Breach notification

Three independent clocks start the moment your institution becomes aware of an incident. The Suite's cyber-incident module starts all three timers automatically and surfaces them on the DPO dashboard with red/amber/green colours as deadlines approach.

Cyber incidents
Breach record with CBK 24-hour notification.

The three notification clocks

ClockWindowTriggerRecipient
CBK cyber24 hoursCyber incident, any severityCentral Bank of Kenya — Cyber Resilience Office
ODPC72 hoursPersonal data breach, any sizeOffice of the Data Protection Commissioner
Subjects72 hoursHigh-risk personal data breachEach affected data subject

What triggers the 72-hour clock

  • Unauthorised access to member personal data (whether confirmed or suspected)
  • Loss of a device containing personal data (lost laptop, stolen phone)
  • Accidental disclosure (email to wrong recipient, misdirected SMS)
  • Successful phishing attack giving an attacker session access
  • Ransomware encrypting member data
  • Vendor / processor notifies you of their breach involving your data

The auto-flow

  1. Anyone reports an incident → opens mfi.cyber.incident
  2. DPO triages within 1 hour → classifies severity + scope
  3. If personal data involved → 72h ODPC clock starts
  4. If CBK-supervised processing → 24h CBK clock starts
  5. If high risk to subjects → 72h subject clock starts
  6. DPO drafts notifications in the incident form; templates pre-filled
  7. DPO + CEO sign off
  8. Auto-sent to cyber@centralbank.go.ke + complaints@odpc.go.ke
  9. Subject notifications sent via SMS + email + iBANK banner
  10. Post-incident review within 7 days; lessons learned logged

Worked scenarios

Scenario — Phishing email harvests an officer's credentials

Setting: Tuesday 14:30. A loan officer clicks a phishing link and enters her credentials.

CharacterRole
Mary MutuaLoan officer (compromised)
Samuel KibetIT security lead
Florence AchiengDPO
Aisha HassanCEO

Timeline

  1. Tue 14:30: Mary clicks 'M-Pesa account suspended' phishing link. Enters credentials.
  2. Tue 14:32: Attacker logs into iBANK with Mary's creds, downloads 200 member records before MFA challenge.
  3. Tue 14:45: Samuel notices unusual export pattern in audit log. Alerts Florence. (mfi.cyber.incident opened, severity=high)
  4. Tue 15:00: Samuel rotates Mary's password + revokes session; reviews the 200 records that were accessed. (Containment in 30 min)
  5. Tue 15:30: Florence confirms 200 members had personal data exposed (names, IDs, balances). Starts all three clocks. (CBK 24h deadline = Wed 14:45; ODPC 72h = Fri 14:45; subjects 72h = Fri 14:45)
  6. Tue 16:00: Florence drafts CBK + ODPC notifications using the template. Aisha countersigns.
  7. Tue 18:00: CBK notification sent (within 6 hours of detection — well under the 24h deadline).
  8. Wed 09:00: ODPC notification sent + 200 SMS + email + iBANK banner to affected members. (All three clocks met)
  9. Tue+7: Post-incident review concluded: phishing simulation will run quarterly; MFA on all sensitive endpoints; SAR module added. (Incident state = closed)

Outcome — Breach contained in 30 min; all 3 regulatory clocks beaten; subjects warned in time; lessons learned drove control improvements.

Reference

Notification templates shipped

RecipientTemplate pathAuto-filled fields
CBK Cyber Resilience/policy_pack/03_incident_response_plan.md#cbkInstitution, date detected, severity, members affected, containment status, lessons learned
ODPC/policy_pack/03_incident_response_plan.md#odpcSame as CBK + processing basis, data categories, subject rights affected
Data subject (SMS)templates/breach_sms.txtMember name, what was exposed, what we did, who to contact
Data subject (email)templates/breach_email.htmlAll of the above + DPO email + ODPC complaint URL
Press / regulator joint/policy_pack/03_incident_response_plan.md#pressFor very large breaches; requires CEO sign-off

Troubleshooting

SymptomLikely causeFix
Detection at the weekend — clocks running but DPO unavailableOut of hours; no on-call DPOActing DPO appointed in BCP; CEO authorises notifications using templates. DPO informed on return.
Cannot identify which 200 members were exposedAudit log incompleteAssume worst case — notify all members who logged into the channel in the window. Better safe.
ODPC notification rejected as incompleteMissing fields (e.g., 'measures to mitigate')Resubmit with complete information; clock pause requires written justification to ODPC.
Subjects receive duplicate notificationsSMS + email + iBANK banner all sentBy design — multiple channels increase reach. Apologise if member complains, but defend the redundancy.

See also

Was this page helpful?