware impact. As one expert notes, companies should have a cyber incident response plan integrated into their disaster preparedness.
  3. Consider Cyber Insurance. Treat cyber insurance as part of risk management. Even SMEs can benefit from basic cover (e.g., for data loss or legal costs) at a modest cost. Engage with insurance brokers to understand policy terms; ensure any chosen policy matches the firm's risk profile (scope of cover, limits, deductibles). Cyber insurance can facilitate faster recovery (financing for recovery costs) and offer access to incident response experts. As cyber threats rise, having insurance is increasingly prudent.
  4. Maintain Compliance. Under Kenya's Data Protection Act, breaches can lead to fines. Businesses should ensure compliance with the Act (and sector-specific ICT regulations) by securing personal data. Demonstrating good security practices can also help in negotiating favorable insurance terms.

For Insurers:

  1. Awareness and Education Campaigns. Lead outreach to business communities (especially SMEs) about cyber risk and insurance benefits. Use seminars, online content and partnerships with trade associations to demystify cyber cover. Simplify product language and underwriting questionnaires to encourage uptake.
  2. Product Innovation and Pricing. Develop scalable products for different market segments. For SMEs, consider smaller limits, higher deductibles or parametric triggers (e.g., pay-out on confirmed breach rather than loss-based) to lower premiums. Bundle cyber coverage with popular lines (e.g., business package policies) to introduce more firms to cyber protection.
  3. Value-Added Services. Strengthen the value proposition by including cybersecurity services in policies: free vulnerability scans, risk workshops, or hotline access to experts. Insurers should market these services prominently, as they both improve client security and reduce claim costs. AIG's model of 24/7 breach response teams and PR coaching is an example to emulate.
  4. Data and Partnerships. Work with regulators, industry groups or international partners to collect and share anonymized cyber-claim data, building a local actuarial base. Partner with global cyber reinsurers (Africa Re, Munich Re, etc.) and insurtechs to leverage best practices and risk models for the Kenyan context.
  5. Underwriting Incentives. Continue the "carrot-and-stick" approach: require or verify that insureds maintain certain security controls, and then offer premium discounts or higher limits for demonstrably mature security programs. This will gradually raise security standards and stabilize loss ratios.

References

  • Communications Authority of Kenya, Cyber Security Report Q2 2023-24.
  • Musalia, W., "Medusa Hackers Demand Over KSh 67m Ransom…Jubilee Insurance Hack," TUKO Business (Apr 2023).
  • Marucha, J., "Cyber insurance – A must-have for businesses in Africa," Citizen Digital (Feb 2024).
  • PwC Kenya, Regulatory Alert: Data Protection in the Insurance Industry (Apr 2021).
  • IRA urges public to take up insurance cover to mitigate risk, Kenya News Agency (Jan 2025).
  • Britam Kenya, Cyber Insurance Brochure (2023).
  • AIG Kenya, CyberEdge Insurance product page.
  • Serianu Ltd., Africa Annual Cybersecurity Report – Kenya 2023 (abridged).
  • Risk & Insurance (2024), "Cyber Insurance Provides Both Carrot and Stick for Cyber Security".
  • Step By Step Insurance (Nov 2024), "How Small Businesses in Kenya Benefit from Cyber Insurance".