In June 2018, the CBN published a draft of the Risk-Based Cyber Security Framework and Guidelines. The Framework, which will apply only to deposit money banks (DMBs) and payment service providers (PSPs), is designed to enhance the cybersecurity resilience of our banking and payment systems and thereby preserve user confidence.
The Framework contains a top-down approach for minimising cybersecurity risks and sets out responsibilities of the board and senior management of DMBs and PSPs. Going forward, every DMB and PSP must appoint a Chief Information Security Officer and establish an Information Security Steering Committee to oversee the cybersecurity programme approved by the Board.
The Framework also provides guidance on the risk management systems that DMBs and PSPs should adopt and how to assess their cybersecurity resilience. Once the Framework is adopted, DMBs and PSPs must submit copies of the results of their self-assessment to the CBN twice a year, and immediately report all cyber-incidents.
Speaking at the 2018 Nigeria – JP Morgan Chase Cybersecurity Conference, the Deputy-Governor, Financial System Stability, Mrs Aisha Ahmad, enumerated some of the cybersecurity threats that proper implementation of the Framework would mitigate, including identity theft, phishing, email spamming, dissemination of viruses, and hacking and theft.
The window for comments on the draft closed on 31 July 2018, so we can expect the CBN to publish the final Framework in the coming months. The draft Framework is available here.