Every time a long public holiday approaches in Kenya, something else happens quietly: cyber-criminals begin circling the country’s savings and credit cooperatives. That pattern is no longer anecdotal. It is now documented — and the regulator is acting on it.
The Sacco Societies Regulatory Authority (SASRA) has been issuing formal circulars regularly every year, ordering every regulated Sacco to heighten its cybersecurity posture ahead of long weekends and holidays. The directives are not precautionary in the abstract sense but are grounded in specific intelligence findings.
SASRA’s own trend analysis of cybersecurity incidents across the regulated Sacco subsector reveals a consistent pattern: the majority of breaches occur during long-weekend public holidays, with attacks concentrated most heavily in the 12-hour window immediately before a holiday begins. Late-night and early-morning hours during the holiday period itself are also flagged as peak attack times.
The logic is straightforward. Staffing drops. IT teams are on reduced duty. Incident response slows. For attackers, a cooperative’s digital infrastructure at 11 p.m. on a public holiday eve is a softer target than the same system on a Tuesday morning.
The circulars apply to all entities regulated under the Sacco Societies Act — both Deposit-Taking Saccos (DT-Saccos) and non-withdrawable deposit-taking Saccos. Together, these institutions hold the savings and loan portfolios of millions of Kenyans, many of whom access their accounts through digital channels.
SASRA has identified the highest-risk operations as those involving:
- ATM access, mobile money channels, internet banking, and web-based member portals
- Pay Bill float accounts operated through third-party vendor bridges, and digital credit products
- Any Sacco that has outsourced electronic service delivery or cybersecurity functions to an external provider
What Saccos Are Required to Do
The directives are consistently specific on four fronts. First, all Saccos must complete a mandatory offline backup of critical data, records, and information before each holiday period, in compliance with existing provisions of the Sacco Societies Act.
Second, Saccos must intensify monitoring and surveillance across all their Management Information Systems (MIS), digital financial delivery channels, and ICT infrastructure for the duration of each holiday period.
Third — and notably — the obligation extends to third-party vendors. System integrators and outsourced service providers engaged by Saccos are equally bound by the directive and must deploy 24/7 cyber-monitoring solutions with the human-resource capacity to detect, disrupt, and report any intrusion in real time.
Fourth, Saccos and their vendors must put in place internal controls specifically designed to detect and prevent insider collusion — the risk that an employee facilitates an attack from within.
Insider Threat
SASRA’s attention to insider risk is unusually explicit in these directives. The regulator calls for heightened scrutiny around FOSA savings account access, the linking of member accounts to mobile phone numbers and ATM cards, mobile money wallet linkages, and any unusual fund transfers originating from third-party financial institutions.
Some past breaches may have involved collusion between internal staff and external actors, and the regulator wants that channel closed.
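One way to turn the two observations above (the 12-hour pre-holiday window and late-night holiday hours as peak attack times, and account-linkage or inbound-transfer actions as the insider-risk events to watch) into a monitoring rule is to weight each audit event by when it happened and what it did, and to count escalations per staff account. The block below is an added illustration, not code from SASRA or any Sacco; the holiday dates, the 22:00 to 06:00 off-hours band, the action names, the log format and the sample lines are all constructed.

```python
from collections import Counter
from datetime import date, datetime, time, timedelta

# Constructed holiday calendar (placeholder dates, not SASRA's); load the gazetted list in practice
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26)}
PRE_HOLIDAY_WINDOW = timedelta(hours=12)                   # the 12-hour pre-holiday window
OFF_HOURS_START, OFF_HOURS_END = time(22, 0), time(6, 0)   # assumed late-night/early-morning band
# Linkage and inbound-transfer actions the directive singles out (action names assumed)
SENSITIVE_ACTIONS = {"link_phone", "link_atm_card", "link_mobile_wallet", "external_transfer_in"}
WINDOW_WEIGHT = {"pre_holiday": 2, "holiday_off_hours": 2, "holiday": 1, None: 0}

def risk_window(ts, holidays=HOLIDAYS):
    """Classify a timestamp as pre_holiday, holiday_off_hours, holiday, or None."""
    if ts.date() in holidays:
        t = ts.time()
        return "holiday_off_hours" if (t >= OFF_HOURS_START or t < OFF_HOURS_END) else "holiday"
    for h in holidays:
        start = datetime.combine(h, time.min)
        if start - PRE_HOLIDAY_WINDOW <= ts < start:
            return "pre_holiday"
    return None

def parse_event(line):
    """Parse a constructed 'ISO-timestamp key=value ...' audit line into a dict."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def score_event(line, holidays=HOLIDAYS):
    """Add window risk to action sensitivity; escalate when the total reaches 3."""
    ev = parse_event(line)
    window = risk_window(ev["ts"], holidays)
    score = WINDOW_WEIGHT[window] + (2 if ev.get("action") in SENSITIVE_ACTIONS else 0)
    return {"staff": ev.get("staff"), "window": window, "score": score, "escalate": score >= 3}

def triage(lines, holidays=HOLIDAYS):
    """Score every line; count escalations per staff account for insider-collusion review."""
    results = [score_event(line, holidays) for line in lines]
    return results, Counter(r["staff"] for r in results if r["escalate"])

# Constructed sample audit lines (not real Sacco data)
SAMPLE_LOG = [
    "2024-12-24T23:15:00 staff=u117 action=link_phone member=M0042",
    "2024-12-25T02:40:00 staff=u117 action=external_transfer_in member=M0042",
    "2024-12-17T10:05:00 staff=u203 action=balance_enquiry member=M0099",
    "2024-12-25T14:00:00 staff=u203 action=balance_enquiry member=M0099",
]
```

Run `triage(SAMPLE_LOG)` to see the first two lines escalate (a phone linkage in the pre-holiday window followed by an inbound transfer in holiday off-hours by the same staff account), while routine daytime enquiries stay below the threshold.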
SASRA reminds all Saccos that any contractual engagements with third-party system vendors must comply with its Circular No. SASRA/GG/1/2023, issued on 6 June 2023.
The consequences of non-compliance are stark: any financial losses arising from contracts that do not meet the required standards will be treated as the personal liability of the Sacco officers who authorised those engagements — not of the institution. That represents significant personal financial exposure, and it signals that SASRA is done treating cybersecurity lapses as institutional failures alone.
The sector has grown rapidly as a vehicle for financial inclusion, with millions of members — particularly in the public sector, farming communities, and small business ecosystems — relying on cooperatives for savings and credit. That growth has been matched by a push into digital service delivery, considerably expanding the attack surface.
SASRA’s directives are a reminder that the expansion into digital channels carries security obligations that cannot be delegated away — not to vendors, not to IT departments, and not to the calendar.