CBN Gives Banks 21 Days to Grade Their Cyber Defences

Nigeria’s financial landscape is rapidly digitizing, with instant‑payment volumes soaring to $185.66 billion in the first quarter of 2025. This acceleration has attracted a wave of cyber activity; Check Point reports over 4,700 weekly attacks on banks in 2024, and fraud losses exploded by more than six‑fold to $2.37 million in just three months. The expanding attack surface—spanning web portals, mobile apps and agent networks—has pressured regulators to move beyond reactive enforcement and adopt a more preventive stance.

The Central Bank of Nigeria’s new Cybersecurity Self‑Assessment Tool (CSAT) forces deposit banks to submit a detailed scorecard within 21 days, while other licensed entities have five weeks. The questionnaire probes governance structures, risk‑management frameworks, third‑party vendor controls, incident‑response plans and overall operational resilience. By aggregating this data, the CBN can apply risk‑based supervision, targeting resources toward institutions with the weakest controls. The requirement for verifiable documentation and the threat of sanctions underscore the regulator’s intent to raise the baseline of cyber hygiene across the sector.

Globally, regulators are tightening cyber oversight, and Nigeria’s CSAT aligns with trends seen in the EU’s DORA framework and the U.S. OCC’s cyber‑risk guidelines. For Nigerian banks, compliance will likely drive investment in security architectures, staff training and third‑party risk vetting, potentially reducing the $2.37 million fraud loss trajectory. Moreover, transparent self‑rating can improve stakeholder confidence, attracting foreign capital to a market eager to showcase robust digital safeguards. As the country’s payment ecosystem continues to expand, sustained regulatory vigilance will be essential to prevent cyber incidents from undermining financial stability.