Nigeria’s central bank has released a draft risk-based framework and guidelines on cyber security for deposit money banks and payment service providers (PSPs).
A publication signed by K O Balogun for the Central Bank’s director of banking supervision released via the twitter page of the apex bank on Wednesday, noted that the requirements were in light of a recent increase in the number and sophistication of cyber security threats against banks and PSPs.
“It has become mandatory for these institutions to strengthen their cyber defenses if they are to remain safe and sound,” the statement read.
The draft guidelines stipulating minimum requirements ranging from cybersecurity self assessment tools to reporting templates were thus released for comments and inputs from these financial institutions on or before 31st July 2018.
“In recent times, cybersecurity threats have increased in number and sophistication as DMBs and PSPs, use information technology to expedite the flow of funds among entities.
“In this regard, threats such as ransomware, targeted phishing attacks and Advanced Persistent Threats (APT), have become prevalent; demanding that DMBs and PSPs remain resilient and take proactive steps to secure their critical information assets including customer information that are accessible from the cyberspace.
“It is in this regard that this framework, which outlines the minimum cybersecurity baseline to be put in place by DMBs and PSPs, is being issued.
“The framework is designed to provide guidance for DMBs and PSPs in the implementation of their cybersecurity programmes towards enhancing their resilience.
“Cybersecurity resilience is considered as an organisation’s ability to maintain normal operations despite all cyber threats and potential risks in its environment. Resilience provides an assurance of sustainability for the organisation using its governance, interconnected networks and culture.
“DMBs/PSPs should note that for a cybersecurity programme to be successful, it must be fully integrated into their business goals and objectives, and must be an integral part of the overall risk management processes.
“The framework provides a risk-based approach to managing cybersecurity risk. The document comprises six parts: Cybersecurity Governance and Oversight, Cybersecurity Risk Management System, Cyber Resilience Assessment, Cybersecurity Operational Resilience, Cyber-Threat Intelligence and Metrics, Monitoring & Reporting,” the circular noted.
The CBN further noted that the safety and soundness of DMBs and PSPs require that they operate in a safe and secure environment.
“Hence, the platform on which information is processed and transmitted should be managed in a way that ensures the confidentiality, integrity and availability of information as well as the avoidance of financial loss and reputation risk, amongst others.”