The Central Bank of Nigeria has directed banks to complete a mandatory cybersecurity self-assessment within three weeks as part of efforts to strengthen resilience across the financial system.
In a letter dated March 30, 2026, and published on its website on Tuesday, the apex bank said, “Institutions are required to submit their completed CSAT within the following timelines: Three (3) weeks – Deposit Money Banks (DMBs); ii. Five (5) weeks – All other regulated institutions.”
The directive, addressed to banks, selected other financial institutions, and payment service providers, introduced a Cybersecurity Self-Assessment Tool to evaluate the cyber risk exposure of regulated entities.
The CBN stated that the move was in line with its statutory mandate under the Banks and Other Financial Institutions Act 2020 and its broader commitment to improving cybersecurity standards in the sector.
“The Central Bank of Nigeria, in furtherance of its statutory mandate under the Banks and Other Financial Institutions Act (BOFIA) 2020 and consistent with its commitment to strengthening cybersecurity resilience across the financial sector, hereby notifies all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions of the deployment of its Cybersecurity Self-Assessment Tool,” the letter read.
According to the regulator, the CSAT is designed as a supervisory instrument to provide a comprehensive view of financial institutions’ cybersecurity posture. It explained that the tool would assess critical areas, including governance structures, risk management frameworks, technology systems, third-party risk exposure, incident response capacity, and overall operational resilience.
