When a Data Breach Hits: Why the First 72 Hours Define a Company’s Future
Introduction
Kenyan companies are facing a surge in cyberattacks at a scale never witnessed before. While reported cyber incidents declined in the third quarter of 2025, data from the Communications Authority of Kenya shows that the National KE-CIRT/CC issued nearly 20 million cyber threat alerts, a 15.53 percent increase from the previous quarter. The spike exposes an uncomfortable reality. Even though organisations are investing in stronger systems and monitoring tools, cybercriminals are innovating at a faster pace and exploiting vulnerabilities across every sector.
Financial institutions and large corporates are frequent targets, but no sector is immune. The recent breach involving M-Tiba, a mobile health wallet used by over four million Kenyans, illustrates the scale of exposure. A hacker known as “Kazu” claimed access to a 2.15 terabyte database containing roughly 17.1 million files, including sensitive personal and medical information, which he offered for sale on the dark web. The incident underscores a simple truth: any organisation that holds personal data or provides digital services is at risk.
Navigating Legal and Regulatory Minefields
When a breach happens, the company’s response in the first few days largely determines whether it maintains credibility or enters a full crisis. The immediate instinct of most companies is to contain the technical problem. While that reaction is understandable, and in many cases urgent, it cannot be the only priority. Containment should happen alongside clear legal, communication and compliance steps. Ignoring the non-technical aspects of breach management often leads to bigger reputational and regulatory consequences.
Kenya’s Data Protection Act places strict obligations on organisations that control or process personal data. A data controller must notify the Office of the Data Protection Commissioner within seventy-two hours of becoming aware of a breach. A processor on the other hand must inform the controller within forty-eight hours. If the breach exposes personal information, the business may also need to alert the affected individuals, unless strong safeguards such as encryption were in place. These timelines are short, which is why companies need to prepare long before a breach happens.
A credible response requires coordination across the entire organisation. Technical teams must identify the source of the breach and seal the vulnerabilities. Legal and compliance teams must check that the company’s disclosures meet statutory requirements. Corporate communications must craft messages that reassure customers and demonstrate responsibility to regulators. Companies that fail to align these functions tend to suffer twice. They face immediate sanctions, and they lose trust in the long term.
Once initial notifications are made, regulators expect more than simple forms. The Act requires organisations to show that they understand what went wrong, who was affected, what the impact was, and the steps being taken to prevent a repeat incident. For businesses in regulated sectors, scrutiny does not stop with the ODPC. Banks can expect questions from the Central Bank. Listed companies may need to engage the Capital Markets Authority. Companies in critical infrastructure may interact with ICT regulators and the national computer incident response teams. Managing these parallel obligations requires a level of coordination few companies rehearse until they are already under pressure.
There is also the question of accountability. If internal investigations show that an employee acted maliciously or that an external fraudster exploited the system, the organisation may need to consider criminal action. Here, the business steps into the role of complainant, balancing the pursuit of justice with the imperative to protect its reputation. A poorly managed prosecution can attract as much publicity as the breach itself.
High Stakes of Mishandling Breaches
The consequences of mishandling a breach are significant. The ODPC can impose administrative fines of up to five million shillings or up to one percent of a company’s annual turnover, whichever amount is lower. In addition, individuals whose information was exposed may claim compensation. As recent determinations by the ODPC have shown, the ODPC has been imposing hefty compensation awards against entities that mishandle breaches. Beyond these direct penalties, businesses may face the cost of system overhauls, forensic investigations, service interruptions and reduced investor and customer confidence. The reputational damage alone can take years to repair.
Trying to keep a breach quiet is one of the riskiest decisions a business can make. The law requires transparency, and in a digital environment, concealment rarely holds. The companies that recover most effectively are those that use these incidents as a turning point. They strengthen their systems, update their crisis plans and reinforce a culture of compliance throughout the organisation.
Transparency and Preparedness Drive Resilience
Data breaches are no longer a question of if but when. For Kenyan businesses, the difference between a temporary setback and a lasting reputational wound lies in how leadership responds. The first seventy-two hours demand speed and coordination. The weeks that follow require transparency, accountability and strategic engagement with regulators, customers and law enforcement. Organisations that prepare now will weather future incidents. Those that delay risk paying through fines, compensation awards, loss of customers and long-term reputational harm. In today’s data-driven economy, strong breach management has become a hallmark of corporate resilience.