The Central Bank of Nigeria (CBN) has introduced a strict compliance timeline for banks and financial institutions to complete a mandatory Cybersecurity Self-Assessment Tool (CSAT), as part of efforts to strengthen system-wide resilience and enhance regulatory compliance.
In a directive dated March 30, 2026, the apex bank mandated Deposit Money Banks (DMBs) to submit their completed assessments within three weeks, while other regulated institutions—including payment service providers, microfinance banks, and finance companies—have a five-week deadline.
The initiative, which takes immediate effect, reflects the CBN’s commitment under the Banks and Other Financial Institutions Act (BOFIA) 2020 to improve cybersecurity standards and reinforce regulatory risk management across Nigeria’s financial ecosystem.
According to the regulator, the CSAT serves as a structured supervisory instrument designed to provide a comprehensive evaluation of institutions’ cybersecurity posture. The tool assesses key areas such as governance structures, risk assessment frameworks, technology infrastructure, third-party risk exposure, incident response capabilities, and overall operational resilience.
“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the CBN stated.
The apex bank noted that insights derived from the assessment will support risk-based supervision, strengthen regulatory monitoring, and enhance oversight of emerging cyber threats—particularly as digital transactions and fintech adoption continue to grow.
To ensure adherence, all affected institutions are required to submit their assessments through a dedicated portal, with access credentials provided to Chief Information Security Officers and relevant stakeholders. Submissions must reflect institutional data as of December 31, 2025, and be supported by appropriate documentation.
The CBN emphasised the importance of accuracy and transparency, warning that any false or misleading submissions would constitute a breach of regulatory requirements and attract sanctions.
“Supervised institutions are reminded that all information submitted must be accurate, complete, and verifiable. Submission of false or inaccurate information will result in regulatory penalties,” the directive stated.
As part of its enforcement strategy, the central bank will conduct validation exercises, including off-site reviews and supervisory engagements, to verify the integrity of submitted data. These measures are expected to strengthen compliance monitoring tools, improve compliance analytics, and reinforce internal controls within financial institutions.
The directive signals heightened regulatory scrutiny of cybersecurity risks, aligning with broader trends in the RegTech industry where compliance technology and RegTech solutions are increasingly deployed to combat digital threats, improve fraud detection, and ensure data privacy.
Industry stakeholders have previously raised concerns over rising cyber risks, noting that weak cybersecurity frameworks could undermine customer trust and slow the growth of Nigeria’s digital banking sector.
With this move, the CBN is positioning cybersecurity as a critical pillar of financial compliance, ensuring that institutions adopt proactive measures for risk mitigation and operational resilience in an evolving digital landscape.