Nigeria: CBN issues exposure draft of risk-based cybersecurity framework and guidelines for OFIs
Governance and oversight
Risk management system
Metrics, monitoring and reporting
Compliance and enforcement
Cybersecurity self-assessment tools and reporting templates
On 13 August 2021, the Central Bank of Nigeria (CBN) issued an exposure draft of the risk-based cybersecurity framework guidelines for other financial institutions (OFls) in Nigeria (the "draft guidelines"). The draft guidelines have been issued further to the CBN's effort to strengthen the cyber resilience of OFls, especially following the increase in the number and sophistication of cybersecurity threats and attacks against them.
The draft guidelines outline the minimum requirements that OFls are required to observe in developing and implementing strategies, policies, procedures and related activities aimed at mitigating the risks of cyber threats and attacks.
The draft guidelines were addressed to all OFls. Pursuant to the Banks and Other Financial Institution Act 2020 (BOFIA), an "OFI" now includes international money transfer services and financial holding company and payment service providers (PSPs), among others. The implication of the expanded definition of an OFI under the BOFIA is that the draft guidelines will also apply to financial technology (fintech) companies (especially switching and processing companies, mobile money operators and payment solution services), among others.
It should be noted that the CBN had earlier issued the Risk-based Cybersecurity Framework and Guidelines for Deposit Framework and Payment Service Providers dated 10 October 2018 (the "2018 framework"), which applies to all banks and PSPs. Given that OFls now include PSPs by virtue of the BOFIA, stakeholders should engage the CBN to clarify whether the draft guidelines, when approved, will supersede the 2018 framework with respect to PSPs or whether the 2018 framework will continue to apply to PSPs (especially as the draft guidelines substantially mirror the 2018 framework).
The draft guidelines are divided into six parts:
- cybersecurity governance and oversight;
- cybersecurity risk management system;
- cyber resilience assessment;
- cybersecurity operational resilience;
- cyberthreat intelligence; and
- metrics, monitoring and reporting.
Every OFI is required to put in place a cybersecurity governance structure which sets the agenda and boundaries for cybersecurity management and controls. The governance structure will spell out the responsibilities of the board of directors (BOD), the senior management (SM) and the chief information security officer (CISO), as stipulated in the draft guidelines. Pursuant to the guidelines, the BOD shall be responsible for the provision of oversight, leadership and resources to ensure that cybersecurity governance becomes an integral part of the corporate governance. The SM shall be responsible for the implementation of the BOD-approved cybersecurity strategy, policies and standards, and the delineation of cybersecurity responsibilities.
The BOD of every OFI shall appoint or designate a qualified person, such as a CISO. The CISO shall be part of the SM and be responsible for the day-to-day cybersecurity activities and the mitigation of cybersecurity risks in the OFI, among other things. The CISO shall report to the managing director chief executive officer (at least quarterly) on the cybersecurity status of the OFI. It should be noted, however, that in the case of small OFls, such as rural-based unit tier II microfinance banks (MFBs), the head of information technology (IT) may double as the CISO or engage the services of a qualified third-party consultant to serve as the CISO on a part-time basis.
It should be noted that it is not clear whether only rural-based unit tier II MFBs will qualify as small OFls, especially as some payment service solutions providers (eg, super agents) also have similar capital requirements as rural-based unit tier II MFBs. Stakeholders should therefore engage the CBN to ensure that this is clarified before the draft guidelines are approved.
OFls shall ensure that an effective risk management system is put in place. The risk management system shall comprise four basic activities:
- risk assessment;
- risk measurement;
- risk mitigation/risk treatment; and
- risk monitoring and reporting.
OFls are required to regularly conduct risk assessments and threat analysis to detect and evaluate risks to their information assets and determine the appropriateness of security controls in managing risk.
OFls are also required to regularly conduct cybersecurity resilience assessments to evaluate their defence posture and readiness to tackle cybersecurity risks. Such cybersecurity risk resilience assessments will be to determine both an OFI's present state and its target cybersecurity profile. This is important in light of rapid advancement in IT, interconnection between networks and multiple threats in cyberspace.
Under the draft guidelines, OFls are also required to submit to the director of the CBN's OFI supervision department a report of their cybersecurity self-assessment signed by the CISO after its approval by the SM no later than 31 March of every year. The report shall provide the procedure, tools and framework used to conduct the cybersecurity self-assessment and identify gaps, threats and risks. It shall also include the potential impact of those risks, the prioritised action plan to mitigate the risks identified, a timeline for remediation and the remediation status with possible residual risks.
The draft guidelines require OFls to build, enhance and maintain their cybersecurity operation resilience by putting in place minimum controls, such as "know your environment" and other operational resilience controls to the confidentiality, integrity and availability of information assets.
OFls are required to possess an objective knowledge, based on fact, of all emerging threats, cyberattacks, attack vectors, mechanisms and indicators of compromise to their information assets, which will be used to make informed decisions. To achieve this, OFls are required, among other things, to put in place a cyberthreat intelligence programme to proactively identify, detect and mitigate potential cyberthreats and risks.
To ensure compliance and provide feedback on the effectiveness of management controls and the basis for appropriate management decisions, the BOD and the SM of OFls are required to put in place metrics and monitoring processes, and establish effective and reliable reporting and communication channels for the dissemination of cybersecurity-related information.
The BOD and the SM of OFls are required to ensure compliance with all relevant statutes and regulations, such as the Nigerian Cybercrimes (Prohibition, Prevention, etc) Act 2015, and all CBN directives to avoid breaches of legal, statutory and regulatory obligations related to cybersecurity and of any security requirements.
The CBN will be responsible for establishing appropriate procedures for monitoring compliance with the draft guidelines and other laws and regulations and will enforce compliance with the provisions of draft guidelines. It should therefore be noted that, pursuant to the draft guidelines, any non-compliance with the framework will attract appropriate penalties as may be determined by the CBN in accordance with the CBN Act and the BOFIA.
Other points for OFls to note include cybersecurity self-assessment tools and reporting templates.
Cybersecurity self-assessment tools
The draft guidelines contain links to cybersecurity self-assessment tools, including:
- the Federal Financial Institutions Examination Council cybersecurity assessment tool;
- the US Computer Emergency Readiness Team (CERT) cyber resilience review method;
- the Industrial Control System CERT's cybersecurity evaluation tool;
- the Payment Card Industry data security standard and self-assessment questionnaire;
- the International Organization for Standardization (ISO) standard ISO 27001;
- CBN circulars relating to cybersecurity; and
- the Nigerian Cybercrimes (Prohibition, Preventions, etc) Act 2015.
The draft guidelines also contain links to reporting templates including:
- cybersecurity self-assessment;
- cyberthreat reporting; and
- cyber incidents reporting.
Given the impact the draft guidelines will have on the business of OFls, including additional compliance and regulatory requirements, all OFls are encouraged to review the draft guidelines and engage the CBN on relevant amendments to be made before they are approved by the CBN. As noted above, stakeholders should engage the CBN to clarify whether the draft guidelines, when approved, will supersede the 2018 framework with respect to PSPs or whether the 2018 framework will continue to apply to PSPs (especially before the draft guidelines substantially mirror the 2018 framework).
For further information on this topic please contact Onyinyechi Iwuoha or Oluwaseun Ayansola at Aluko & Oyebode by telephone (+234 1 462 8360 71) or email ([email protected] or [email protected]). The Aluko & Oyebode website can be accessed at www.aluko-oyebode.com.