CBN rolls out cybersecurity tool for banks, sets compliance deadlines
The Central Bank of Nigeria (CBN) has introduced a new cybersecurity assessment tool for banks and other financial institutions as part of efforts to strengthen the safety of Nigeria’s financial
The Central Bank of Nigeria (CBN) has introduced a new cybersecurity assessment tool for banks and other financial institutions as part of efforts to strengthen the safety of Nigeria’s financial system.
In a circular dated March 30, 2026, the apex bank directed all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions to complete and submit the Cybersecurity Self-Assessment Tool (CSAT).
The circular, titled “Deployment of Cybersecurity Self-Assessment Tool (CSAT)” and signed by Olubunmi Ayodele-Oni for the Director of the Compliance Department, said the initiative aligns with the provisions of the Banks and Other Financial Institutions Act.
According to the CBN, the CSAT is designed to assess how well financial institutions are prepared to prevent and respond to cyber threats. “The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the bank said.
It explained that the tool will examine key areas such as cybersecurity governance, risk management, control of technology and third-party risks, ability to respond to cyber incidents, and overall operational strength.
The apex bank said information gathered through the exercise will help it monitor risks more effectively and improve oversight across the financial system. “Insights derived from the CSAT will support risk-based supervision and enhance regulatory oversight of cybersecurity risks,” it said.
The CBN directed all affected institutions to submit their responses through a dedicated online portal, adding that login details and guidelines will be sent to their Chief Information Security Officers and other relevant officials.
It gave Deposit Money Banks three weeks to complete and submit the assessment, while other financial institutions have five weeks to comply. “All submissions must be fully completed and accompanied by relevant supporting documentation,” the bank said, adding that the data required should reflect the institution’s position as of December 31, 2025.
The regulator warned that all provided information must be accurate and verifiable, stressing that false or misleading submissions will attract penalties. “Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions,” the CBN said.
It added that it will carry out verification checks, including off-site reviews and further supervisory engagements, to confirm the accuracy of the submitted data.
The CBN said the directive takes immediate effect, urging all institutions to comply within the specified timelines.
