Cybersecurity: Nigerian banks face tight CBN deadline
The Central Bank of Nigeria (CBN) has issued a strict directive to banks and other financial institutions, requiring them to complete a cybersecurity self-assessment within a specified timeline.
This move is aimed at strengthening the resilience of Nigeria’s financial system against the rising threat of cyberattacks.
In a letter dated March 30, 2026, and published on the CBN’s official website, the apex bank stated that all Deposit Money Banks (DMBs) must submit their completed assessments within three weeks, while other regulated financial institutions, including microfinance banks, finance companies, development finance institutions, and payment service providers, are given five weeks to comply.
The directive introduces a new Cybersecurity Self-Assessment Tool (CSAT), designed to help the CBN evaluate the level of cyber risk across all regulated financial entities. According to the bank, the CSAT is a structured supervisory instrument that provides a comprehensive view of each institution’s cybersecurity posture.
Key areas assessed by the tool include:
Governance structures and policies
Risk management frameworks and processes
Technology systems and infrastructure
Exposure to third-party risks
Incident response plans and capabilities
Overall operational resilience and preparedness
The CBN explained that the insights gathered from the assessments will help strengthen risk-based supervision and enhance regulatory oversight of cybersecurity threats.
This step is part of the bank’s broader commitment to improving cybersecurity standards in the Nigerian financial sector, especially in light of increasing digital banking activity and rising incidents of online fraud.
Banks and other institutions are required to submit their completed CSAT reports through a dedicated online portal. Access credentials will be provided to Chief Information Security Officers (CISOs) and other relevant officials within each institution.
The data submitted must reflect the institution’s position as of December 31, 2025, and must be accompanied by relevant supporting documentation wherever applicable.
The CBN also issued a stern warning against incomplete, false, or misleading submissions.
It emphasized that accuracy, completeness, and transparency are mandatory, and any breach of these requirements will attract appropriate regulatory sanctions.
To ensure compliance, the CBN plans to validate the submissions through off-site reviews and supervisory engagements, confirming the reliability and authenticity of the information provided.
This directive, which takes immediate effect, highlights the growing importance of cybersecurity in Nigeria’s financial system.
As digital transactions increase and financial institutions become more exposed to cyber threats, the CBN’s action is a clear signal of tighter regulatory scrutiny and the need for stronger cybersecurity measures across the sector.