CBN gives banks three weeks to deploy cybersecurity self-assessment tools

The Central Bank of Nigeria (CBN) has moved to strengthen cybersecurity oversight across the financial system, mandating banks and other regulated institutions to within three to five weeks, conduct a comprehensive self-assessment of their cyber resilience as digital risks intensify.

In a circular issued on March 30, the apex bank directed deposit money banks, payment service banks, microfinance lenders, fintechs, and other financial institutions to complete its newly deployed Cybersecurity Self-Assessment Tool (CSAT), a structured framework designed to evaluate firms’ exposure to cyber threats and their capacity to respond.

The move signals a shift toward deeper, risk-based supervision as regulators respond to the rapid growth of digital banking and electronic payments, which has expanded the potential attack surface for cybercriminals and heightened systemic vulnerabilities.

According to the CBN, the tool will capture detailed information on cybersecurity governance, risk management practices, third-party exposures, incident response capabilities, and overall operational resilience. Insights generated from the exercise are expected to guide supervisory actions and strengthen regulatory oversight of technology risks across the sector.

Banks have been given a tight timeline of three weeks to complete and submit the assessment, while other regulated institutions have five weeks, underscoring the urgency the regulator is placing on cybersecurity preparedness. All submissions must reflect data as of December 31, 2025, and be accompanied by supporting documentation where applicable.

Related News

The Central bank warned that inaccurate or misleading disclosures would constitute a regulatory breach, with institutions facing sanctions under the Banks and Other Financial Institutions Act. It added that submissions would be subject to validation through off-site reviews and further supervisory engagements.

The directive comes amid rising concerns over cyber threats targeting financial institutions globally, with increasing reliance on digital platforms, third-party service providers, and cloud infrastructure exposing banks to more complex and evolving risks.

For Nigeria’s banking sector, the policy is likely to heighten compliance obligations and accelerate investments in cybersecurity infrastructure, governance frameworks, and risk management systems. Smaller institutions, including microfinance banks and fintech firms, may face steeper adjustment costs as they work to align with the new requirements.

Analysts say the CBN’s move could ultimately strengthen confidence in the financial system by ensuring that institutions adopt more robust safeguards against cyber incidents that could disrupt operations or erode customer trust.

The deployment of the CSAT also positions Nigeria alongside global regulatory trends, where Central Banks are increasingly prioritising cyber resilience as a core pillar of financial stability, particularly as digital finance deepens across emerging markets.

Hope Moses-Ashike

Hope Moses-Ashike is an Associate Editor, Banking and Finance, with more than a decade of experience reporting on Nigeria’s financial system and broader economy. She closely tracks market movements, monetary policy decisions, company disclosures, regulatory actions, economic indicators, and global developments, and interprets what they mean for businesses, investors, policymakers, and households. Her reporting helps readers understand complex issues such as inflation trends, foreign exchange market dynamics, interest rate decisions, bank performance, and investment risks. She also covers major international events and periodically travels to Washington, D.C., to report on the World Bank/IMF Spring and Annual Meetings. Her dedication to financial journalism has earned her multiple recognitions and invitations to high-level professional development programmes. She is an alumna of the International Visitors Leadership Programme (IVLP) in the United States and holds an Advanced Financial Journalism Certificate from the Press Association Training in London, UK. Her other notable achievements include completing the Lagos Business School CMC Programme, the Bloomberg Media Africa Initiative Programme, and a Master Class in Journalism at Rhodes University in South Africa.