Financial institutions get new cybersecurity rules, compliance starts 2023 | The Guardian Nigeria News
The Central Bank of Nigeria (CBN) has rolled out a new set of regulatory guidelines, which come into effect on January 1, 2013, to scale up the cybersecurity frameworks of Other Financial Institutions (OFIs).
The document addressed to all OFIs operating in the country and signed by the Director of Other Financial Institutions Supervision Department, Nkiru Asiegbu, aimed to ensure “safety and safety” in the ecosystem.
The regulator said “confidentiality, integrity and availability of information, as well as the avoidance of financial loss and reputation risk” are important in achieving a safe financial system. It added that rising threats require that the operators strengthen their cyber reliance and take proactive steps to ensure the safety of data.
The 43-page document details expectations from OFIs in implementing strategies, policies, procedures and related activities to mitigate cyber-risks. It also specifies key officials needed to oversee each player’s cybersecurity architecture and qualifications of the officials, while spelling out the responsibilities of boards of directors, senior management and chief information security officers (CISO) of the organisations.
The guidelines saddle the board with the overriding responsibility for the cyber safety of the operators with each member expected to “understand the nature of their institution’s business and the cyber threats involved.”
“The board of directors directly or through its appropriate committee(s) shall have oversight and overall responsibility for the OFI’s cybersecurity programme. The board shall promote a cybersecurity-conscious culture within the institution through robust oversight and engagement in cybersecurity.
“The board shall ensure that cybersecurity is completely integrated with business functions and managed across the OFI. The board shall ensure that cybersecurity governance aligns with corporate and information technology (IT) governance. It shall also ensure that cybersecurity governance is cyber-threat intelligence-driven, proactive, resilient and communicated to all internal and external stakeholders,” CBN said.
The board is also required to formulate cybersecurity strategy, policy and procedures while setting minimum standards for the institution to maintain safe operating platforms.
Cybersecurity policies, to be documented and made available for the CBN and the Nigeria Development Insurance Corporation (NDIC) examiners for review, are required from the operators.
When the new framework comes into effect, cybersecurity is to become a standing item on the agenda of board meetings.
The board also has a responsibility for reviewing management’s report on cybersecurity status quarterly and appointing CSIOs, who oversee the day-to-day cybersecurity operations of their organisations.
Gloss