THE CBN RISK-BASED CYBERSECURITY FRAMEWORK

Nigeria's Guide to Cybersecurity in the Financial Services Industry

The Central Bank of Nigeria

The Central Bank of Nigeria (CBN) is the apex bank in Nigeria. It is primarily tasked with regulating the activities of the Nigerian financial services industry and administering the Banks and Other Financial Institutions (BOFI) Act (1991), with the sole aim of ensuring high standards of banking practice and financial stability.

As part of its objectives to promote a sound financial system in Nigeria, the CBN is giving greater consideration to cybersecurity operational resilience in Nigeria's financial services industry. This is because, in recent times, cybersecurity threats targeted at the financial services industry have increased in both number and sophistication (ransomware, targeted phishing attacks and advanced persistent threats are now more prevalent).

Consequently, in response to the rate of cyber-attacks targeted at financial institutions, the CBN, in July 2018, released the CBN Risk-Based Cybersecurity Framework and Guidelines ("CBN Framework") to guide Deposit Money Banks (DMBs) and Payment Service Providers (PSPs) in running their cybersecurity programmes.

The CBN Framework

The CBN Framework is a set of guidelines issued by the CBN, Nigeria's apex bank, in June 2018 to serve as the minimum requirements for the cybersecurity programmes of DMBs and PSPs. The CBN has mandated all DMBs/PSPs to comply with all the CBN Framework requirements by 1 January 2019. The Framework outlines the activities Nigerian DMBs and PSPs must undertake to attain the expected cybersecurity maturity level.

Specifically, some of the key expectations of DMBs/PSPs as contained in the Framework are:

  • Strengthen cybersecurity governance by ensuring that the Board provides leadership for the firm's cyber programme
  • Appoint a CISO who would oversee the firm's end-to-end cybersecurity programme
  • Perform regular cybersecurity self-assessments and submit an annual assessment by 31 March
  • Set up a security operations centre (SOC)
  • Develop cyber-threat intelligence capabilities.

For simplicity, the Framework is divided into 5 domains:

  • Cybersecurity Governance and Oversight: This domain outlines the need for DMBs' and PSPs' Boards of Directors and Senior Management to provide strategic leadership, oversight and corporate governance for their cybersecurity programme. Here, the CBN mandates these executives to take a hands-on approach by participating in cybersecurity awareness training, receiving and reviewing quarterly cybersecurity summary reports, and approving relevant cybersecurity policies and budgets. The CBN also mandates the creation of an Information Security Steering Committee to directly oversee the cybersecurity programme and report to the Board of Directors.
  • Cybersecurity Risk Management System: The CBN mandates DMBs and PSPs to adequately assess the cybersecurity risks posed to their information systems and to proactively implement measures and controls to mitigate these risks. DMBs and PSPs are also required to develop a cybersecurity strategy which defines a target (and actionable steps to be taken to attain the target).
  • Cybersecurity Operational Resilience: DMBs and PSPs are mandated to develop capabilities and implement controls to ensure that, in the event of a cyber-attack, normal operations can resume with minimal loss of data and time. DMBs and PSPs are also mandated to assess these capabilities and controls and to send an annual cybersecurity self-assessment report to the Central Bank of Nigeria.
  • Metrics, Monitoring & Reporting: The CBN mandates DMBs and PSPs to implement metrics and monitoring processes to ensure compliance with the Framework and to provide feedback on the effectiveness of implemented controls. DMBs and PSPs are also required to report all cybersecurity threats, incidents and attacks to the Central Bank of Nigeria.
  • Compliance with Statutory & Regulatory Requirements: The CBN mandates DMBs and PSPs to comply with the CBN Framework by 1 January 2019.

The full text of the CBN Risk-Based Cybersecurity Framework (Exposure Draft) is available from the CBN.