The Central Bank of Nigeria (CBN) has rolled out a mandatory Cybersecurity Self-Assessment Tool (CSAT) for all regulated institutions, including deposit money banks, microfinance banks, payment service providers, fintechs, and other financial entities.
The directive, contained in a circular dated March 30, 2026, and signed by Olubunmi Ayodele-Oni on behalf of the Director of the Compliance Department, underscores the apex bank’s determination to strengthen oversight and build resilience in an era of sophisticated digital attacks.
“This initiative forms part of the CBN’s statutory responsibilities under the Banks and Other Financial Institutions Act (BOFIA) 2020,” the statement explained. The CSAT is designed as a structured supervisory instrument to gather detailed insights into the cybersecurity posture of institutions, enabling more effective, risk-based regulation.
The tool will scrutinize several critical domains:
– Cybersecurity governance
– Risk management practices
– Technology and third-party risk controls (particularly important as banks increasingly rely on external vendors and cloud services)
– Incident response capabilities
– Overall operational resilience
Insights from the assessments will feed directly into the CBN’s supervisory processes, helping regulators identify vulnerabilities, prioritise interventions, and enhance system-wide protection against cyber threats that have targeted financial institutions globally and locally in recent years.
Institutions must complete and submit the CSAT through a dedicated online portal. Access credentials and detailed guidance will be shared with Chief Information Security Officers (CISOs) and other relevant officials in the coming days.
Strict deadlines have been set to ensure swift implementation:
– Deposit Money Banks (DMBs): Must submit within 3 weeks.
– Other institutions (including Microfinance Banks, Payment Service Providers, Fintechs, and similar entities): Have 5 weeks to comply.
Submissions must reflect the institution’s cybersecurity status as of December 31, 2025. The CBN plans to conduct validation exercises, including off-site reviews, to verify the accuracy and integrity of the information provided.
The apex bank issued a clear warning: any submission of false or misleading information will attract regulatory sanctions. This stern stance reflects the regulator’s zero-tolerance approach to compliance lapses in critical risk areas.
The CSAT rollout comes hot on the heels of another major regulatory tightening. Earlier this month, on March 12, 2026, the CBN issued an addendum to the Revised Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry 2021.
That circular, aimed at curbing fraudulent transactions and bolstering identity management, requires financial institutions to maintain a temporary watch-list for BVNs linked to suspected fraud. Such BVNs can remain on the list for a maximum of 24 hours, during which the account holder must be contacted for clarification.
Additional measures in the BVN addendum include stricter controls on BVN enrolment and data access, and limitations on phone number changes linked to a single BVN. These steps, some aspects of which take effect from May 1, 2026, are intended to safeguard the integrity of banking transactions and reduce the window for fraudsters to exploit the system.
Nigeria’s financial sector has witnessed a surge in digital transactions, driven by mobile banking, fintech innovation, and cashless policies. While this has boosted inclusion and efficiency, it has also expanded the attack surface for cybercriminals — ranging from phishing and ransomware to sophisticated supply-chain compromises involving third-party technology providers.
By introducing the CSAT, the CBN is shifting from reactive measures to a more proactive, data-driven supervisory regime.
The tool will allow regulators to benchmark institutions, spot systemic weaknesses, and encourage continuous improvement in cybersecurity practices.
Industry stakeholders expect the self-assessment to prompt banks and fintechs to review and upgrade their governance structures, incident response plans, and vendor risk management protocols. Chief Information Security Officers are likely to play a central role in coordinating responses within the tight deadlines.
As Nigeria’s economy becomes increasingly digital, the CBN’s latest interventions signal a clear message: robust cybersecurity is no longer optional — it is a regulatory imperative for the stability and trustworthiness of the financial system.
Institutions that treat this exercise as a mere compliance checkbox risk falling short. Those that use it as an opportunity to genuinely strengthen their defences will be better positioned to navigate the evolving threat landscape.
The CBN has indicated that further guidance on the portal and completion process will be communicated shortly. Affected institutions are advised to prepare their teams and ensure accurate, comprehensive reporting to avoid penalties.
This development is the latest in a series of measures taken under Governor Yemi Cardoso’s leadership at the CBN to fortify the sector against both traditional and emerging risks in an increasingly complex operating environment.
WHAT YOU SHOULD KNOW
The Central Bank of Nigeria has made the Cybersecurity Self-Assessment Tool (CSAT) mandatory for all banks, microfinance banks, PSPs, and fintechs to strengthen the sector against rising cyber threats.
Financial institutions must complete and submit the CSAT via the dedicated portal within tight deadlines — 3 weeks for Deposit Money Banks and 5 weeks for other institutions — with data reflecting their status as of 31 December 2025. False or misleading submissions will attract strict regulatory sanctions.
This move, following the recent BVN watch-list tightening, shows the CBN’s firm commitment to proactive risk-based supervision and safeguarding the integrity of Nigeria’s financial system.
Institutions should treat compliance seriously and use the exercise to genuinely bolster their cybersecurity defences.