CBN mandates banks, others to undergo cybersecurity audit

The Central Bank of Nigeria has issued a mandatory directive to all financial institutions, including commercial banks and payment service providers, to submit comprehensive reports on their cybersecurity resilience.
This move, announced through the Compliance Department, marks the formal deployment of the Cybersecurity Self-Assessment Tool, a structured supervisory instrument designed to evaluate the industry's readiness against evolving digital threats.
According to the circular referenced CMD/DIR/PUB/ESSD/001/2026, the assessment covers critical operational areas such as cybersecurity governance, risk management practices, and third-party infrastructure controls.
The apex bank intends to use the data collected to enhance risk-based supervision and strengthen the overall resilience of the Nigerian financial system.
The initiative is backed by the statutory mandate provided under the Banks and Other Financial Institutions Act 2020.
The regulator has established a tiered timeline for compliance, requiring Deposit Money Banks to complete their submissions through a dedicated portal within three weeks.
All other regulated entities, including Microfinance Banks and Development Finance Institutions, have been granted a five-week window to finalize their reports. All submissions must reflect the institutions' status as of the December 31, 2025, cut-off date and must be accompanied by verifiable supporting documentation.
Olubunmi Ayodele-Oni, writing for the Director of the Compliance Department, emphasized that the central bank will undertake rigorous validation exercises to ensure the reliability of the data.
The directive explicitly warns that providing inaccurate or misleading information constitutes a regulatory breach.
This oversight measure arrives at a critical time as the banking sector continues to expand its digital footprint, necessitating a more transparent and robust security posture across all licensed financial operators.
