Introduction
On June 29, 2022, the Central Bank of Nigeria ("CBN") issued the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (the "Framework"). This was issued in furtherance of the CBN's commitment to ensure the security of the banking sector. The Framework contains cybersecurity programs and mechanisms designed to combat modern cyberattacks that financial institutions face.
This article highlights the salient provisions of the Framework.
Who is affected?
The Framework sets the minimum level of cybersecurity for all Other Financial Institutions ("OFIs"). Under the Banks and Other Financial Institutions Act 2020 ("BOFIA"), OFIs are defined to include all Discount Houses, Bureaux de Change, Credit Bureaux, Finance Companies or Money Brokerages, International Money Transfer Services, Mortgage Refinance Companies, Mortgage Guarantee Companies, Credit Guarantee Companies and Financial Holding Companies.
It is pertinent to note that, although the BOFIA defines Payment Service Providers ("PSPs") as OFIs, PSPs appear not to be covered by this Framework. PSPs are instead regulated under the 2018 CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers.
What are the salient provisions of the Framework?
- Cybersecurity Governance and Oversight: OFIs are required to establish cybersecurity governance, which includes:
  - ensuring cybersecurity is a standing agenda item at the Board meetings and Senior Management meetings of all OFIs;
  - ensuring a quarterly report on the cybersecurity status of the OFI is prepared by Senior Management and reviewed by the Board of Directors;
  - preparing a cybersecurity framework, which is to be submitted to the Director of the Other Financial Institutions Supervision Department of the CBN (the "Director").
- Appointment of a Chief Information Security Officer (CISO): Every OFI is required to appoint a CISO, who shall be primarily responsible for day-to-day cybersecurity activities. However, for small OFIs such as Unit Tier 2 MFBs, the head of IT or a part-time consultant may be appointed as the CISO.
- Establishment of an Information Security Steering Committee (ISSC): All OFIs with over 30 employees are required to establish an ISSC responsible for enforcing the policies developed to manage cybersecurity risks in the organisation. For OFIs with fewer than 30 employees, the responsibilities of the ISSC may be carried out by a relevant management committee, provided that the CISO is a member and leads on all cybersecurity issues.
- Implementing a Cybersecurity Risk Management System: Each OFI is required to implement a cybersecurity risk management system based on the threats, vulnerabilities and risk tolerance of the OFI.
- Resilience Assessment and Internal Audits: OFIs are required to conduct regular cybersecurity resilience assessments and internal audits to mitigate their risk exposure and ascertain the adequacy of the cybersecurity measures in place.
- Returns to the CBN: A report of the cybersecurity self-assessment, signed by the CISO, shall be submitted to the Director every year on or before March 31. OFIs are also required to promptly report to the Director all potential cyber-threats to their information assets.
- Compliance with other CBN Guidelines: OFIs are to ensure compliance with all other CBN directives and all relevant laws, including the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.
Conclusion
The Framework becomes fully effective on January 1, 2023. OFIs are, however, advised to begin implementing its requirements now to ensure full compliance by the effective date.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.