As the country prepares for the Jamhuri Day celebrations and the subsequent end-of-year holidays, the Sacco Societies Regulatory Authority (SASRA) has issued a high-priority alert to all regulated SACCOs, warning of a “heightened risk” of cyber-security breaches targeting members’ data and funds.
In a circular dated December 8, 2025, addressed to the Chief Executive Officers of all regulated societies, SASRA Acting CEO CPA David Sandagi flagged the upcoming long weekends as high-risk periods for digital fraud.
Citing periodic cyber-threat analysis and intelligence monitoring, the regulator revealed a specific pattern in how cybercriminals operate within the sector. According to SASRA, historical data consistently demonstrates that the majority of breaches occur during long-weekend public holidays.
The Authority pinpointed the exact timeframe when systems are most vulnerable:
- The pre-holiday window: the last 12 hours before a long weekend begins.
- Silent hours: late evening and early night hours throughout the holiday period.
“The Authority therefore calls upon all DT-SACCOs and Regulated Non-WDT-SACCOs to strengthen surveillance, monitoring, and response mechanisms across their Management Information Systems,” said CPA Sandagi in the notice.
Specific Dates of Concern
SASRA has directed SACCOs to be on high alert during the following specific periods:
- Jamhuri Day long weekend: Friday, December 12, 2025, to Sunday, December 14, 2025.
- Christmas long weekend: Thursday, December 25, 2025, to Sunday, December 28, 2025.
- New Year long weekend: Friday, January 1, 2026, to Sunday, January 3, 2026.
Vulnerable Channels and Third-Party Risks
The advisory identifies specific digital channels that are “highly pre-disposed” to attacks. These include ATMs, mobile money channels, internet banking, and web-based applications.
Of particular concern are SACCOs operating “Pay Bill float accounts” that are reachable through third-party vendor systems (bridges), and those offering digital credit products. The regulator warned that these institutions are exposed to breaches through those third-party systems, since a compromise of the vendor's integration layer gives an attacker a path to the float.
SASRA has mandated that SACCOs and their vendors deploy 24/7 cyber-security monitoring solutions. Crucially, the regulator emphasized the need for human intervention, requiring “appropriate human resource response mechanisms” to detect and disrupt intrusions in real-time, rather than relying solely on automated software.
Beyond external hackers, SASRA has warned societies to look inward. The circular instructs SACCOs to institute round-the-clock internal controls to prevent “insiders (employees) from colluding with third parties” to commit fraud.
Management has been urged to pay special attention to:
- Electronic linking of members’ FOSA savings accounts to mobile phone numbers.
- Linkages of mobile numbers to funds held in mobile money wallets or float accounts.
- Unusual fund transfers originating from third-party financial institutions into SACCO Pay Bills.
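The time windows the circular defines and the three linkage and transfer patterns it asks management to watch lend themselves to a simple rule set. The script below is an added illustration for this article, not SASRA's, a SACCO's or any vendor's code: the long-weekend dates and the 12-hour pre-holiday window are taken from the circular as reported above, while the CSV event format, the event names (LINK_PHONE, PAYBILL_CREDIT, FLOAT_DEBIT, WITHDRAWAL), the 20:00 to 03:00 definition of "silent hours", the KES 500,000 float-debit threshold, the counterparty allow-list and the sample log lines are all constructed assumptions. It classifies each event's timestamp into a risk window and raises alerts that a human responder, rather than the software alone, is meant to act on.

```python
import csv
import io
from datetime import datetime, timedelta

# Long weekends named in the circular: (label, first day, last day), dates inclusive.
LONG_WEEKENDS = [
    ("Jamhuri Day", datetime(2025, 12, 12), datetime(2025, 12, 14)),
    ("Christmas", datetime(2025, 12, 25), datetime(2025, 12, 28)),
    ("New Year", datetime(2026, 1, 1), datetime(2026, 1, 3)),
]
PRE_HOLIDAY = timedelta(hours=12)       # "last 12 hours prior to the commencement"
SILENT_START, SILENT_END = 20, 3        # assumption: 20:00-03:00 are the "silent hours"
FLOAT_DEBIT_THRESHOLD = 500_000         # assumption: KES amount that warrants a human look
KNOWN_COUNTERPARTIES = {"BRIDGE-VENDOR-A", "ATM-12"}  # constructed allow-list of integrators


def risk_window(ts):
    """Classify a timestamp as ('pre-holiday'|'silent-hours'|'holiday', label) or None."""
    for label, first, last in LONG_WEEKENDS:
        end = last + timedelta(days=1)  # exclusive end of the long weekend
        if first - PRE_HOLIDAY <= ts < first:
            return ("pre-holiday", label)
        if first <= ts < end:
            if ts.hour >= SILENT_START or ts.hour < SILENT_END:
                return ("silent-hours", label)
            return ("holiday", label)
    return None


def evaluate(row, window):
    """Return an alert reason for one event that falls inside a risk window, else None."""
    kind, amount = row["event"], int(row["amount"])
    if kind == "LINK_PHONE":
        # Any change to the FOSA-account-to-mobile-number linkage during a window is suspicious.
        return "FOSA account linked to mobile number during risk window"
    if kind == "PAYBILL_CREDIT" and row["counterparty"] not in KNOWN_COUNTERPARTIES:
        return "Pay Bill credit from unrecognised third-party institution"
    if kind == "FLOAT_DEBIT" and amount >= FLOAT_DEBIT_THRESHOLD and window[0] != "holiday":
        return "large float debit via vendor bridge in pre-holiday or silent hours"
    return None


def scan(log_text):
    """Parse CSV event lines and return the alerts a human responder should act on."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        window = risk_window(ts)
        if window is None:
            continue  # outside the circular's windows; normal monitoring applies
        reason = evaluate(row, window)
        if reason:
            alerts.append({"ts": row["ts"], "account": row["account"],
                           "window": window[0], "holiday": window[1], "reason": reason})
    return alerts


# Constructed sample events, not real SACCO data.
SAMPLE_LOG = """ts,event,account,counterparty,amount
2025-12-11T14:05:00,LINK_PHONE,FOSA-10021,+254700000001,0
2025-12-11T09:30:00,LINK_PHONE,FOSA-10044,+254700000002,0
2025-12-13T23:40:00,PAYBILL_CREDIT,PAYBILL-400200,EXTFI-77,1250000
2025-12-13T11:15:00,FLOAT_DEBIT,FLOAT-001,BRIDGE-VENDOR-A,80000
2025-12-14T01:10:00,FLOAT_DEBIT,FLOAT-001,BRIDGE-VENDOR-A,900000
2025-12-26T15:00:00,WITHDRAWAL,FOSA-10021,ATM-12,20000
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises three alerts: the phone linkage made at 14:05 on December 11 (inside the 12-hour pre-holiday window), the Pay Bill credit from an unrecognised institution late on December 13, and the KES 900,000 float debit at 01:10 on December 14. The 09:30 linkage on December 11 and the daytime float debit below the threshold are left alone. In a real deployment the windows would be a calendar fed from the regulator's notices rather than a hard-coded list, and the allow-list of integrators would come from the vendor contracts the circular refers to.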
In a move to enforce accountability, SASRA warned that any financial loss arising from third-party contracts that do not comply with the Authority’s Circular No. SASRA/GG/1/2023 (dated June 6, 2023) will be borne by the individual officers responsible for those contracts.
“Any loss of funds… shall be visited upon the officers of the SACCO Society responsible for engaging such third-party vendors and integrators,” stated CPA Sandagi.
The notice has also been copied to the Techpesa Association, underscoring the need for technical partners to align with these heightened security protocols immediately.