The Central Bank of Nigeria has introduced a mandatory cybersecurity self-assessment regime for lenders and fintech firms, stepping up oversight as digital fraud and cyber risks rise across the financial system.
In a statement issued in Abuja on March 30, 2026, the regulator said all licensed institutions must complete a Cybersecurity Self-Assessment Tool (CSAT), a move designed to give supervisors deeper visibility into banks’ risk controls and incident response capabilities.
The directive, signed by Olubunmi Ayodele-Oni on behalf of the CBN’s Compliance Department, is anchored on the Banks and Other Financial Institutions Act (BOFIA) 2020 and forms part of broader efforts to strengthen operational resilience.
The CSAT will require institutions to disclose detailed information on governance structures, cyber risk management, third-party technology exposure and response readiness to attacks. The regulator said the tool would serve as a core supervisory instrument, enabling risk-based oversight of vulnerabilities across the sector.
“Insights derived from the CSAT will support risk-based supervision and enhance regulatory oversight of cybersecurity risks,” the CBN said.
All regulated entities are required to submit their assessments through a dedicated portal, with access credentials to be issued to chief information security officers and other designated officials.
The rollout comes weeks after the central bank tightened controls on fraud monitoring and identity management within the banking system. In a circular dated March 12, 2026, the CBN amended its framework for Bank Verification Number (BVN) operations, introducing additional safeguards to track suspicious transactions.
Under the revised rules, banks must place BVNs linked to suspected fraud on a temporary watch list for up to 24 hours while customers are contacted for clarification. The measure is aimed at curbing illicit transfers and strengthening real-time response to fraud alerts.
The CSAT framework extends that push into cybersecurity, an area regulators globally are prioritising as financial services become increasingly digitised. Nigerian banks and fintech firms have expanded rapidly in recent years, exposing the system to more complex technology and third-party risks.
The CBN said compliance timelines will vary by institution type. Deposit Money Banks have three weeks to complete and submit the assessment, while microfinance banks, payment service providers and fintech companies have five weeks.
Submissions must reflect each institution’s cybersecurity posture as of December 31, 2025. The central bank will conduct validation exercises, including off-site reviews, to verify the accuracy of disclosures.
The regulator warned that false or misleading submissions would attract sanctions, signalling a stricter enforcement stance as it seeks to standardise cybersecurity practices across the industry.
The move effectively introduces a uniform benchmarking framework, allowing the CBN to compare institutions and identify systemic weaknesses. It also aligns Nigeria’s regulatory approach more closely with global standards that emphasise continuous monitoring and proactive risk management.
For banks, the requirement is expected to increase compliance costs in the short term, particularly for smaller lenders and fintech firms with less mature security infrastructure. However, analysts say the measure could strengthen confidence in the financial system over time by reducing exposure to cyber incidents and fraud losses.
The CBN did not specify whether the CSAT would be a one-off exercise or part of a recurring supervisory cycle, though the structure suggests it could evolve into a periodic reporting requirement.
As digital transactions continue to grow, regulators are under pressure to balance innovation with risk containment. The CSAT rollout indicates the CBN is moving to close supervisory gaps before vulnerabilities translate into systemic threats.
The initiative places cybersecurity alongside liquidity and capital adequacy as a key pillar of regulatory scrutiny, underscoring the increasing role of technology risk in financial stability.