Cybersecurity in Tanzania’s Insurance Sector: Protecting Customer Data in a Digital Age


  • Date 23-10-2025


The Tanzanian insurance sector is undergoing a rapid digital transformation. Online platforms, mobile applications, and cloud services are revolutionizing how insurers operate, improving service delivery and efficiency. Policy enrolment, claims processing, premium payments, and customer support are increasingly digitized. However, this digital shift has significantly expanded the attack surface for cyber threats, making robust cybersecurity a critical priority.

The Growing Threat Landscape:

The insurance industry handles vast amounts of sensitive customer data, including:

  • National Identification Numbers (NIN, issued by NIDA)
  • Bank account details
  • Medical histories
  • Financial records

A breach of this data can lead to severe consequences:

  • Reputational Damage: Loss of customer trust and confidence.
  • Financial Losses: Costs associated with data recovery, legal fees, and regulatory fines.
  • Legal Ramifications: Non-compliance with data protection laws.

Common cyber threats facing Tanzanian insurers include:

  • Phishing: Deceptive emails or messages designed to steal login credentials or personal information.
  • Ransomware: Malware that encrypts data and demands a ransom payment for its release.
  • Insider Threats: Malicious or negligent actions by employees or contractors.
  • Supply Chain Vulnerabilities: Weaknesses in the security of third-party vendors and partners.

The Legal and Regulatory Framework:

Tanzania has established a legal framework to protect personal data, primarily through the Personal Data Protection Act, 2022. Key regulatory bodies involved include:

  • Tanzania Insurance Regulatory Authority (TIRA): Requires insurance companies to develop and implement annual data protection strategies. TIRA actively monitors compliance and can impose penalties for violations.
  • Tanzania Communications Regulatory Authority (TCRA): Oversees secure communication systems and has cracked down on unauthorized bulk SMS services, which can be used for phishing and fraud.
  • Office of the Data Protection Commissioner: Registers data controllers, conducts data protection impact assessments, and investigates data breaches.

Roles and Responsibilities of Key Stakeholders:

  • Insurance Companies: Bear the primary responsibility for data security. This includes:
    • Implementing robust security systems, including firewalls, intrusion detection systems, and endpoint protection.
    • Employing strong encryption for sensitive data, both in transit (TLS) and at rest, with encryption keys stored separately from the data they protect.
    • Utilizing multi-factor authentication (MFA) for all user accounts.
    • Conducting regular security audits and penetration testing to identify vulnerabilities.
    • Example: Leading insurers like Jubilee Insurance and Sanlam Tanzania have achieved ISO/IEC 27001 certification, demonstrating their commitment to information security management.
  • Customers: Play a crucial role in protecting their own data. This involves:
    • Using strong, unique passwords for all online accounts.
    • Being vigilant against phishing attempts, such as verifying the sender’s email address and avoiding suspicious links.
    • Regularly reviewing bank and insurance statements for any unauthorized activity.
  • IT Providers and FinTech Partners: Must prioritize data protection in their products and services. This includes:
    • Implementing secure coding practices.
    • Conducting thorough security testing.
    • Providing transparent data privacy policies.
    • Example: In 2024, a widely used app in Tanzania was penalized for failing to encrypt sensitive health data, highlighting the importance of robust security measures.
  • Academic Institutions and Associations: Contribute to sector-wide capacity building through training, research, and policy input.
    • Examples: The Association of Tanzania Insurers (ATI), Tanzania Institute of Bankers (TIBA), the University of Dar es Salaam (UDSM), and the University of Dodoma (UDOM) offer training programs and conduct research on cybersecurity best practices.
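To make the "encryption at rest" responsibility concrete, the following is an added example (not code from this article, nor from any insurer or vendor named on the page) of field-level encryption for a customer record. The National Identification Number and the medical note are sealed with AES-256-GCM, and the policy ID plus column name are passed as associated data, so a ciphertext copied into another customer's row or another column fails to decrypt instead of silently yielding the wrong person's data. The record layout, field names and the locally generated key are assumptions made for the example; in production the data-encryption key would be held in a KMS or HSM, and the plaintext would never be written to the database at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is a constructed sample shape (an assumption, not a real schema).
// Only PolicyID is stored in the clear; it is the lookup key and part of the AAD.
type CustomerRecord struct {
	PolicyID   string
	NINEnc     string // base64(nonce || ciphertext || tag) of the NIN
	MedicalEnc string // same layout for the medical note
}

// FieldCipher wraps one data-encryption key. Here the key is generated locally
// for the example; a real deployment fetches it from a KMS/HSM.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher accepts a 16-, 24- or 32-byte AES key (32 bytes = AES-256).
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// aad binds a ciphertext to one row and one column: authenticated, not encrypted.
func aad(policyID, field string) []byte {
	return []byte(policyID + "|" + field)
}

// Seal encrypts one field with a fresh random nonce and returns
// base64(nonce || ciphertext || tag) for storage in a text column.
func (f *FieldCipher) Seal(policyID, field, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), aad(policyID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts one field. It fails on a wrong key, a modified ciphertext,
// or a ciphertext that was sealed for a different record or column.
func (f *FieldCipher) Open(policyID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], aad(policyID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // example only: a real key lives in a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample values; not real customer data.
	rec := CustomerRecord{PolicyID: "POL-0001"}
	rec.NINEnc, _ = fc.Seal(rec.PolicyID, "nin", "19900101123450000123")
	rec.MedicalEnc, _ = fc.Seal(rec.PolicyID, "medical", "Type 2 diabetes, insulin")
	fmt.Printf("stored row: %+v\n", rec)

	nin, _ := fc.Open(rec.PolicyID, "nin", rec.NINEnc)
	fmt.Println("decrypted NIN for POL-0001:", nin)

	// The same ciphertext presented under another policy ID is rejected.
	if _, err := fc.Open("POL-0002", "nin", rec.NINEnc); err != nil {
		fmt.Println("swap to POL-0002 rejected:", err)
	}
}
```

A plaintext NIN column, by contrast, is readable by anyone with a database dump or a leaked backup, which is the failure mode behind the unencrypted-health-data penalty mentioned above. Binding the policy ID into the associated data is the detail most field-encryption schemes omit: without it, an attacker with write access to the database can reassign one customer's encrypted medical note to another record and the application will decrypt it without complaint.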

Real-World Cases and Lessons Learned:

  • 2023 Phishing Attack: A mid-sized Tanzanian insurer suffered a phishing attack that compromised over 1,500 customer records. The attack involved malicious emails that tricked employees into revealing their login credentials.
  • 2022 Health Insurance Fund Data Leaks: Data breaches at a leading health insurance fund raised concerns about the security of sensitive patient information.
  • 2024 Sanlam–Jubilee Merger: Data security was a central focus during the due diligence process of the Sanlam–Jubilee merger, demonstrating the importance of data protection in mergers and acquisitions.
  • Regional Parallels:
    • Britam Kenya (2022): Faced a ransomware attack that disrupted its operations.
    • Uganda InsurTech (2023): Penalized for storing unencrypted biometric data offshore, highlighting the risks of inadequate data protection practices.

Collaboration and Training: Building a Resilient Sector:

Sector-wide collaboration and training are essential for strengthening cybersecurity resilience.

  • Bumaco Insurance: Participated in key initiatives in May and June 2025:
    • IASIU Launch (Arusha): Bumaco attended the launch of the Tanzania Chapter of the International Association of Special Investigation Units (IASIU). This event focused on cyber-enabled fraud, digital claims manipulation, and AI-driven risks.
    • AML/CFT Training: Bumaco participated in an Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT) awareness training session, where the regulator emphasized the need for robust compliance and ongoing awareness among all stakeholders.


Recommendations for a Secure Future:

  • Invest in Advanced Infrastructure: Implement robust security systems, including firewalls, intrusion detection systems, and endpoint protection.
  • Prioritize Continuous Staff Training: Provide regular cybersecurity awareness training to all employees, covering topics such as phishing, social engineering, and password security.
  • Strengthen Governance Systems: Establish clear data protection policies and procedures, and appoint a dedicated data protection officer.
  • Launch Customer Awareness Campaigns: Educate customers about phishing, identity theft, and other cyber threats.
  • Integrate Data Protection into Product Development: Ensure that data protection is a core consideration throughout the product development lifecycle.
  • Enhance Regional Cooperation: Strengthen collaboration with East African markets to share best practices and coordinate responses to cyber threats.

Conclusion:

Cybersecurity is not just a technical issue; it’s a fundamental pillar of trust in the insurance industry. By working together – regulators, insurers, customers, and technology partners – we can safeguard sensitive data, maintain public confidence, and foster sustainable growth. Companies must go beyond mere compliance.
