CBN gives banks 21 days to grade their cyber defences

The Central Bank of Nigeria (CBN) is tightening the screws on cybersecurity, and this time, it wants the industry to grade itself first.

In a circular dated March 30, the CBN directed banks, fintechs, and other financial institutions to complete a new cybersecurity self-assessment tool (CSAT), a structured supervisory instrument designed to expose how prepared, or unprepared, they are for cyber threats.

Deposit money banks have three weeks to comply. Other financial institutions, including microfinance banks, payment service providers, payment service banks, finance companies, and development finance institutions, get five weeks.

The new directive is part of the regulator’s latest effort to strengthen Nigeria’s digital banking infrastructure against a surge in cyberattacks. 

According to Check Point Software Technologies, a cybersecurity platform provider, the Nigerian banking and financial sector recorded 4,718 weekly attacks in 2024.

Also, as instant payments continue to grow,  reaching ₦284.99 trillion ($185.66 billion) in the first quarter of 2025, the cyberattack surface has widened with money flowing through web, mobile apps, and agent networks.

Data from the Financial Institutions Training Centre (FITC) shows fraud losses jumped 603% year-on-year to ₦3.29 billion ($2.37 million) in Q1 2025, with more than 12,000 cases reported during the period.

The CBN’s latest move signals a shift from reactive enforcement to proactive surveillance, at a time when Nigeria’s financial system is becoming more digital and more vulnerable.

What the CBN is asking for

The CSAT goes deep into how institutions run their security and explores cybersecurity governance, who is accountable, and how seriously it is treated. It interrogates risk management frameworks, technology and third-party risks, incident response readiness, and overall operational resilience.

Insights from the CSAT, TechCabal learnt, are meant to support risk-based supervision and enhance regulatory oversight of cybersecurity risks across the financial system.

According to the CBN, all submissions must be fully completed and accompanied by relevant supporting documentation, where applicable, and the cut-off date for the data to be provided is December 31, 2025.

The CBN noted that all submissions must be accurate, complete, and verifiable. 

False or misleading data will attract sanctions, it stressed.