CBN Introduces Cybersecurity Assessment Tool, Sets Deadlines for Banks and Financial Institutions

The Central Bank of Nigeria (CBN) has directed banks and other financial institutions to complete a newly introduced Cybersecurity Self-Assessment Tool (CSAT) within specified timelines as part of efforts to strengthen digital security in the sector.

In a circular dated March 30, 2026, the apex bank stated that Deposit Money Banks must submit their assessments within three weeks, while other regulated institutions have up to five weeks to comply.

New Tool to Measure Cyber Risk Exposure

The directive applies to a wide range of financial entities, including banks, payment service providers, microfinance institutions, and development finance organisations.

According to the CBN, the CSAT is designed to evaluate the level of cyber risk across the financial system by examining key areas such as:

• Governance and oversight structures
• Risk management systems
• Technology infrastructure
• Third-party vulnerabilities
• Incident response readiness
• Overall operational resilience

The regulator explained that the tool will serve as a supervisory mechanism to better understand and monitor the cybersecurity posture of institutions.

Part of Broader Regulatory Mandate

The initiative is backed by provisions of the Banks and Other Financial Institutions Act (BOFIA) 2020, reinforcing the CBN’s role in safeguarding the stability of Nigeria’s financial system.

The bank noted that insights from the assessment will support risk-based supervision and improve its ability to respond to evolving cyber threats.

Strict Compliance and Verification Measures

The CBN emphasized that all submissions must be accurate, complete, and supported by relevant documentation. Institutions are required to provide data reflecting their cybersecurity status as of December 31, 2025.

Access to the submission portal will be granted to Chief Information Security Officers and other designated officials.

The regulator warned that any false or misleading information would be treated as a violation and could attract sanctions.

To ensure credibility, the CBN also plans to verify submissions through off-site reviews and supervisory checks.

Growing Focus on Cybersecurity

The directive comes amid rising concerns over digital fraud and cyber threats in Nigeria’s financial sector, which have continued to affect customer confidence and the growth of digital banking services.

With the new policy taking immediate effect, the CBN is signaling a stronger regulatory stance on cybersecurity as financial transactions increasingly move online.