CYBERSECURITY | SACCO
Saccos rarely build their own technology. They buy it, outsource it, and integrate it. Core banking platforms, Paybill connectors, mobile money gateways, ATM networks — each is a third-party system with its own security posture and its own access to member data. That dependency is also an attack surface.
A supply chain attack does not break down the front door. It exploits a trusted side entrance — a vendor, a shared platform, an unpatched integration — to gain access that no firewall is configured to block, because the connection itself is legitimate. The attacker does not target the Sacco directly. They target the vendor. The Sacco and its members are downstream.
The scale of the problem is well documented. The Sacco Societies Regulatory Authority (SASRA) confirmed that Saccos lost Ksh 106 million to hackers in the 17 months to March 2021, averaging Ksh 201,000 daily. The primary entry point, SASRA noted, was software vendors engaged by the Saccos themselves. Globally, third-party breaches now account for 30 percent of all data breaches — double the rate recorded just two years prior.
Security researchers and regulators have identified four dominant attack vectors, each exploiting a different dimension of vendor dependency. The most dangerous is the fintech and Paybill integrator compromise. Once an attacker gains access to an integrator’s platform, they inherit a trusted network position that simultaneously reaches every connected Sacco. Defences on the Sacco side are largely irrelevant at that point, because the intrusion does not look like one.
The second pathway is tampering with management information systems and core banking platforms through vendor support credentials. Because access originates from a trusted service account, detection requires behavioural monitoring that most Saccos do not have. The third vector is shared cooperative infrastructure. Platforms like Co-op Tech concentrate risk across every member institution — a single breach cascades instantly, mirroring the MOVEit attack that compromised hundreds of organisations through one shared file-transfer platform. The fourth, and hardest to catch, is insider-facilitated access, where employees with knowledge of vendor credentials or monitoring blind spots enable external attacks that are technically indistinguishable from legitimate activity.
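The behavioural monitoring the second vector calls for can be illustrated in code. The following Python script is an added example, not part of the article and not any vendor's or Sacco's tooling: it assumes a hypothetical per-vendor access policy (declared support IP ranges, agreed support hours, and the actions a support role is allowed to take) and a constructed five-field audit log, and flags vendor service-account activity that a trusted session makes invisible to a firewall but that a baseline makes obvious: logins from undeclared networks, activity outside the support window, actions that exceed the support role, and service accounts nobody has registered at all.

```python
from collections import Counter
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical vendor access policy. Values are placeholders (TEST-NET ranges);
# a real Sacco would populate this from its vendor register and support contracts.
VENDOR_POLICY = {
    "svc_corebank_vendor": {
        "networks": [ip_network("203.0.113.0/27")],
        "window": (time(9, 0), time(17, 0)),          # agreed support hours
        "allowed_actions": {"READ_CONFIG", "PATCH_DEPLOY", "VIEW_LOG"},
    },
    "svc_paybill_gw": {
        "networks": [ip_network("203.0.113.32/27")],
        "window": (time(8, 0), time(18, 0)),
        "allowed_actions": {"VIEW_LOG", "RECONCILE"},
    },
}

# Constructed sample audit lines: timestamp,account,source_ip,action,target
SAMPLE_LOG = """
2024-12-20T10:15:00,svc_corebank_vendor,203.0.113.10,READ_CONFIG,core/params
2024-12-20T10:16:30,svc_corebank_vendor,203.0.113.10,PATCH_DEPLOY,core/build-4471
2024-12-24T23:41:05,svc_corebank_vendor,198.51.100.77,VIEW_LOG,core/audit
2024-12-24T23:43:12,svc_corebank_vendor,198.51.100.77,CHANGE_MEMBER_PHONE,member/10023
2024-12-24T23:44:50,svc_corebank_vendor,198.51.100.77,POST_TRANSACTION,member/10023
2024-12-20T11:02:00,svc_paybill_gw,203.0.113.40,VIEW_LOG,paybill/recon
2024-12-20T12:00:00,svc_legacy_mis,10.0.0.5,READ_CONFIG,mis/params
"""


def parse_events(text):
    """Parse 'timestamp,account,source_ip,action,target' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, action, target = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": ip_address(src),
            "action": action,
            "target": target,
        })
    return events


def evaluate(events, policy=VENDOR_POLICY):
    """Compare each vendor service-account event against its declared baseline."""
    findings = []

    def flag(ev, rule, detail):
        findings.append({"ts": ev["ts"].isoformat(), "account": ev["account"],
                         "rule": rule, "detail": detail})

    for ev in events:
        p = policy.get(ev["account"])
        if p is None:
            # A service account with no owner on file is itself a finding.
            flag(ev, "unregistered_account", "no vendor policy on file")
            continue
        if not any(ev["src"] in net for net in p["networks"]):
            flag(ev, "unknown_source", f"{ev['src']} not in vendor's declared ranges")
        start, end = p["window"]
        if not (start <= ev["ts"].time() <= end):
            flag(ev, "off_hours", f"activity at {ev['ts'].time()} outside {start}-{end}")
        if ev["action"] not in p["allowed_actions"]:
            flag(ev, "unauthorised_action",
                 f"{ev['action']} on {ev['target']} exceeds the support role")
    return findings


def summarise(findings):
    """Count findings per rule, for a quick daily review or SOC dashboard."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['account']:22} {f['rule']:20} {f['detail']}")
    print(summarise(evaluate(parse_events(SAMPLE_LOG))))
```

The point of the baseline is that none of the flagged lines would fail authentication: the credential is valid and the session is trusted. Only comparing the session to what the vendor was contracted to do (from where, when, and on what) separates support work from misuse of the same account, which is why the article's figure of 42 percent with no monitoring or alerting matters.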
The vulnerabilities are not new. Serianu’s past Sacco Cyber Security Reports have documented them consistently: 60 percent of Saccos have no cybersecurity strategy, 84 percent have no IT governance standards, 44 percent allocate Ksh 100,000 or less annually to cybersecurity, 42 percent have no monitoring or alerting capabilities, and 16 percent only investigate vendor activity after an incident has already occurred. These are not simply resource constraints. They reflect a governance assumption — prevalent across the sector — that outsourcing IT is equivalent to outsourcing security accountability. It is not. Vendors are responsible for the security of their platforms. Saccos remain responsible for the security of their members’ funds. The two obligations are not interchangeable.
Addressing this exposure requires immediate action on several fronts. Saccos should begin by auditing all vendor contracts against the SASRA Circular No. SASRA/GG/1/2023 and mapping every third-party access point into their networks. From there, 24/7 SOC monitoring must cover ATMs, MIS, mobile channels, and Paybill integrations — SASRA’s mandate on this is explicit, and holiday windows carry the highest risk. Offline data backups before every long weekend are now a regulatory directive, not a recommendation. Internally, controls must separate vendor onboarding, access provisioning, and transaction authorization, with system access revoked within 24 hours of any staff departure. All vendors should be held to contractual security guarantees covering breach notification, indemnification, annual penetration testing, and right-to-audit provisions. Finally, independent penetration testing of all integration touchpoints is essential — vendor-issued assurances are not a substitute for external verification.
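Two of the controls above are simple to verify mechanically once the data is in one place: that departed staff lose system access within 24 hours, and that every third-party access point has a current independent penetration test and the required contract clauses. The Python below is an added example, not the article's or any regulator's tooling; it assumes a constructed HR departure feed, a constructed IAM account snapshot, and a constructed inventory of integration touchpoints, with hypothetical account and vendor names, and reports the gaps a quarterly access review would need to act on.

```python
from datetime import datetime, timedelta

REVOCATION_DEADLINE = timedelta(hours=24)   # "revoked within 24 hours of any staff departure"
PENTEST_MAX_AGE = timedelta(days=365)       # "annual penetration testing"
REQUIRED_CLAUSES = ("breach_notification", "indemnification", "annual_pentest", "right_to_audit")
NOW = datetime(2025, 1, 6, 9, 0)            # constructed review time

# Constructed HR feed: account -> last working day/time (hypothetical names)
DEPARTURES = {
    "jkamau": datetime(2025, 1, 3, 17, 0),
    "amwangi": datetime(2025, 1, 5, 12, 0),
    "pochieng": datetime(2024, 12, 30, 17, 0),
}

# Constructed IAM snapshot of staff accounts
ACCOUNTS = [
    {"account": "jkamau", "enabled": True, "last_login": datetime(2025, 1, 4, 8, 30)},
    {"account": "amwangi", "enabled": True, "last_login": datetime(2025, 1, 5, 11, 50)},
    {"account": "pochieng", "enabled": False, "last_login": datetime(2024, 12, 30, 16, 45)},
    {"account": "wnjeri", "enabled": True, "last_login": datetime(2025, 1, 6, 8, 10)},
]

# Constructed inventory of third-party access points into the Sacco's network
TOUCHPOINTS = [
    {"name": "paybill-connector", "vendor": "Integrator A", "access": "API key",
     "last_independent_pentest": datetime(2024, 2, 10),
     "contract_clauses": {c: True for c in REQUIRED_CLAUSES}},
    {"name": "core-banking-vendor-vpn", "vendor": "Core Vendor B", "access": "site-to-site VPN",
     "last_independent_pentest": datetime(2023, 11, 20),
     "contract_clauses": {"breach_notification": True, "indemnification": True,
                          "annual_pentest": True, "right_to_audit": False}},
    {"name": "atm-switch", "vendor": "Switch C", "access": "leased line",
     "last_independent_pentest": None,
     "contract_clauses": {"breach_notification": True}},
]


def review_departures(departures, accounts, now=NOW):
    """Flag departed staff whose accounts are still enabled past the deadline,
    and any login that happened after the recorded departure."""
    findings = []
    by_name = {a["account"]: a for a in accounts}
    for account, left in departures.items():
        a = by_name.get(account)
        if a is None:
            continue  # no account on the systems under review
        if a["enabled"] and now - left > REVOCATION_DEADLINE:
            hours = round((now - left).total_seconds() / 3600)
            findings.append({"account": account, "issue": "revocation_overdue",
                             "hours_since_departure": hours})
        if a["last_login"] > left:
            findings.append({"account": account, "issue": "post_departure_login",
                             "last_login": a["last_login"].isoformat()})
    return findings


def review_touchpoints(touchpoints, now=NOW):
    """Per access point, list missing contract guarantees and stale or absent
    independent testing. An empty list means the touchpoint passes."""
    issues = {}
    for tp in touchpoints:
        problems = []
        last = tp["last_independent_pentest"]
        if last is None:
            problems.append("pentest_never_done")
        elif now - last > PENTEST_MAX_AGE:
            problems.append("pentest_overdue")
        for clause in REQUIRED_CLAUSES:
            if not tp["contract_clauses"].get(clause):
                problems.append(f"missing_clause:{clause}")
        issues[tp["name"]] = problems
    return issues


if __name__ == "__main__":
    for f in review_departures(DEPARTURES, ACCOUNTS):
        print("STAFF ", f)
    for name, problems in review_touchpoints(TOUCHPOINTS).items():
        print("VENDOR", name, problems or "ok")
```

Both checks only work if the inputs exist: the HR feed, the IAM export and the touchpoint inventory are exactly the "mapping every third-party access point" step the article puts first. A departure that HR never records, or a vendor VPN nobody inventoried, cannot be caught by any review.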
SASRA’s repeated warnings are not administrative caution. They reflect an active, documented, and escalating threat. For any Sacco that loses member deposits through a preventable vendor breach, the reputational consequences are existential.
The cost of inaction is not measured in regulatory penalties. It is measured in member savings.