Introduction

On June 29, 2022, the Central Bank of Nigeria ("CBN") issued the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (the "Framework"). This was issued in furtherance of the CBN's commitment to ensure the security of the banking sector. The Framework contains cybersecurity programs and mechanisms designed to combat modern cyberattacks that financial institutions face.

This article highlights the salient provisions of the Framework.

Who is affected?

The Framework provides the minimum level of cybersecurity for all Other Financial Institutions ("OFIs"). Under the Bank and Other Financial Institutions Act 2020 ("BOFIA"), OFIs are defined to include all Discount Houses, Bureau de Change, Credit Bureau, Finance Companies or Money Brokerage, International Money Transfer Services, Mortgage Refinance Companies, Mortgage Guarantee Companies, Credit Guarantee Companies, Financial Holding Companies.

It is pertinent to note that though the BOFIA defined Payment Service Providers ("PSPs") as OFIs, it appears that PSPs are not covered by this Framework. PSPs are, however, regulated under the 2018 CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers.

What are the salient provisions of the Framework?

  1. Cybersecurity Governance and Oversight: OFIs are required to establish cybersecurity governance, which includes:

    1. ensuring cybersecurity is a standing agenda item at the Board meetings and Senior Management meetings of all OFIs;
    2. ensuring a quarterly report on the cybersecurity status of the OFI is prepared by Senior Management and reviewed by the Board of Directors;
    3. preparing a cybersecurity framework to be submitted to the Director of the Other Financial Institutions Supervision Department of the CBN (the "Director").

  2. Appointment of a Chief Information Security Officer (CISO): Every OFI is required to appoint a CISO, who shall be primarily responsible for day-to-day cybersecurity activities. However, for small OFIs such as Unit Tier 2 MFBs, the head of IT or a part-time consultant may be appointed as the CISO.

  3. Establishment of an Information Security Steering Committee (ISSC): All OFIs with more than 30 employees are required to establish an ISSC responsible for enforcing the policies developed to manage cybersecurity risks in the organisation. For OFIs with fewer than 30 employees, the responsibilities of the ISSC may be carried out by a relevant management committee, provided that the CISO is a member and leads on all cybersecurity issues.

  4. Implementing a Cybersecurity Risk Management System: Each OFI is required to implement a cybersecurity risk management system based on the threats, vulnerabilities and tolerance of the OFI.

  5. Resilience Assessment and Internal Audits: OFIs are required to conduct regular cybersecurity resilience assessments and internal audits to mitigate their risk exposure and ascertain the adequacy of the cybersecurity measures in place.

  6. Returns to the CBN: A report of the cybersecurity self-assessment, signed by the CISO, shall be submitted every year on or before March 31 to the Director. OFIs are also required to promptly report to the Director all potential cyber-threats to their information assets.

  7. Compliance with other CBN Guidelines: OFIs are to ensure compliance with all other CBN directives and all relevant laws, including the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.

Conclusion

The Framework is set to become fully effective from January 1, 2023. OFIs are, however, advised to commence implementing the requirements of the Framework now to ensure full compliance by the effective date.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.