
The Central Bank of Nigeria (CBN) has ordered banks, fintechs and other licensed financial institutions to complete a new cybersecurity self-assessment within the next few weeks, as regulators respond to a surge in digital attacks on the country’s financial system.
In a circular dated March 30, the apex bank introduced a Cybersecurity Self-Assessment Tool (CSAT), a structured questionnaire-style framework that requires each institution to evaluate how prepared it is for cyber threats and document its security posture.
Under the directive, deposit money banks have three weeks to complete and submit the CSAT, while other categories of financial institutions have five weeks. Those covered include:
- Microfinance banks
- Payment service providers
- Payment service banks
- Finance companies
- Development finance institutions
The CBN positions the tool as part of a broader push to harden Nigeria’s digital banking infrastructure. The move reflects a shift from responding to incidents after they occur to building ongoing, data-driven surveillance of cyber risk across the sector.
The new requirement comes against a backdrop of intensifying cyberthreats and rapidly growing digital transaction volumes.
Data from Check Point Software Technologies, a cybersecurity platform provider, shows that Nigeria’s banking and financial sector recorded 4,718 weekly cyberattacks in 2024. At the same time, instant payments continue to rise sharply, reaching ₦284.99 trillion (about $185.66 billion) in the first quarter of 2025 alone. With more money moving through web platforms, mobile apps and agent networks, the potential attack surface has expanded significantly.
The impact is showing up in fraud numbers. Figures from the Financial Institutions Training Centre (FITC) indicate that fraud losses jumped 603% year-on-year to ₦3.29 billion (around $2.37 million) in Q1 2025, with more than 12,000 reported cases in that period.
CBN’s latest instructions are intended to respond to this combination of heavier digital usage and growing vulnerability by forcing institutions to map and disclose their own weak points.
According to information seen by TechCabal, the CSAT digs into how institutions organise and execute cybersecurity, including:
- Governance and accountability: how cybersecurity is overseen internally, who is responsible, and how seriously leadership treats it.
- Risk management frameworks: how cyber risks are identified, assessed and managed on an ongoing basis.
- Technology and third-party risk: how institutions handle dependencies on vendors, partners and outsourced technology.
- Incident response readiness: how prepared they are to detect, respond to and recover from cyber incidents.
- Operational resilience: how well critical services can be maintained or restored during disruptions.
The regulator intends to use insights from the CSAT to strengthen “risk-based supervision” and improve its oversight of cybersecurity risks across the financial system. Instead of relying only on periodic examinations or post-incident reporting, the tool is designed to give supervisors a more consistent, structured view of each institution’s defences.
The CBN has set a data cut-off date of December 31, 2025, for information submitted through the tool, meaning institutions must report their cybersecurity posture and supporting evidence as of that date. All submissions must be “accurate, complete, and verifiable”, with the central bank warning that false or misleading data will attract sanctions.
While the circular focuses on self-assessment, the explicit threat of penalties for inaccurate reporting underscores that the exercise is not voluntary or merely advisory. For banks and fintechs, the CSAT now forms part of their regulatory obligations, and the quality of their responses could influence how the CBN evaluates and supervises them going forward.







