With cybersecurity threats rising in number and sophistication as Deposit Money Banks (DMBs) and Payment Service Providers (PSPs) use information technology to expedite the flow of funds among entities, threats such as ransomware, targeted phishing attacks and Advanced Persistent Threats (APTs) have become prevalent.
Commercial banks in Nigeria have, over the years, been the target of cybercrime, putting customers' funds at risk; hence the need for DMBs and PSPs to remain resilient and take proactive steps to secure their critical information assets, including customer information that is accessible from cyberspace.
The safety and soundness of DMBs and PSPs require that they operate in a safe and secure environment. Hence, the platform on which information is processed and transmitted should be managed in a way that ensures the confidentiality, integrity and availability of information as well as the avoidance of financial loss and reputation risk, amongst others.
To mitigate the risk, the Central Bank of Nigeria had in October 2018 issued a Risk Based Cybersecurity Framework and Guidelines for deposit money banks and payment service providers in the country.
The framework which became effective on January 1, 2019, provided the minimum requirements to be put in place by all DMBs in their respective cybersecurity programmes.
According to the framework, DMBs and PSPs were required to consistently conduct risk assessments, vulnerability assessments and threat analysis to detect and evaluate risk to the information assets and determine the appropriateness of security controls in managing risk.
The 2018 framework, however, did not include other financial institutions such as development banks, mortgage banks, payment service banks and microfinance banks.
With the open banking initiative, which will allow players in the financial industry to share customer data, it has become imperative to ensure that the OFIs do not become a loophole that cybercriminals take advantage of to penetrate the financial system.
The exposure draft of the operational guideline for Open Banking in the country, which was released earlier this year, will allow financial institutions in the country to share customers' data.
The exposure draft also stipulates that financial institutions share cybersecurity breaches, a move that has been called for many times in the industry to combat fraud and the activities of cybercriminals.
According to the draft, financial institutions are to implement appropriate security measures, establish incident management procedures as well as report major security incidents without undue delay to the competent authorities.
“The security incidents reporting obligations should be without prejudice to other incident reporting obligations laid down in other regulations including the CBN Risk-Based Cybersecurity Framework. In the case of a major operational or security incident, participants shall without undue delay, notify the CBN and other relevant stakeholders, of the incident and remediating measures, and upon receipt of the notification, the CBN and other stakeholders shall assess the incident with respect to the ecosystem and where appropriate, take necessary measures to protect safety and stability of the financial system.”
Thus, last week, the apex bank released the Risk Based Cybersecurity Framework and Guidelines for Other Financial Institutions (OFIs) in the country, with a stipulated effective date of January 1, 2023. This gives the institutions a six-month period to ensure compliance with the framework.
The release of the framework had become imperative as a result of the increase in the number and sophistication of cybersecurity threats against financial institutions, particularly OFIs.
It is also in consideration of the reliance of OFIs on information and communications technology (ICT) to operate their business, and of the rising incidence of cyber threats and attacks targeted at financial institutions, that it has become necessary to implement cybersecurity measures to mitigate those risks.
Cybersecurity resilience is considered as an organisation's ability to maintain normal operations despite all cyber threats and potential risks in its environment. Resilience provides an assurance of sustainability for the organisation through its governance, interconnected networks and culture.
The OFI guidelines on cybersecurity outline the minimum requirements that OFIs are required to observe in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk.
According to the CBN, the purpose of the Guidelines is to create a safer and more secure cyber environment that supports information system security and promotes stability of the OFI sub-sector.
It is also to contribute towards the prevention and combating of cybercrime in the OFI sub-sector, promote the adoption and implementation of best practices and appropriate cybersecurity standards by OFIs, and promote and maintain public trust and confidence in the OFI sub-sector.
It is also to promote a cybersecurity culture and awareness through continuous capacity building and skills development.
The framework stipulates that OFIs should note that, for a cybersecurity programme to be successful, it must be fully integrated into their business goals and objectives and must be an integral part of the overall risk management processes.
The framework provides a risk-based approach to managing cybersecurity risk. The document comprises six parts: Cybersecurity Governance and Oversight; Cybersecurity Risk Management System; Cyber Resilience Assessment; Cybersecurity Operational Resilience; Cyber-Threat Intelligence; and Metrics, Monitoring and Reporting.