The Central Bank of Nigeria (CBN) on Wednesday released the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (OFIs), following the recent increase in the number and sophistication of cybersecurity threats against financial institutions.
The central bank has set January 1, 2023, as the effective date for full compliance with the provisions of the guidelines.
The bank said that strengthening their cyber defences had become mandatory for institutions if they were to remain safe and sound.
The circular dated June 29, 2022, and signed by Nkiru Asiegbu, Director of OFIs Department, was addressed to all OFIs under the regulation of the banking sector regulator.
The apex bank added that the guidelines represented the minimum requirements to be put in place by all OFIs.
The regulator stressed that the safety and soundness of OFIs required that they operate in a safe and secure environment. Hence, the platform on which information is processed and transmitted should be managed in a way that ensures the confidentiality, integrity and availability of information, as well as the avoidance of financial loss and reputational risk, among others.
The CBN noted that, considering the reliance of financial institutions on information and communications technology (ICT) to operate their business and the rising incidence of cyber threats and attacks targeted at financial institutions, it had become necessary to implement cybersecurity measures to mitigate those risks.
The bank specifically noted that threats including ransomware, targeted phishing attacks and Advanced Persistent Threats (APT) had become prevalent, demanding that financial institutions boost cyber resilience as well as take proactive steps to secure their critical information assets to ensure their safety and soundness.
The objective of the guidelines is, among other things, to create a safer and more secure cyber environment that supports information system security and promotes the stability of the OFI sub-sector.
It also seeks to promote and maintain public trust and confidence in the sub-sector as well as contribute towards the prevention and combating of cybercrime in the OFI sub-sector.
Essentially, the framework provides a risk-based approach to managing cybersecurity risk and consists of six parts: Cybersecurity Governance and Oversight; Cybersecurity Risk Management System; Cyber Resilience Assessment; Cybersecurity Operational Resilience; Cyber-Threat Intelligence; and Metrics, Monitoring and Reporting.
The document also explained the roles of the board of directors in relation to cybersecurity as well as the appointment and responsibilities of the Chief Information Security Officer (CISO) among others.