The Central Bank of Nigeria (CBN) has instructed banks to complete a mandatory cybersecurity self-assessment within three weeks as part of efforts to strengthen resilience across the financial system.
In a letter dated March 30, 2026, and published on its website on Tuesday, the apex bank stated, “Institutions are required to submit their completed CSAT within the following timelines: i. Three (3) weeks – Deposit Money Banks (DMBs); ii. Five (5) weeks – All other regulated institutions.”
The mandate, targeted at banks, certain other financial institutions, and payment service providers, established a Cybersecurity Self-Assessment Tool (CSAT) to assess regulated companies’ cyber risk exposure.
The CBN added that the measure was consistent with its statutory duty under the Banks and Other Financial Institutions Act 2020, as well as its overall commitment to boosting cybersecurity standards in the industry.
“The Central Bank of Nigeria, in furtherance of its statutory mandate under the Banks and Other Financial Institutions Act (BOFIA) 2020 and consistent with its commitment to strengthening cybersecurity resilience across the financial sector, hereby notifies all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions of the deployment of its Cybersecurity Self-Assessment Tool,” the letter read.
According to the regulator, the CSAT is intended to serve as a supervisory tool, providing a comprehensive picture of financial institutions’ cybersecurity posture.
It stated that the tool would evaluate crucial areas such as governance structures, risk management frameworks, technology systems, third-party risk exposure, incident response capabilities, and overall operational resilience.
“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the CBN said.
The apex bank added that insights generated from the exercise would support risk-based supervision and enhance regulatory oversight of cybersecurity threats within Nigeria’s financial ecosystem.
To ensure compliance, the apex bank stated that all concerned institutions must complete and submit the evaluation via a dedicated site, with access credentials provided to their chief information security officers and other necessary personnel.
“All submissions must be fully completed and accompanied by relevant supporting documentation, where applicable,” it stated, noting that the data to be provided must reflect institutions’ positions as of December 31, 2025.
The CBN also warned against false or incomplete disclosures, stressing that accuracy and transparency would be strictly enforced.
“Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable. Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions,” the letter added.
It also announced measures to validate submissions through off-site reviews and supervisory interactions to ensure data reliability.
The rule, which takes effect immediately, suggests increased regulatory monitoring of cyber risks in the banking sector as digital transactions grow and cyber attacks become more prevalent.









