CBN Imposes Strict 3-Week Cybersecurity Deadline on Banks

LAGOS – The Central Bank of Nigeria (CBN) has rolled out a stringent timeline for banks to gauge their cybersecurity defenses, mandating Deposit Money Banks (DMBs) to submit self-assessments within just three weeks.

This directive, detailed in a March 30 letter posted on the CBN’s website, targets DMBs, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions. Other regulated entities get a five-week window. The move deploys a new Cybersecurity Self-Assessment Tool (CSAT) to map out cyber vulnerabilities across Nigeria’s financial sector.

Governor Olayemi Cardoso’s regulator frames this as a core duty under the Banks and Other Financial Institutions Act (BOFIA) 2020. “The CSAT serves as a structured supervisory tool to capture a full picture of institutions’ cybersecurity health,” the CBN stated. It probes key areas: governance, risk management, tech infrastructure, third-party risks, incident response, and operational resilience.

Submissions go through a secure portal, with login details sent to Chief Information Security Officers. Data must mirror positions as of December 31, 2025, backed by documents. The CBN vows rigorous checks via off-site audits and on-site visits, warning that “false, misleading, or incomplete information” invites heavy sanctions.

ADVERTISEMENT

This crackdown arrives amid Nigeria’s exploding cyber threats. NITDA reported a 45% jump in digital fraud last year, costing banks over ₦20 billion ($12 million), per a Reuters analysis. High-profile breaches—like the 2025 Zenith Bank hack exposing customer data—have rattled trust in digital banking, which now handles 70% of transactions (CBN stats). Experts link weak defenses to phishing, ransomware, and insider threats, fueled by rapid fintech growth.

Victor Ologun, a Lagos-based fintech consultant, told this reporter: “Banks’ patchy cyber setups leave customers exposed. This CBN push is overdue—self-assessments will spotlight gaps before attacks do.”

The CSAT builds on CBN’s 2024 Cyber Risk Framework, which mandated basic protections but fell short against sophisticated hacks from groups like SilverTerrier. Insights from these assessments will fuel “risk-based supervision,” letting regulators prioritize high-risk players.

Industry watchers applaud the urgency but flag execution hurdles. “Three weeks is tight for thorough reviews,” said Chuks Amaechi, CEO of a mid-tier microfinance bank. Still, non-compliance risks fines up to ₦1 million daily, per BOFIA penalties.

As Nigeria eyes cashless dominance, this timeline underscores Cardoso’s pledge for a fortified financial ecosystem. Banks now race the clock to prove they’re cyber-ready.