The Central Bank of Nigeria has directed banks to complete a mandatory cybersecurity self-assessment within three weeks as part of measures to strengthen resilience across the country’s financial system.
In a letter dated March 30, 2026, and published on its website on Tuesday, the regulator said Deposit Money Banks must submit their completed Cybersecurity Self-Assessment Tool (CSAT) within three weeks, while other regulated institutions have up to five weeks to comply.
“Institutions are required to submit their completed CSAT within the following timelines: i. Three (3) weeks – Deposit Money Banks (DMBs); ii. Five (5) weeks – All other regulated institutions,” the apex bank stated.
The directive was addressed to Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions.
According to the CBN, the move aligns with its statutory mandate under the Banks and Other Financial Institutions Act 2020 and its commitment to strengthening cybersecurity standards across the financial sector.
The regulator explained that the Cybersecurity Self-Assessment Tool was introduced to evaluate the cyber risk exposure of regulated institutions and enhance oversight within Nigeria’s financial ecosystem.
“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the CBN said.
The tool will assess several critical areas, including governance structures, risk management frameworks, technology systems, third-party risk exposure, incident response capacity, and overall operational resilience.
The apex bank added that insights generated from the exercise would support risk-based supervision and help improve regulatory oversight of cybersecurity threats.
To ensure compliance, affected institutions are required to complete and submit the assessment through a dedicated portal. Access credentials will be communicated directly to Chief Information Security Officers and other relevant officials within the institutions.
The CBN emphasised that all submissions must be fully completed and supported with relevant documentation where applicable.
It also clarified that the information provided must reflect each institution’s cybersecurity position as of December 31, 2025.
The regulator warned against inaccurate or incomplete disclosures, stressing that transparency and accuracy are mandatory.
“Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable. Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions,” the bank said.
The apex bank further disclosed that it would validate submissions through off-site reviews and supervisory engagements to ensure the reliability of the information provided.
The directive, which takes immediate effect, signals tighter regulatory scrutiny of cyber risks in Nigeria’s banking sector amid rising digital transactions and increasing exposure to cyber threats.
Cybersecurity experts have repeatedly warned that growing digital banking adoption has also increased the risk of online fraud and cyberattacks.
A marketing professional in Nigeria’s financial services industry, Victor Ologun, noted that weak cyber defences could expose customers to higher risks and undermine trust in digital banking platforms.
Industry analysts say the CBN’s latest directive is expected to push financial institutions to strengthen their cyber defence frameworks and improve overall operational resilience.