CBN Deploys Cybersecurity Self-Assessment Tool for Banks and Financial Institutions
By Patience Ikpeme
The Central Bank of Nigeria (CBN) has announced the deployment of a new Cybersecurity Self-Assessment Tool (CSAT) aimed at strengthening the digital resilience of the nation’s financial sector. This move aligns with the apex bank’s statutory mandate under the Banks and Other Financial Institutions Act (BOFIA) 2020 to ensure a secure and stable financial environment.
In a circular issued on March 30, 2026, titled “Letter to Banks, Selected Other Financial Institutions and Payment Service Providers: Deployment of Cybersecurity Self-Assessment Tool (CSAT),” the regulator notified all Deposit Money Banks, Payment Service Banks, Microfinance Banks, and other financial entities of the mandatory reporting requirement. The document, signed by Olubunmi Ayodele-Oni for the Director of the Compliance Department, describes the CSAT as a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions.
The regulator noted that the assessment covers several critical operational areas, including cybersecurity governance, risk management practices, technology and third-party risk controls, incident response capabilities, and overall operational resilience. According to the apex bank, insights derived from the tool will support risk-based supervision and enhance regulatory oversight of cybersecurity risks across the entire financial system.
To facilitate the process, the CBN directed all referenced institutions to complete and submit the assessment through a dedicated online portal. Access credentials and detailed guidance for the exercise are expected to be communicated directly to Chief Information Security Officers and other relevant officials within the various organizations.
The circular specified strict timelines for compliance, granting Deposit Money Banks three weeks to complete their submissions, while all other regulated institutions have a five-week window. The regulator further clarified that the cut-off date for the data to be provided in this exercise is December 31, 2025.
Supervised institutions received a stern reminder that all information submitted to the CBN must be accurate, complete, and verifiable. The apex bank warned that the submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions in accordance with the provisions of BOFIA 2020.
To ensure the integrity of the data, the CBN stated that it will undertake validation exercises, including off-site reviews and supervisory engagements, to verify the reliability of the information provided by the banks. The directive, which takes immediate effect, encourages institutions requiring clarification to contact the Enterprise Security Supervision Division of the Compliance Department.
