The Central Bank of Nigeria has directed banks to complete a mandatory cybersecurity self-assessment within a set timeline as part of efforts to strengthen resilience across the financial system.
In a letter dated March 30, 2026, and published on its website on Tuesday, the apex bank said, “Institutions are required to submit their completed CSAT within the following timelines: i. Three (3) weeks – Deposit Money Banks (DMBs); ii. Five (5) weeks – All other regulated institutions.”
The directive, addressed to banks, selected other financial institutions, and payment service providers, introduced a Cybersecurity Self-Assessment Tool to evaluate the cyber risk exposure of regulated entities.
The CBN said the move aligns with its statutory mandate under the Banks and Other Financial Institutions Act 2020 and its effort to improve cybersecurity standards in the sector.
“The Central Bank of Nigeria, in furtherance of its statutory mandate under the Banks and Other Financial Institutions Act (BOFIA) 2020 and consistent with its commitment to strengthening cybersecurity resilience across the financial sector, hereby notifies all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions of the deployment of its Cybersecurity Self-Assessment Tool,” the letter read.
ALSO READ: CBN gives new update on instant transfers, dormant accounts
The apex bank explained that the CSAT is designed as a supervisory instrument to provide a clear view of financial institutions’ cybersecurity posture.
It added that the tool will assess key areas such as governance structures, risk management frameworks, technology systems, third-party risk exposure, incident response capacity, and overall operational resilience.
“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the CBN said.
The bank noted that insights from the exercise will support risk-based supervision and strengthen oversight of cybersecurity threats within Nigeria’s financial system.
Earlier in December 2025, banks in Nigeria were urged to strengthen their cybersecurity systems as rising digital fraud continued to affect customer trust and slow the growth of digital banking.
In the latest directive, the CBN asked banks to ensure compliance, stating that all affected institutions must complete and submit the assessment through a dedicated portal. Access details will be sent to Chief Information Security Officers and other relevant officials.
“All submissions must be fully completed and accompanied by relevant supporting documentation, where applicable,” it stated, adding that the data provided must reflect institutions’ positions as of December 31, 2025.
The CBN also warned against false or incomplete disclosures.
“Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable. Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions,” the letter added.
It also said submissions will be reviewed through off-site checks and supervisory engagements to confirm the accuracy of the data.
The directive takes immediate effect, signalling closer regulatory attention to cyber risks in the banking sector as digital transactions continue to grow.