The Central Bank of Nigeria (CBN) has issued cybersecurity guidelines for other financial institutions (OFIs) "as a result of the recent increase in the number of sophistication of cybersecurity threats."
In a letter to all OFIs dated June 29, 2022, Nkiru Aseigbu, CBN's Director of OFIs Supervision Department said "it has become mandatory for institutions to strengthen their cyber defences if they are to remain safe and sound."
"In recent times, threats such as ransomware, targeted phishing attacks and Advanced Persistent Threats (APT) have become prevalent, demanding that financial institutions, including OFIs, strengthen their cyber resilience and take proactive steps to secure their critical information assets to ensure their safety and soundness," the guidelines [PDF] stated.
According to the letter, the provisions of the guideline become effective on January 1, 2023. The 41-page document comprises six parts: cybersecurity governance and oversight; cybersecurity risk management system; cyber resilience assessment; cybersecurity operational resilience; cyber-threat intelligence; and metrics, monitoring, and reporting.
This guideline was released a few days after MTN Nigeria's MoMo Payment Service Bank charged 18 Nigerian commercial banks in court to seek a refund for ₦22.3 billion ($53.7 million) "erroneously transferred to 8,000 bank customers" due to a cyber breach.
The latest cybersecurity guideline mandates every OFI to designate a Chief Information Security Officer (CISO) whose responsibility includes mitigation of cybersecurity risks. The CBN also stated that they should possess relevant Information Security Certifications including but not limited to Certified Information Systems Security Professional (CISSP).
Meanwhile, OFIs with more than 30 employees will have to create an Information Security Steering Committee (ISSC) that will consist of relevant representatives from departments within the OFI, and the committee will be led by the CISO. Non-compliance with the framework and guidelines will attract sanctions as determined by the CBN in line with the CBN Act and the Banks and Other Financial Institutions Act (BOFIA).
"OFIs should note that for a cybersecurity programme to be successful, it must be fully integrated into their business goals and objectives, and must be an integral part of the overall risk management processes," the guidelines stated.
What does the CBN's cybersecurity framework for OFIs want to achieve?
- Create a safer and more secure cyber environment that will support information system security and ultimately ensure the stability of OFIs.
- Contribute towards fighting/preventing cybercrime in the OFIs sector.
- Promote the adoption of best practices and appropriate cybersecurity standards by OFIs.
- Promote and maintain public trust in OFIs.
- Promote a cybersecurity culture and continuous awareness.