CBN Orders Banks to Complete Cybersecurity Self-Assessment Within Five Weeks
The Central Bank of Nigeria (CBN) has moved to strengthen cybersecurity oversight across the financial system, mandating banks and other regulated institutions to within three to five weeks, conduct a comprehensive self-assessment of their cyber resilience as digital risks intensify.
In a circular issued on March 30, the apex bank directed deposit money banks, payment service banks, microfinance lenders, fintechs, and other financial institutions to complete its newly deployed Cybersecurity Self-Assessment Tool (CSAT), a structured framework designed to evaluate firms’ exposure to cyber threats and their capacity to respond.
The move signals a shift toward deeper, risk-based supervision as regulators respond to the rapid growth of digital banking and electronic payments, which has expanded the potential attack surface for cybercriminals and heightened systemic vulnerabilities.
According to the CBN, the tool will capture detailed information on cybersecurity governance, risk management practices, third-party exposures, incident response capabilities, and overall operational resilience. Insights generated from the exercise are expected to guide supervisory actions and strengthen regulatory oversight of technology risks across the sector.
Banks have been given a tight timeline of three weeks to complete and submit the assessment, while other regulated institutions have five weeks, underscoring the urgency the regulator is placing on cybersecurity preparedness. All submissions must reflect data as of December 31, 2025, and be accompanied by supporting documentation where applicable.
The Central bank warned that inaccurate or misleading disclosures would constitute a regulatory breach, with institutions facing sanctions under the Banks and Other Financial Institutions Act. It added that submissions would be subject to validation through off-site reviews and further supervisory engagements.
The directive comes amid rising concerns over cyber threats targeting financial institutions globally, with increasing reliance on digital platforms, third-party service providers, and cloud infrastructure exposing banks to more complex and evolving risks.
For Nigeria’s banking sector, the policy is likely to heighten compliance obligations and accelerate investments in cybersecurity infrastructure, governance frameworks, and risk management systems. Smaller institutions, including microfinance banks and fintech firms, may face steeper adjustment costs as they work to align with the new requirements.
Analysts say the CBN’s move could ultimately strengthen confidence in the financial system by ensuring that institutions adopt more robust safeguards against cyber incidents that could disrupt operations or erode customer trust.
The deployment of the CSAT also positions Nigeria alongside global regulatory trends, where Central Banks are increasingly prioritising cyber resilience as a core pillar of financial stability, particularly as digital finance deepens across emerging markets.
