East Africa’s digital economy now processes billions of transactions and anchors everything from tax collection to transport fares. But the systems powering that growth are scaling faster than the security built to protect them.

A new report by cybersecurity firm SmartComply, released in Nairobi on Thursday, argues that cyber risk in the region has moved beyond IT departments and into the core of economic stability.

The report frames cyber failure in highly digitised economies as an economic infrastructure risk, not a technical outage. In markets where payments, identity systems, and public services operate at population scale, disruption now carries macroeconomic consequences.

Between April and June 2025, more than 4.5 billion cyber threat events were recorded in Kenya, with estimated losses of KES 29.9 billion ($230 million) over the same period. In a separate three-month window from July to September 2025, regulators detected 842 million threat events, largely automated scanning and hostile probing.

Mobile banking fraud cases surged 87% in the latest reporting period, driven by social engineering, credential compromise, and SIM-swap schemes. Healthcare ransomware incidents have jumped by 95%, underscoring how cyber risk is colliding with life-critical public services.

The paradox is that digital maturity itself is amplifying exposure. Kenya accounts for 68% of the region’s attack surface, with 200,980 exposed systems, yet has only 0.3% of confirmed breaches. Tanzania, with a far smaller footprint of 54,330 systems, recorded 10,847 compromises, a breach rate of nearly 20%.

Scale without execution depth leaves systems fragile

Artificial intelligence (AI) is widening that gap, as 60% of organisations globally believe they have already faced AI-enabled attacks, yet only 7% have deployed AI-driven defences. Identity-related threats now account for nearly half of observed incidents in East Africa, shifting the battleground to authentication and account recovery.

Gbemisola Osunrinde, chief executive of Smartcomply, described the problem as structural. “Expansion tends to outpace security design,” she said during the report’s launch. In fast-scaling sectors such as telecoms and healthcare, controls are often retrofitted after products go live, creating systemic blind spots.

That weakness surfaced in Uganda’s Pegasus Technologies breach in 2020, where attackers reportedly used 2,000 SIM cards to siphon roughly $3 million by exploiting middleware that links banks to mobile wallets. The breach exposed regulatory gaps in the API layer that underpins the region’s fintech stack.

Despite mounting exposure, preparedness lags: 74% of organisations in East Africa rank cyber risk as a top strategic concern, yet only 29% conduct regular tabletop exercises to simulate crises. The report describes this as an execution gap between boardroom anxiety and operational readiness.

“Resilience improves when organisations plan for failure instead of assuming stability,” Osunrinde said, adding that success should be measured by whether incidents are contained before they escalate.

Mobile money transactions in Kenya account for more than 53% of GDP, and the East African region hosts 459 million mobile money accounts, underscoring the substantial economic stakes. AI spending is projected to grow 34% annually through 2028.