The Sacco Societies Regulatory Authority (SASRA) has warned all regulated SACCOs in Kenya to strengthen cybersecurity on their digital financial platforms.
The directive covers ATMs, mobile money channels, internet banking, and web-based applications.
According to SASRA, most cyber-attacks and security breaches targeting SACCOs occur during public holidays, particularly in the hours immediately before and during long weekends.
Hence, the regulator has directed SACCOs to conduct mandatory offline backups of critical data and to intensify monitoring of their Management Information Systems (MIS) and other digital financial channels.
All SACCOs are required to deploy round-the-clock cybersecurity monitoring, including dedicated human response teams, to detect, disrupt, and report intrusions in real time.
“All regulated SACCOs, both deposit-taking and non-deposit-taking, are hereby called upon to undertake a mandatory offline back-up of all critical data, information, and records in compliance with the Sacco Societies Act and related regulations,” part of the statement read.
The long weekends covered run from Friday, April 3, to Monday, April 6, for Good Friday and Easter Monday, and from Friday, May 1, to Sunday, May 3, for Labour Day.
Digital SACCO Services Face High Cyber Risk
The regulator has stated that SACCOs must ensure the security alert is communicated to their third-party vendors, integrators, or other relevant partners to ensure proper implementation.
High-risk areas idenfied include:
- SACCOs using ATMs, mobile money platforms, internet banking, web-based applications, or other electronic channels that allow member account access.
- SACCOs operating pay-bill float accounts through third-party vendor systems, as well as those offering digital credit products, which are also susceptible to breaches via these systems.
- SACCOs relying on third-party vendors or integrators for access to electronic service channels, or those that have outsourced cybersecurity functions, are similarly exposed to potential cyber-attacks.
Also Read: Govt Names All Licensed and Authorised Saccos in 2026
SASRA Issues Further Directive
Additionally, regulated SACCOs and their third-party vendors must maintain continuous internal controls to prevent employee collusion with external parties that could lead to cyberattacks.
They should focus on:
- The electronic and digital access to members’ FOSA savings accounts.
- Requests or attempts to link members’ FOSA accounts to mobile phone numbers or ATM cards.
Also Read: Guide on What You Need to Know Before Joining a SACCO in 2026
- Digital connections between mobile numbers and funds in mobile money wallets, float accounts, pay-bill accounts, or any other settlement accounts.
- Any unusual or suspicious fund transfers from third-party financial institutions into SACCO pay-bill accounts, mobile wallets, or other digital aggregation accounts.
SACCOs are further reminded that all engagements with third-party vendors or integrators must strictly comply with the SASRA regulation, issued on June 6, 2023.
Any financial losses or risks arising from contracts that violate the regulation will be the responsibility of the SACCO officers who authorized such engagements.





