News Highlights:
- The CBN has mandated banks and other financial institutions to complete a Cybersecurity Self-Assessment Tool (CSAT), with strict deadlines of three weeks for Deposit Money Banks and five weeks for others.
- The regulator warned that inaccurate or misleading submissions will attract sanctions, as the exercise will feed into tighter risk-based supervision and enhanced oversight of cyber threats across Nigeria’s financial system.
The Central Bank of Nigeria (CBN), Nigeria’s banking regulator, is ramping up scrutiny of cyber risks, directing financial institutions to conduct and submit a comprehensive self-assessment of their cybersecurity posture within strict timelines, as digital threats continue to evolve across the sector.
In a letter dated March 30, 2026, and published on Tuesday, the Central Bank of Nigeria (CBN) introduced a mandatory Cybersecurity Self-Assessment Tool (CSAT) aimed at evaluating the exposure of regulated entities to cyber risks.
The directive applies to banks, selected financial institutions, and payment service providers, with the apex bank setting clear deadlines for compliance.
“Institutions are required to submit their completed CSAT within the following timelines: i. Three (3) weeks – Deposit Money Banks (DMBs); ii. Five (5) weeks – All other regulated institutions,” the CBN stated.
Framing the move within its legal and supervisory mandate, the regulator emphasized that the initiative aligns with its responsibilities under the Banks and Other Financial Institutions Act 2020 and its broader push to reinforce cybersecurity standards.
“The Central Bank of Nigeria, in furtherance of its statutory mandate under the Banks and Other Financial Institutions Act (BOFIA) 2020 and consistent with its commitment to strengthening cybersecurity resilience across the financial sector, hereby notifies all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions of the deployment of its Cybersecurity Self-Assessment Tool,” the letter read.
According to the CBN, the CSAT will serve as a structured supervisory instrument, offering regulators deeper visibility into institutions’ cybersecurity frameworks. It is designed to assess critical areas such as governance structures, risk management systems, technology infrastructure, third-party exposures, incident response capabilities, and overall operational resilience.
“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the apex bank said.
Insights derived from the exercise, the regulator noted, will strengthen risk-based supervision and enhance oversight of cyber threats within Nigeria’s financial ecosystem.
To ensure uniform compliance, affected institutions are required to submit their assessments via a dedicated portal, with login credentials to be shared directly with Chief Information Security Officers and other designated officials.
“All submissions must be fully completed and accompanied by relevant supporting documentation, where applicable,” the CBN added, specifying that all data must reflect institutions’ positions as of December 31, 2025.
The bank also issued a stern warning on data integrity, stressing that transparency is non-negotiable. “Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable. Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions,” the letter added.
Further reinforcing its oversight stance, the CBN disclosed that submissions will undergo validation through off-site reviews and supervisory engagements to confirm their accuracy.
The directive, which takes immediate effect, underscores a shift toward tighter regulatory control of cyber risks in Nigeria’s banking industry, especially as the surge in digital transactions continues to heighten exposure to cyber threats.
The move follows earlier concerns raised in December 2025, when banks were urged to strengthen their cybersecurity systems amid rising digital fraud incidents that have continued to erode customer trust and slow the growth of the country’s digital banking ecosystem.
