News & Events



In June 2018 – in view of the increasing focus on cybersecurity worldwide and the rise in cyber threats both in and outside Nigeria – the Central Bank of Nigeria (CBN) issued a draft risk-based framework and guidelines on cybersecurity for deposit money banks (DMBs) and payment service providers (PSPs), which will come into force on 1 January 2019.(1) The draft guidelines aim to complement and build on the Cybercrimes (Prohibition, Prevention) Act 2015 (the Cybercrimes Act), which the National Assembly passed into law in May 2015, by promoting cybersecurity and protecting computer systems and networks and electronic communications.

One of the key motivations behind cyberattacks is money; as such, the financial sector is particularly susceptible to cybercrime. Financial activity is largely dematerialised and reliant on technology, and crucial market infrastructures (eg, payment and settlement systems) are potential single points of attack which could have wide-ranging and damaging consequences for not only the global economy, but also individual organisations that fall victim to these attacks. Further, technology is increasingly being used in Nigeria for payments and remittances following the African fintech boom. The interconnectivity between financial institutions and their infrastructures also means that there is a significant risk of contagion from any successful cyberattack. As such, there is a need for a robust cybersecurity regime within the Nigerian financial sector. Essentially, the strength of any financial system or institution is the confidence and trust that customers and the general public place therein; thus, it is critical that systems and institutions protect this confidence and trust by appropriately managing the risks and challenges that they face.

Section 37 of the Cybercrimes Act provides that financial institutions’ duties include:

  • verifying the identity of their customers which carry out electronic financial transactions; and
  • applying the know-your-customer principle to customer documentation before executing electronic transfer, payment, debit or issuance orders.

In addition, the Cybercrimes Act provides that financial institutions have a duty to their customers to implement effective counter-fraud measures to safeguard their sensitive information. As such, any person or institution that operates a computer system or network is required to immediately inform the National Computer Emergency Response Team Co-ordination Centre of any attack, intrusion or other disruption liable to hinder the functioning of another computer system or network so that the centre can take the necessary measures to tackle the issues.

With the draft guidelines, the CBN has gone further by providing the minimum cybersecurity framework to be put in place by DMBs and PSPs in Nigeria. The draft guidelines address a number of issues, including:

  • cybersecurity governance;
  • risk management; and
  • the effectiveness of and compliance with the cybersecurity strategy.

Read more  |  Download PDF