Central Bank of Nigeria (CBN) has directed banks and other financial institutions to complete a newly deployed cybersecurity self-assessment tool (CSAT) as part of efforts to strengthen resilience across the financial system.
In a circular dated March 30, the apex bank said the tool was introduced in line with its mandate under the Banks and Other Financial Institutions Act 2020 and is designed to assess the cybersecurity posture of regulated entities.
According to the circular signed by Olubunmi Ayodele-Oni for the director of the compliance department, deposit money banks are required to submit their completed assessments within three weeks, while other institutions have five weeks.
The directive, which takes immediate effect, applies to deposit money banks, payment service banks, microfinance banks, payment service providers, finance companies, and development finance institutions.
“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the circular reads.
“It covers key areas including cybersecurity governance, risk management practices, technology and third-party risk controls, incident response capabilities, and overall operational resilience.
“Insights derived from the CSAT will support risk-based supervision and enhance regulatory oversight of cybersecurity risks across the financial system.
“Accordingly, all the referenced institutions are required to complete and submit the CSAT through a dedicated submission portal.”
The regulator added that access to the submission portal and guidance would be provided to chief information security officers and other relevant officials of the affected institutions.
CBN said all submissions must reflect data as of December 31, 2025, and be accompanied by relevant supporting documentation where applicable.
The apex bank warned that “submission of false, misleading, or inaccurate information constitutes a regulatory breach,” and would attract sanctions in line with BOFIA 2020.
CBN also said validation exercises, including off-site reviews and supervisory engagements, would be conducted to verify the accuracy of submissions.
