Overview of Central Bank of Nigeria (CBN) Guidelines on Cybersecurity for Other Financial Institutions (OFIs) in Nigeria

On June 29, 2022, the Central Bank of Nigeria (CBN) announced the release of a new framework, the Risk-Based Cyber-security Framework and Guidelines For Other Financial Institutions (“the Guidelines”), to regulate and address Cyber-security for Other Financial Institutions (OFIs) following a recent rise in Cyber-attacks and threats to their Information Technology assets and digital operations.

This article provides an overview of the most relevant provisions of these guidelines, covering the following topics :-

– What actually constitutes an OFI.

– The Regulatory agencies charged with enforcing the guidelines.

– The other relevant pieces of legislation (statutory, concurrent & subsidiary) governing the topic of Cyber-security for OFIs in Nigeria.

Are the Guidelines to have immediate effect?

No. The guidelines come into effect on the 1st of January, 2023, although it is advisable to commence compliance measures now if your business falls under the definition of an OFI.

What is an OFI under Nigerian law?

The Banks and Other Financial Institutions Act (BOFIA) classifies Other Financial Institutions (OFIs) as including the following:-

– Bureaux De Change

– Credit Bureaux

– Discount Houses

– Financial Holding Companies

– Mortgage Guarantee Companies

This definition or classification doesn’t apply to Payment Processing Service Providers.

What is the main Regulatory agency charged with ensuring compliance with these guidelines?

The Central Bank of Nigeria (CBN) has Regulatory powers to ensure compliance with these guidelines by virtue of the guidelines themselves and the Central Bank of Nigeria Act.

What are the exact aims of these OFI Guidelines?

The aims of the guidelines are :-

– The promotion and maintenance of public trust & confidence in the OFI subsector.

– The promotion and implementation of best practices and appropriate Cyber-security standards by OFIs.

– Contribution of the CBN to the prevention and combating of cybercrimes in the OFI subsector.

– The creation of a safer and more secure cyber environment that supports information system security and the promotion of stability of the OFI subsector.

What are the notable provisions of the guidelines?

The notable provisions of the guidelines are as follows :

The provision for the appointment of a Chief Information Security Officer (CISO) :- Every OFI is required to engage a CISO who shall report to the Managing Director/Chief Executive Officer of an OFI and who shall be responsible for day-to-day Cyber-security operations of the OFI. For small-scale OFIs a part-time consultant or the head of the Information Technology department can be appointed as a CISO.

In hiring a CISO, a selected candidate must meet all educational requirements of a CISO stated in the OFI “approved persons” framework.

The provision for Cyber-security Governance and Oversight :- This involves the following :

a). ensuring the priority of Cyber-security as a major agenda in the board meetings of all OFIs;

b). ensuring that a Cyber-security framework is prepared and submitted to the OFI supervision department of the CBN;

c). ensuring the preparation of a quarterly report on the cyber security status of OFIs to be reviewed by their boards of directors.

The implementation of a Cyber-security Risk Management system – which requires that each OFI implements a Cyber-security system mainly covering the areas of:

a). risk assessment;

b). risk measurement;

c). risk mitigation/risk treatment;

d). risk monitoring and reporting. 

The provision for the establishment of an Information Security Steering Committee (ISSC):- The guidelines require all OFIs with over 30 employees to establish an ISSC for executing the Cyber-security policy of the OFI. Where an OFI has fewer than 30 employees, a management committee may operate as the ISSC, provided the CISO of the OFI is also a member of that committee.

The provision on Cyber-security Operational Resilience :- An OFI shall endeavour to be acquainted with its business environment and critical assets.

All unauthorized software and hardware devices on its network shall be identified, documented, removed and reported appropriately.

The provision for compliance with Statutory & Regulatory requirements :- OFIs are to ensure compliance with all the provisions of the guidelines as well as other guidelines of the CBN, the CBN Act, the BOFIA (Banks and Other Financial Institutions Act) and the Cybercrimes (Prohibition, Prevention, etc.) Act.

The provision on metrics, monitoring and reporting – an OFI shall put in place metrics and monitoring processes to ensure compliance, provide feedback on the effectiveness of controls and provide the basis for appropriate management decisions.

Conclusion :- The OFI Cyber-security guidelines are a step in the right direction, considering the rather alarming rate of Cyber-attacks on the Information systems and databases of finance sector operators in Nigeria, inadvertently made worse by the introduction of Open Banking.