CBN Gives Banks Three-Week Deadline for Cybersecurity Audit Compliance

The Central Bank of Nigeria has issued a strict directive mandating banks and other financial institutions to complete a comprehensive cybersecurity self-assessment within tight timelines, as part of efforts to reinforce the resilience of Nigeria’s financial system.

In a circular dated March 30, 2026, the apex bank instructed Deposit Money Banks (DMBs) to submit their completed assessments within three weeks, while other regulated institutions—including microfinance banks, payment service providers, and finance companies—have up to five weeks to comply.

The directive introduces a newly developed Cybersecurity Self-Assessment Tool (CSAT), designed to evaluate the level of exposure to cyber risks across financial institutions. According to the CBN, the initiative aligns with its regulatory responsibilities under the Banks and Other Financial Institutions Act 2020 and forms part of broader efforts to strengthen cybersecurity standards in the sector.

The apex bank explained that the CSAT will serve as a supervisory mechanism, enabling regulators to gain deeper insight into institutions’ cybersecurity frameworks. The assessment will cover key areas such as governance structures, risk management processes, technological infrastructure, third-party vulnerabilities, incident response capabilities, and overall operational resilience.

The CBN noted that data gathered from the exercise would enhance risk-based supervision and improve its ability to monitor and respond to emerging cyber threats within Nigeria’s financial ecosystem.

To ensure compliance, affected institutions are required to submit their assessments via a dedicated portal, with login credentials to be issued to Chief Information Security Officers and other designated officials. The regulator emphasized that all submissions must be complete and supported with relevant documentation, reflecting each institution’s status as of December 31, 2025.

The bank also warned against inaccurate or misleading disclosures, stressing that any false information would constitute a regulatory violation and attract sanctions. It added that submitted data would undergo validation through off-site reviews and supervisory engagements.

The latest move underscores growing regulatory concern over cybersecurity risks, especially as increased digital banking activities continue to expose financial institutions to sophisticated cyber threats. It follows earlier calls by regulators urging banks to strengthen their security infrastructure amid rising cases of digital fraud that have impacted customer confidence in the banking system.