Nigeria: CBN Introduces Cybersecurity Assessment Tool to Strengthen Banking Sector Resilience

The Central Bank of Nigeria (CBN) has rolled out a new Cybersecurity Self-Assessment Tool (CSAT) for banks and financial institutions, reinforcing efforts to enhance regulatory compliance and strengthen cybersecurity resilience across Nigeria’s financial system.

In a circular dated March 30, the regulator stated that the tool was introduced under its mandate in the Banks and Other Financial Institutions Act (BOFIA) 2020. The CSAT is designed to evaluate the cybersecurity posture of regulated entities and improve regulatory risk management through structured data collection and analysis.

The directive applies to a broad range of institutions, including deposit money banks, payment service banks, microfinance banks, payment service providers, finance companies, and development finance institutions—highlighting the growing importance of compliance technology and RegTech solutions in safeguarding financial ecosystems.

According to the circular, signed by Olubunmi Ayodele-Oni on behalf of the Director of the Compliance Department, deposit money banks are required to submit their completed assessments within three weeks, while other institutions have a five-week deadline.

Describing the initiative, the apex bank noted that the CSAT serves as a structured supervisory tool to provide comprehensive insights into institutions’ cybersecurity frameworks. It evaluates key areas such as governance structures, risk assessment processes, third-party risk controls, incident response capabilities, and overall operational resilience.

“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the circular stated.

The regulator added that insights generated from the tool will support risk-based supervision, strengthen regulatory monitoring, and enhance compliance analytics across the financial sector. This aligns with broader efforts to improve data privacy, fraud detection, and system-wide resilience.

Institutions are required to submit their assessments through a dedicated portal, with access and guidelines provided to Chief Information Security Officers and other relevant personnel. All submissions must reflect data as of December 31, 2025, and include supporting documentation where necessary.

The CBN also issued a strong warning against inaccurate reporting, noting that the submission of false or misleading information constitutes a breach of regulatory requirements and will attract sanctions in line with BOFIA 2020. This underscores the importance of maintaining robust internal controls and effective compliance management systems.

To ensure data integrity, the apex bank will conduct validation exercises, including off-site reviews and supervisory engagements, to verify the accuracy of submissions. These measures are expected to strengthen regulatory compliance monitoring and improve overall financial compliance within the sector.

The introduction of the CSAT reflects a growing emphasis on proactive cybersecurity governance and the adoption of RegTech innovations to address evolving digital threats. As financial institutions continue to digitise operations, tools like the CSAT will play a critical role in enhancing resilience, ensuring compliance, and supporting long-term stability in Nigeria’s financial system.