Unlocking the Potential of Cybersecurity: Navigating the Computer Misuse and Cyber Crime Regulations 2024

The introduction of the Computer Misuse and Cyber Crime (Critical Information Infrastructure and Cybercrime Management) Regulations 2024 (the Regulations) marks a significant milestone in shaping Kenya's cybersecurity landscape.

Published as Legal Notice No. 44 of 2024, the Regulations have undergone comprehensive review and have now been officially enacted. This enactment aligns with the Constitution, the Statutory Instruments Act of 2023, and Section 70 of the Computer Misuse and Cybercrimes Act 2018 (the Act). These Regulations not only serve to operationalize the existing provisions of the Act but also elevate the role of the National Computer and Cybercrimes Coordination Committee as the primary authority overseeing cybersecurity matters in the country. By fostering collaboration with Cybersecurity Operation Centers, these Regulations aim to fortify cybersecurity defenses and ensure a safer digital environment for all stakeholders. 

Various sectors and entities will fall under the purview of these Regulations, necessitating proactive measures to mitigate cyber threats and protect critical infrastructure. The Regulations have broad implications, including impacting, the general public who will benefit from clearer guidelines on cybersecurity responsibilities and rights. Secondly, owners of critical information infrastructure who oversee critical information infrastructure will be affected as they will be tasked with adhering to stringent security measures and reporting requirements outlined in the Regulations. Thirdly, internet service providers and cybersecurity service providers must align their operations with the Regulations to ensure compliance and enhance the overall security posture of the nation. 

Enhancing Cybersecurity Operations

The Regulations establish Cybersecurity Operation Centers (COC), including the National Cybersecurity Operations Centre (NCOC), Sector Cybersecurity Operations Centres (SCOC) and Critical Information Infrastructure Cybersecurity Operations Centre (CIICOC). These centers will play a pivotal role in monitoring, detecting and investigating cybersecurity threats, providing real-time information and ensuring prompt responses to cyber incidents.

The COC will also be tasked with submitting monthly briefs and annual compliance reports to the committee to evaluate adherence. These briefs will detail cyber risks, threats, and incidents encountered. The NCOC will serve as the primary point for national cybersecurity monitoring and investigation. The SCOC will focus on sector-specific threats and reporting to the national centre and the CIICOC will be responsible for real-time monitoring, detection and investigation of threats to critical infrastructure, reporting to both the national and sector centres.

Critical Information Infrastructure 

Designated under Section 9 of the Act, critical information infrastructure (CII) encompasses systems or data deemed essential for national security and public welfare. A system is classified as CII if its disruption would result in interrupting life-sustaining services such as water supply, health services and energy, adversely affecting the Republic's economy, causing massive casualties or fatalities, disrupting the money market significantly and if severely impacting national security, including intelligence and military operations. 

The Regulations mandate critical information sectors to conduct annual cyber risk assessments and business impact analyses for all activities, products, services, business functions, and processes. Furthermore, every owner of CII must complete a risk assessment within twelve (12) months of the Regulations' commencement to identify and prioritize potential internal and external threats.

Upon designating a system as CII, the Director of the committee must inform the system's owner or operator within seven days, providing reasons for the designation. The Director's directives may require the owner to:

• Conduct annual risk assessments;
• Develop incident response plans;
• Implement suitable security measures; and
• Ensure personnel are adequately trained in security best practices.

The owner may appeal any decisions to the High Court under Section 10 of the Act if dissatisfied with the committee's directives. An owner can apply in writing for a system to be declared as CII, with the Director required to respond within seven days. Any significant changes to CII must be notified to the Director in advance.

Owners of CII must ensure that the infrastructure housing critical information is located within Kenya. Any plans to locate critical information outside Kenya require committee approval, ensuring compliance with security standards. Periodic reviews of cybersecurity awareness programs must be conducted to ensure their adequacy and relevance. A Chief Information Security Officer (CISO) must be appointed by the owner to oversee cybersecurity matters.

Integration with other infrastructures is only permitted if safety standards are met. The Regulations stipulate that CII must always be protected, with access restricted to authorized personnel. A backup system must be maintained to ensure information retrieval in case of loss.

Mandatory Requirements

Firstly, owners of CIIs must conduct comprehensive annual cyber risk assessments and business impact analyses, meticulously scrutinizing all facets of their CII to identify potential vulnerabilities and prioritize risk mitigation strategies. They will be obligated to implement robust security measures tailored to safeguard their CII, encompassing the development and implementation of incident response plans, and the provision of adequate training to personnel in adherence to established security protocols. 

They must annually formulate, review and update organizational policies, procedures and codes of practice to safeguard CII. This includes specifying storage and archiving procedures and sharing data within the organization. Licensed operators of international or national internet gateways must comply with cybersecurity standards and provide safety compliance reports upon request. They must report any traffic congestion or suspicious activities to the committee, detailing causes and solutions. Timely reporting of cybersecurity incidents is essential, with owners of critical information infrastructure mandated to notify relevant authorities within twenty-four (24) hours of detection. Enhanced penalties for cybercrimes underscore the seriousness with which such offenses are viewed. Non-compliance may result in the committee recommending the restriction, suspension, or revocation of the operator's license in consultation with the sector regulator. To ensure compliance, organizations are required to formulate, review and update organizational policies and procedures regularly. Licensed operators of internet gateways are obligated to comply with cybersecurity standards and report compliance to regulatory bodies, with penalties imposed for non-compliance. 

Further, the Regulations emphasis on the implementation of the Data Protection Act 2019, when processing of personal data under the Act. Non-compliance with the Data Protection Act, 2019 in Kenya may result in fines of up to KES five (5) million or one (1%) percent of an entity's annual turnover, and individuals responsible may face imprisonment for up to two years. Additionally, the Data Protection Commissioner can impose administrative sanctions, including enforcement notices and suspension of data processing activities.

The Regulations herald a new era in combating cybersecurity threats in Kenya. By instituting robust regulatory frameworks and fostering collaboration between stakeholders, these Regulations aim to bolster cybersecurity defenses, reduce cyber incidents and safeguard critical information infrastructure. As your trusted legal advisors, we are committed to helping you navigate these regulatory changes, ensuring compliance and harnessing cybersecurity as a competitive advantage in today's digital landscape.