REGULATORY ALERT: CBN IMPOSES A THREE-WEEK DEADLINE FOR CYBER SECURITY SELF ASSESSMENT COMPLIANCE.

In a letter dated the 30th day of March 2026, the Central Bank of Nigeria (CBN) introduced the need for Banks and other financial institutions to deploy a Cyber Security Assessment Tool (CSAT). In recent times, cybersecurity has been a growing concern in the Banking industry in Nigeria. It has put Banking activities and transactions at great risk, both for the Banking sector and for the average Nigerian who engages daily in Banking transactions. The increased risk of fraud and cyber attacks has reduced the trust and participation of individuals who engage in these transactions, who fear losing their hard-earned money and crashing their economic standing.

This newsletter dissects the CBN directive to Deposit Money Banks and other financial institutions, issued in a bid to monitor and improve cybersecurity in the Banking industry.

THE CBN DIRECTIVE

The CBN directive mandated Banks and select financial institutions and payment service providers (PSPs) to submit a comprehensive report on the CSAT within a deadline of three weeks for the Deposit Money Banks (DMBs) and five weeks for all other institutions. The CBN mentioned that this directive is in furtherance of fulfilling and promoting the apex Bank’s objective as provided in the Banks and Other Financial Institutions Act (BOFIA) 2020. The alarming cybersecurity attacks in the Banking and financial sector have finally prompted the apex Bank to take more proactive steps to ensure that the security gaps that may arise within the institutions are prevented, cured, and curbed. This shows the CBN’s consistency and commitment to strengthening cybersecurity resilience across the financial sector.

This directive applies to the following financial institutions:

  1. Deposit Money Banks
  2. Payment Service Banks
  3. Microfinance Banks
  4. Payment Service Providers
  5. Finance Companies, and
  6. Development Finance Institutions

WHAT IS THE CYBER SECURITY ASSESSMENT TOOL (CSAT)?

As contained in the published policy, “The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions. It covers key areas including cyber security governance, risk management practices, technology and third-party risk controls, incident response capabilities, and overall operational resilience.”

“The insights derived from the CSAT will support risk-based supervision and enhance regulatory oversight of cybersecurity risks across the financial system,” the Bank stated. The tool is to be completed through a specific method at the designated portal provided by the CBN.

OBLIGATIONS UNDER THE CBN DIRECTIVE

The directive mandates all applicable institutions to complete and submit their CSAT alongside supporting documentation to a dedicated portal. Access credentials to the portal and detailed guidance on completion of the tool will be communicated to the Chief Information Security Officers and other relevant officials of the concerned institutions.

According to the letter, “Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable. Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions in accordance with the provisions of BOFIA 2020.” The applicable institutions are equally enjoined to submit complete, accurate, and updated data showing the institution’s position and status as of 31st December 2025.

ENFORCEMENT STRATEGY

As part of its enforcement strategy, the central Bank will conduct validation exercises, including off-site reviews and supervisory engagements, to verify the accuracy, integrity, and reliability of submitted data. These measures are expected to strengthen compliance monitoring tools, improve compliance analytics, and reinforce internal controls within financial institutions.

The CBN directive takes immediate effect from the 30th day of March 2026 and signals heightened regulatory scrutiny of cybersecurity risks, aligning with broader trends in other industries where similar solutions are increasingly deployed to combat digital threats, improve fraud detection, and ensure data privacy.

In light of the directive’s immediate effect and the stringent submission timelines prescribed by the Central Bank of Nigeria, affected institutions are advised to promptly review their cybersecurity governance framework, risk management practices, and supporting documentation to ensure timely and accurate compliance. Early internal coordination among compliance, information security, and senior management teams will be critical to mitigating regulatory risk and avoiding potential sanctions under BOFIA 2020.

This newsletter is provided for general information purposes only and does not constitute legal, regulatory, or professional advice. While reasonable care has been taken in preparing this publication, readers are advised not to rely on its contents as a substitute for specific legal advice. Institutions and individuals are encouraged to consult their legal, compliance, or other professional advisers to obtain advice tailored to their particular circumstances.

Manifield Solicitors