Juliet Ezeh
The Central Bank of Nigeria (CBN) has issued a sweeping directive mandating banks and other financial institutions to complete a cybersecurity self-assessment within strict timelines, in a move that signals a major shift in regulatory oversight and digital risk management.
In a letter dated March 30, 2026, the apex bank introduced a Cybersecurity Self-Assessment Tool (CSAT) designed to evaluate the cyber resilience of regulated institutions across the country. According to the directive, Deposit Money Banks (DMBs) are required to submit their completed assessments within three weeks, while other financial institutions have five weeks to comply.
A Shift Toward Proactive Cyber Regulation
The directive marks a transition from traditional compliance monitoring to a more proactive and data-driven regulatory approach. Rather than relying solely on periodic audits and reports, the CBN is now demanding measurable insights into how financial institutions manage cyber risks.
The CSAT is structured to assess key areas including governance frameworks, risk management processes, technology infrastructure, third-party exposure, incident response capabilities, and overall operational resilience. This comprehensive scope highlights the regulator’s intent to gain a deeper understanding of vulnerabilities within the financial system.
By requiring institutions to provide detailed and verifiable data, the CBN is effectively placing cybersecurity at the center of financial stability.
Rising Digital Threats Drive Urgency
The directive comes at a time when Nigeria’s financial sector is experiencing rapid digital transformation. Increased adoption of mobile banking, online payments, and fintech solutions has significantly expanded the attack surface for cybercriminals.
Experts have warned that weak cybersecurity frameworks could erode customer confidence and slow the growth of the digital economy. Incidents of digital fraud and cyberattacks have continued to rise, making it imperative for regulators to act decisively.
The CBN’s move underscores a growing recognition that cyber risk is no longer just a technical concern but a systemic threat capable of disrupting the entire financial ecosystem.
Strict Compliance and Sanctions
To ensure compliance, the apex bank has made it clear that all submissions must be accurate, complete, and supported by relevant documentation. Institutions are required to submit their assessments through a dedicated portal, with access credentials to be provided to Chief Information Security Officers and other designated officials.
Importantly, the CBN has warned against false or misleading disclosures, stating that any inaccuracies will be treated as regulatory breaches and may attract sanctions. This introduces a new layer of accountability, where institutions are not only evaluated on their cybersecurity posture but also on the integrity of their reporting.
The regulator also disclosed plans to validate submissions through off-site reviews and supervisory engagements, further reinforcing its commitment to transparency and enforcement.
Implications for Banks and Financial Institutions
For Deposit Money Banks, the three-week deadline signals urgency and underscores the importance of immediate action. Institutions are expected to conduct internal reviews, identify gaps, and provide a realistic assessment of their cybersecurity capabilities.
Smaller institutions, including microfinance banks and payment service providers, may face greater challenges due to limited resources and infrastructure. However, the directive ensures that all players within the financial ecosystem are held to a consistent standard.
Industry observers note that the directive could reshape competition within the sector. Banks with robust cybersecurity frameworks are likely to gain customer trust and strengthen their market position, while those with weak defenses may face reputational damage and regulatory penalties.
Strengthening Trust in the Digital Economy
At its core, the CBN’s directive is aimed at safeguarding trust in Nigeria’s financial system. As digital transactions continue to grow, the need for secure and resilient systems becomes increasingly critical.
Cybersecurity is now a key determinant of customer confidence. A single breach can have far-reaching consequences, affecting not only individual institutions but also the broader perception of the banking sector.
By enforcing stricter standards and enhancing oversight, the CBN is positioning Nigeria’s financial system to better withstand emerging cyber threats and support sustainable digital growth.
A Defining Moment for Cybersecurity in Banking
The introduction of the CSAT represents a defining moment in Nigeria’s approach to cybersecurity regulation. It reflects a broader global trend where regulators are prioritizing digital resilience as a cornerstone of financial stability.
For banks and other financial institutions, the message is clear: cybersecurity is no longer optional, it is a fundamental requirement for survival and growth in an increasingly digital world.
As the compliance deadlines approach, all eyes will be on how institutions respond to the directive and whether the exercise will lead to meaningful improvements in cybersecurity standards across the sector.
