The regulator has directed all regulated SACCO societies to implement mandatory offline data back-ups and deploy round-the-clock cybersecurity monitoring ahead of the upcoming long weekends.
The Sacco Societies Regulatory Authority (SASRA) has issued a directive to all regulated SACCO societies in Kenya, ordering heightened cybersecurity vigilance during the Easter and Labour Day long weekend holidays. The circular, dated 30th March 2026 and signed by Acting CEO David Sandagi, warns that cyber-attacks on SACCOs spike sharply during public holiday periods.
Intelligence and trend analysis by SASRA reveals that a majority of cybersecurity breaches in the regulated SACCO subsector occur during long-weekend public holidays — with attacks concentrated in the last 12 hours before a holiday commences and during late evening and early morning hours throughout those periods.
Holiday periods under watch
- Good Friday & Easter Monday — Friday 3rd April to Monday 6th April 2026
- Labour Day — Friday 1st May to Sunday 3rd May 2026
What SACCOs must do
SASRA’s directive applies to both Deposit-Taking SACCOs (DT-SACCOs) and Regulated Non-WDT-SACCOs. All are required to undertake a mandatory offline back-up of critical data, information, and records in line with the Sacco Societies Act and its regulations. Beyond back-ups, SACCOs must intensify monitoring and surveillance across their Management Information Systems (MIS), digital financial delivery channels, and all other ICT infrastructure used to serve members.
Third-party vendors and system integrators engaged by SACCOs are equally bound by the directive, with SASRA requiring the deployment of 24/7 cyber-monitoring solutions complete with human-resource response mechanisms capable of detecting, disrupting, and immediately reporting any intrusion or attempted breach in real time.
High-risk channels
The regulator has flagged specific SACCO operations as particularly vulnerable. These include:
1. SACCOs offering ATM access, mobile money channels, internet banking, and web-based applications for member account access.
2. SACCOs operating Pay Bill float accounts through Third-Party Vendor bridges, and those offering digital credit products.
3. SACCOs that rely on third-party vendors for electronic service delivery, or which have outsourced their cybersecurity functions.
Insider threat
SASRA has also drawn attention to the risk of insider collusion, directing SACCOs and their vendors to institute internal control measures to detect and prevent employees from facilitating cyber-attacks. Special scrutiny is called for around FOSA savings account access, the linking of member accounts to mobile phone numbers and ATM cards, mobile money wallet linkages, and any unusual fund transfers originating from third-party financial institutions.
SASRA has also reminded SACCOs to ensure all contractual engagements with third-party system vendors and integrators comply with its Circular No. SASRA/GG/1/2023 dated 6th June 2023. The regulator has warned that any fund losses attributable to non-compliant third-party contracts will be the personal liability of the SACCO officers who authorised those engagements.
Source: SASRA Circular Ref. SASRA/P&R/800/ENF/40/VOL. I (51)





