Assessing CBN’s cybersecurity framework and guidelines 

BY LAWAL NASIR

Technology has continued to impact the way things are done across the world. It has permeated every facet of human endeavour across all industries, from financial to military, entertainment, agriculture, and more. 

In the banking sector, technology has completely changed (and continues to change) the way banks and other financial institutions operate and relate with their customers. Today, internet-based banking allows customers to use their mobile phones or computers to open and manage bank accounts and carry out transactions online, in real-time, without walking into any office. Already, in many climes, digital-only banks have become the norm. With artificial intelligence (AI) improving and becoming ubiquitous, the possibilities are endless, going forward.

However, these positive technological disruptions are not without their risks and dark sides. Billions can be stolen with just a click of a button. Details can also easily be compromised. For example, the same biometrics and other details such as passwords, tokens, and pass keys that people use for authentication can be exposed online through glitches or become accessible to hackers. Both banks and their customers have suffered financial and emotional losses through the use of technology. 

In Nigeria, also, as in other countries, banks and other financial institutions have continued to leverage technology to remain competitive and offer more convenient, seamless, secure, and personalized services to their customers. ‘Over the counter’ transactions are fast becoming a thing of the past, even as banks deliver improved services and increase their profitability.

However, just like their counterparts in other parts of the world, financial institutions have become targets of cybercrime and other forms of online attacks. This reality, in addition to limited digital literacy, has made many Nigerians less enthusiastic about adopting technology in their financial dealings. Many would rather move with physical cash, despite the attendant risk, than perform mobile transactions, which is simpler. Their pessimism is made worse by the prevalence of fraud perpetrated through digital channels. With more people coming online and becoming more vulnerable to hackers, the federal government, according to a report by BusinessDay newspaper, has had to issue at least 33 cyberattack advisories in 2024, the highest number on record.

The attempted hack on the Guaranty Trust Bank Plc (GTBank) website last year is a clear example of the enormity of the threats Nigerian banks face. A day after GTBank renewed its domain name, hackers went for its jugular. The cyberattack happened just days after GTBank closed its offer for a subscription of 9 billion ordinary shares at N44.50 per share, aiming to raise N400.5 billion, in line with the recapitalisation guideline. The attack was shortlived and addressed successfully, but the hackers temporarily disrupted GTBank’s online services and created panic among its customers about the potential compromise of sensitive data.

The Central Bank of Nigeria (CBN), which has as part of its mandate the responsibility of overseeing the development and operation of payment systems in Nigeria and administering the Banks and Other Financial Institutions Act (BOFIA), has been coming up with a series of policy guidelines for banks and other financial institutions. On May 31, 2024, the apex bank issued a Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks (DMBs) and Payment Service Banks (PSBs), mandating minimum cybersecurity standard requirements for financial institutions, effective July 1, 2024.

The framework, which applies to all DMBs, entails, among others, putting in place minimum controls, including: (a) know-your-environment measures, which include familiarizing with its business environment and identifying critical assets; (b) implementing preventive controls; (c) establish the capacity for monitoring and detecting cyber anomalies or incidents; (d) ensure that capacity for responding to cyber incidents are available in-house or can be outsourced at short notice; and (e) participate in industry-specific cyber exercises and programmes to evaluate its level of preparedness to recover from cyber incidents.

All supervised financial institutions (SFIs) were required to obtain the CBN’s approval before deploying emerging technologies and products and ensure that the products are not offered by countries that are not approved by the apex bank. They are also to comply with applicable statutes and regulations

to avoid breaching legal, statutory, and regulatory requirements on cybersecurity; while cyber incidents should be reported to the CBN within 24 hours of occurring. Not complying with the framework will attract appropriate sanctions. The CBN would monitor and enforce compliance with the provisions of the Framework and carry out monitoring and enforcement through annual cybersecurity supervisory review and evaluation exercises, risk-based examinations, annual industry compliance audits, and periodic spot checks.

But in spite of these guidelines, new tech-enabled security threats are emerging daily and in different ways, requiring constant vigilance. According to its 2024 African Perspectives on Cyber Security Report, Check Point Software Technologies, a cyber security platform provider, said Nigerian banks were recording 18,872 attacks monthly. It specifically noted that the threat of cyberattacks has grown in Nigeria, which is ranked 19th in the global rankings for attacks in July 2024, adding that the country is one of the most vulnerable to attacks on the African continent. In a recent incident, a banking trojan attack compromised 100,000 customer accounts and resulted in $3 million in losses.

According to the Nigeria Inter-Bank Settlement System, fraudsters successfully scammed over 80,658 bank customers in 2023, and bank customers lost N59.33 billion between 2019 and 2023.

It is however commendable that even as fraud and scams are increasingly becoming more sophisticated, the CBN, under the leadership of its Governor Olayemi Cardoso, is not resting on its oars to ensure sanity and safety in the Nigerian digital banking and payment ecosystem. The apex bank keeps issuing advisories for the use of both individuals and organisations for a secure online presence, from identifying phishing scams, shopping, and investment scams to reporting same to the relevant authorities. The tempo must be sustained as there is no room for lethargy. 

Nasir writes from Abuja