On 13 August 2021, the Central Bank of Nigeria (the “CBN”) issued an exposure draft of the risk-based cybersecurity framework guidelines for other financial institutions (“OFIs”) in Nigeria (the “Draft Guidelines”). The Draft Guidelines have been issued further to the CBN’s effort to strengthen the cyber resilience of OFIs, especially following the increase in the number and sophistication of cybersecurity threats and attacks against OFIs.
The Draft Guidelines outline the minimum requirements that OFIs are required to observe in developing and implementing strategies, policies, procedures and related activities aimed at mitigating the risks of cyber threats and attacks.
The Draft Guidelines were addressed to all OFIs. Pursuant to the Banks and Other Financial Institutions Act 2020 (the “BOFIA 2020”), an OFI now includes international money transfer services, financial holding companies and payment service providers, among others. The implication of the expanded definition of an OFI under the BOFIA 2020 is that the Draft Guidelines will also apply to financial technology (FinTech) companies (especially switching and processing companies, mobile money operators and payment solution services), among others.
It should be noted that the CBN had earlier issued the Risk-based Cybersecurity Framework and Guidelines for Deposit Framework and Payment Service Providers dated 10 October 2018 (the “2018 Framework”), which applies to all banks and payment service providers (PSPs). Given that OFIs now include PSPs by virtue of the BOFIA 2020, stakeholders should engage the CBN to clarify whether the Draft Guidelines, when approved, will supersede the 2018 Framework with respect to PSPs or whether the 2018 Framework will continue to apply to PSPs (especially as the Draft Guidelines substantially mirror the 2018 Framework).
The Draft Guidelines are divided into six parts: cybersecurity governance and oversight; cybersecurity risk management system; cyber resilience assessment; cybersecurity operational resilience; cyberthreat intelligence; and metrics, monitoring and reporting.