Cyber Resilience: CBN Issues 21-Day Ultimatum to Banks for Security Audit

newseditor

• Apex bank deploys new ‘CSAT’ tool to probe financial system vulnerabilities
• Other financial institutions get 5-week deadline; false declarations to attract sanctions
• Move targets risks from Dec 2025 data as digital transactions surge

The Central Bank of Nigeria (CBN) has issued a three-week ultimatum to Deposit Money Banks (DMBs) to complete a mandatory cybersecurity self-assessment, signaling a major move to fortify the nation’s financial infrastructure against evolving digital threats.

In a circular dated March 30, 2026, and released via its official website on Tuesday, the apex bank introduced the **Cybersecurity Self-Assessment Tool (CSAT)**. The directive aims to evaluate the cyber-risk exposure of all regulated entities and ensure the resilience of the country’s financial ecosystem.

The CBN has set a tiered deadline for compliance:
• Deposit Money Banks (DMBs): Three (3) weeks.
• Other Regulated Institutions (OFIs & PSPs): Five (5) weeks.

The directive, rooted in the mandate of the Banks and Other Financial Institutions Act (BOFIA) 2020, requires institutions to submit comprehensive data reflecting their security posture as of **December 31, 2025**.

Probing Systemic Weaknesses
According to the CBN, the CSAT is a “structured supervisory instrument” designed to provide a granular view of the industry’s digital defenses. The assessment will scrutinize critical pillars including governance structures, risk management frameworks, technology systems, third-party exposures, and incident response capacities.

“The insights generated from this exercise will support risk-based supervision and enhance regulatory oversight of cybersecurity threats within Nigeria’s financial ecosystem,” the bank stated.

Zero Tolerance for Falsehood
The apex bank accompanied the directive with a stern warning against non-compliance or transparency gaps. To ensure the integrity of the data, the CBN announced it would conduct off-site reviews and physical supervisory engagements to validate all submissions.

“Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable,” the circular read. “Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions.”

Context of the Crackdown
Industry analysts suggest this move is a proactive response to the skyrocketing volume of digital transactions in Nigeria, which has made the banking sector a prime target for local and international threat actors.

By demanding data as of the end of 2025, the CBN aims to establish a clear baseline of the industry’s health before implementing further regulatory tightening in the 2026 fiscal year. The directive takes immediate effect.
