The Central Bank of Nigeria (CBN) has introduced a mandatory Cybersecurity Self-Assessment Tool (CSAT) for all regulated financial institutions, in a decisive move to strengthen the resilience of Nigeria’s banking sector against escalating cyber threats.
The apex bank said in a statement that the initiative is anchored on its statutory mandate under the Banks and Other Financial Institutions Act 2020, reinforcing its oversight role in safeguarding financial system stability.
The CSAT is designed as a supervisory instrument to evaluate the robustness of cybersecurity frameworks across banks and other financial entities. It focuses on critical areas such as risk management protocols, incident response mechanisms, governance structures, and controls around third-party technologies.
According to the CBN, the tool will provide “comprehensive information on the cybersecurity posture of regulated institutions,” enabling more effective risk-based supervision and strengthening regulatory oversight across the financial system.
“It covers key areas including cybersecurity governance, risk management practices, technology and third-party risk controls, incident response capabilities, and overall operational resilience,” the statement noted.
All affected institutions are required to complete and submit the assessment via a dedicated portal, with access credentials and guidelines to be communicated to Chief Information Security Officers and other designated officials.
Compliance timeline, sanctions
The CBN set clear compliance deadlines for submissions:
- Deposit Money Banks (DMBs): 3 weeks
- Other institutions, including Microfinance Banks (MFBs), Payment Service Providers (PSPs), and fintechs: 5 weeks
Submissions must reflect each institution’s cybersecurity status as of December 31, 2025. The apex bank added that validation exercises, including off-site reviews, will be conducted to verify the integrity of submitted data.
It warned that any false or misleading disclosures will attract regulatory sanctions.
Stronger anti-fraud measures
The CSAT rollout follows a series of recent regulatory actions by the CBN to curb fraudulent activities within the banking system.
In March 2026, the bank issued an addendum to its revised framework on Bank Verification Number (BVN) operations, introducing stricter controls on suspected fraudulent transactions, identity management, and data access.
Under the updated guidelines, financial institutions are required to maintain a temporary watch-list for BVNs linked to suspicious transactions. Such BVNs may remain flagged for up to 24 hours, within which the account holder must be contacted for clarification.
The measures, according to the CBN, are aimed at strengthening fraud monitoring systems, improving identity verification processes, and safeguarding the integrity of financial transactions nationwide.
Towards automated financial crime detection
The latest directive builds on the CBN’s broader push towards automated financial crime detection, a regulatory shift that industry observers say positions Nigeria ahead of several advanced markets in proactive risk monitoring.
Under this evolving framework, banks, fintechs, and payment companies are expected to demonstrate full compliance with enhanced standards within an 18-month window—marking a significant transition from routine regulatory filings to a more data-driven, real-time supervisory regime.

