The Central Bank of Nigeria (CBN) has given deposit money banks three weeks to complete a new Cybersecurity Self-Assessment Tool (CSAT), as part of intensified efforts to strengthen the resilience of the financial sector against rising cyber threats.
In a circular dated March 30, 2026, the apex bank directed all financial institutions — including banks, fintechs, payment service providers, microfinance banks, finance companies, and development finance institutions — to assess and report their cybersecurity preparedness using the structured supervisory instrument.
Deposit money banks have until April 20, 2026 (21 days from the circular date) to submit their assessments, while other financial institutions have five weeks, with a deadline of May 4, 2026.
The CSAT is designed to evaluate key areas such as cybersecurity governance, risk management frameworks, technology and third-party risks, incident response capabilities, and overall operational resilience. The CBN said the tool will help regulators adopt a more proactive, risk-based approach to supervision and improve oversight of cybersecurity vulnerabilities across the industry.
This latest directive comes amid a sharp rise in cyberattacks targeting Nigeria’s financial sector. According to cybersecurity firm Check Point Software Technologies, the banking and financial industry recorded 4,718 weekly attacks in 2024. Fraud losses also surged dramatically, jumping 603% year-on-year to ₦3.29 billion in the first quarter of 2025, with over 12,000 cases reported during the period.
The rapid growth of instant payments, which reached ₦284.99 trillion ($185.66 billion) in Q1 2025, has further expanded the cyberattack surface, as transactions increasingly occur through web platforms, mobile apps, and agent networks.
CBN Governor Olayemi Cardoso has repeatedly stressed the need for stronger cybersecurity measures as Nigeria’s financial system becomes more digital and interconnected. The self-assessment exercise is seen as a shift from reactive enforcement to proactive surveillance, ensuring that institutions are better prepared to detect, prevent, and respond to threats.
The CBN warned that all submissions must be accurate, complete, and verifiable, with false or misleading information attracting sanctions. Institutions are required to provide data as of December 31, 2025, along with any relevant supporting documentation.
This move is part of the regulator’s broader strategy to safeguard the integrity of the financial system, protect customer funds, and maintain public confidence in digital banking channels as Nigeria continues to deepen its digital economy.
Financial institutions are expected to treat the exercise with urgency, as the results will inform future supervisory actions and help shape industry-wide cybersecurity standards.
