CBN Issues Risk-Based Cybersecurity Framework & Guidelines

On June 29, 2022, the Central Bank of Nigeria (CBN) released its Risk-based Cybersecurity Framework and Guidelines for Other Financial Institutions (OFI). The guidelines focus on monitoring and reporting procedures, risk management systems, and cybersecurity governance.

According to the guidelines:

“In recent times, threats such as ransomware, targeted phishing attacks, and Advanced Persistent Threats (APT) have become prevalent, demanding that financial institutions, including OFIs, strengthen their cyber resilience and take proactive steps to secure their critical information assets to ensure their safety and soundness.”

Aim of CBN’s Cybersecurity Framework

The CBN has had to issue cybersecurity guidelines for OFIs (Other Financial Institutions) due to the recent increase in the number of cybersecurity threats. Nkiru Aseigbu, Director of the CBN's OFIs Supervision Department, believes that it has become imperative for institutions to upgrade their cyber defenses to remain secure and sound.

The purpose of the guideline is to:

• Create a safe and more secure cyber environment that supports information system security and promotes stability of the OFI sub-sector;
• Contributes to the prevention and combating of cybercrime in the OFI sub-sector;
• Promote the adoption and implementation of best practices and appropriate cybersecurity standards by OFIs;
• Promote and maintain public trust and confidence in the OFI sub-sector; and
• Promote a cybersecurity culture and awareness through continuous capacity building and skills development.

OFIs must integrate the guideline into their business goals and objectives to combat increasing cyber threats. Additionally, the guideline serves as a benchmark for overall risk management processes.

Letter to all OFIs

The letter states that the guidelines' provisions will take effect on January 1, 2023. All OFIs are expected to comply on or before the date. The 41-page document comprises six parts:

Cybersecurity Governance and Oversight

Sets the agenda and boundaries for cybersecurity management and controls through defining, directing, and supporting security efforts of the OFIs. It holds the Board of Directors, Senior Management, and Chief Information Security Officer accountable for implementing the cybersecurity framework, and each of them has respective obligations under the Framework.

The Senior Management is responsible for implementing processes and procedures to protect customer data, transactions, and systems and creating a post-incident analysis framework to determine corrective actions in response to security incidents. It is also responsible for evaluating and managing any risks introduced by third-party service providers.

The Chief Information Security Officer is responsible for maintaining an updated record of users, devices, applications, and their relationships, including software and hardware asset inventory, network utilization, and performance data. He/she is also responsible for ensuring regular cyber risk assessments and frequent data backups of critical IT systems to a separate storage location.

Cybersecurity Risk Management System

OFIs must incorporate cyber-risk management by addressing threats, mitigating exposure, and reducing vulnerability across their institution to reduce the incidence of significant adverse impacts. The Risk Management System must cover risk assessment, risk measurement, risk mitigation, and risk monitoring and reporting.

Cybersecurity Resilience Assessment

Cyber Resilience Assessment evaluates an organization’s defense posture and readiness to tackle cybersecurity risks. The Cybersecurity Resilience Assessment must do the following:

• Determine the current cybersecurity profile (present state)
• Establish a target cybersecurity profile (desired state)
• Report cybersecurity self-assessment

Cybersecurity Operational Resilience

OFIs must build, enhance and maintain their cybersecurity operational resilience. This will help reduce cybercrime and strengthen the banking sector's cyber defense.

Cyber-Threat Intelligence

OFIs must be aware of all emerging threats, cyberattacks, and attack vectors to make timely informed decisions regarding cybersecurity. OFIs must establish a Cyber-Threat Intelligence (CTI) program, which shall proactively identify, detect and mitigate potential cyber threats and risks.

Metrics, Monitoring, and Reporting

OFIs must introduce metrics and monitoring processes to ensure compliance, provide feedback on the effectiveness of controls and provide the basis for appropriate management decisions.

Additionally, compliance with statutory and regulatory requirements such as the Nigerian Cybercrimes (Prohibition, Prevention, etc.) Act 2015 is essential to avoid breaches of legal, statutory, and regulatory obligations.

Securiti allows organizations to discover, analyze and protect large datasets. It offers effective and automated Data Mapping, Incident Response and Management, and Data Intelligence that help organizations gain visibility to their datasets, identify datasets as a result of security incidents and achieve regulatory compliance.

Ask for a DEMO to understand how Securiti can help you achieve compliance.