The Central Bank of Nigeria (CBN) has directed all deposit money banks to complete a mandatory cybersecurity self-assessment within three weeks, while other regulated financial institutions are given a five-week deadline. The order establishes a standardized evaluation process intended to strengthen sector resilience and improve regulatory oversight of digital vulnerabilities.
In a correspondence dated March 30, 2026, the apex bank announced the deployment of its Cybersecurity Self-Assessment Tool (CSAT). The structured framework requires financial institutions to report on governance models, risk management practices, core technology infrastructure, third-party vendor exposure, incident response protocols, and operational continuity measures. According to the regulator, the initiative fulfills statutory obligations under the Banks and Other Financial Institutions Act 2020 and will supply supervisors with a clear baseline of institutional security postures across Nigeria’s financial ecosystem.
Affected entities must submit completed evaluations through a dedicated digital portal, with access credentials issued directly to Chief Information Security Officers and authorized compliance personnel. All filings must include supporting documentation where applicable and accurately reflect each institution’s operational status as of December 31, 2025. The CBN stressed that submitted data must be precise and verifiable, warning that false or incomplete disclosures will trigger regulatory sanctions. To ensure reliability, the bank will cross-check reported information through off-site monitoring and targeted supervisory engagements.
The mandate follows a December 2025 advisory in which Nigerian lenders were instructed to upgrade digital security measures amid rising fraud incidents that have strained consumer confidence and constrained growth in electronic payment channels. As online transactions scale and fintech integration expands, financial authorities have prioritized cyber readiness as a core component of systemic stability.
The requirement takes immediate effect, marking a shift toward more rigorous, standardized threat evaluation within the Nigerian banking sector. Supervised institutions are expected to synchronize internal control frameworks with the CSAT parameters while regulators intensify risk-based oversight and reinforce minimum cybersecurity benchmarks across all licensed financial operators.
