Three independent clocks start the moment your institution becomes aware of an incident. The Suite's cyber-incident module starts all three timers automatically and surfaces them on the DPO dashboard with red/amber/green colours as deadlines approach.
Breach record with CBK 24-hour notification.
The three notification clocks
Clock
Window
Trigger
Recipient
CBK cyber
24 hours
Cyber incident, any severity
Central Bank of Kenya — Cyber Resilience Office
ODPC
72 hours
Personal data breach, any size
Office of the Data Protection Commissioner
Subjects
72 hours
High-risk personal data breach
Each affected data subject
What triggers the 72-hour clock
Unauthorised access to member personal data (whether confirmed or suspected)
Loss of a device containing personal data (lost laptop, stolen phone)
Accidental disclosure (email to wrong recipient, misdirected SMS)
Successful phishing attack giving an attacker session access
Ransomware encrypting member data
Vendor / processor notifies you of their breach involving your data
The auto-flow
Anyone reports an incident → opens mfi.cyber.incident
DPO triages within 1 hour → classifies severity + scope
If personal data involved → 72h ODPC clock starts
If CBK-supervised processing → 24h CBK clock starts
If high risk to subjects → 72h subject clock starts
DPO drafts notifications in the incident form; templates pre-filled
DPO + CEO sign off
Auto-sent to cyber@centralbank.go.ke + complaints@odpc.go.ke
Subject notifications sent via SMS + email + iBANK banner
Post-incident review within 7 days; lessons learned logged
Worked scenarios
Scenario — Phishing email harvests an officer's credentials
Setting: Tuesday 14:30. A loan officer clicks a phishing link and enters her credentials.
Tue 14:32: Attacker logs into iBANK with Mary's creds, downloads 200 member records before MFA challenge.
Tue 14:45: Samuel notices unusual export pattern in audit log. Alerts Florence. (mfi.cyber.incident opened, severity=high)
Tue 15:00: Samuel rotates Mary's password + revokes session; reviews the 200 records that were accessed. (Containment in 30 min)
Tue 15:30: Florence confirms 200 members had personal data exposed (names, IDs, balances). Starts all three clocks. (CBK 24h deadline = Wed 14:45; ODPC 72h = Fri 14:45; subjects 72h = Fri 14:45)
Tue 16:00: Florence drafts CBK + ODPC notifications using the template. Aisha countersigns.
Tue 18:00: CBK notification sent (within 6 hours of detection — well under the 24h deadline).
Wed 09:00: ODPC notification sent + 200 SMS + email + iBANK banner to affected members. (All three clocks met)
Tue+7: Post-incident review concluded: phishing simulation will run quarterly; MFA on all sensitive endpoints; SAR module added. (Incident state = closed)
Outcome — Breach contained in 30 min; all 3 regulatory clocks beaten; subjects warned in time; lessons learned drove control improvements.
Reference
Notification templates shipped
Recipient
Template path
Auto-filled fields
CBK Cyber Resilience
/policy_pack/03_incident_response_plan.md#cbk
Institution, date detected, severity, members affected, containment status, lessons learned
ODPC
/policy_pack/03_incident_response_plan.md#odpc
Same as CBK + processing basis, data categories, subject rights affected
Data subject (SMS)
templates/breach_sms.txt
Member name, what was exposed, what we did, who to contact
Data subject (email)
templates/breach_email.html
All of the above + DPO email + ODPC complaint URL
Press / regulator joint
/policy_pack/03_incident_response_plan.md#press
For very large breaches; requires CEO sign-off
Troubleshooting
Symptom
Likely cause
Fix
Detection at the weekend — clocks running but DPO unavailable
Out of hours; no on-call DPO
Acting DPO appointed in BCP; CEO authorises notifications using templates. DPO informed on return.
Cannot identify which 200 members were exposed
Audit log incomplete
Assume worst case — notify all members who logged into the channel in the window. Better safe.
ODPC notification rejected as incomplete
Missing fields (e.g., 'measures to mitigate')
Resubmit with complete information; clock pause requires written justification to ODPC.
Subjects receive duplicate notifications
SMS + email + iBANK banner all sent
By design — multiple channels increase reach. Apologise if member complains, but defend the redundancy.