The Central Bank of Nigeria (CBN) is done waiting. In a circular dated March 30, 2026, the apex bank ordered deposit money banks, fintechs, payment service providers, and other regulated financial institutions to complete a mandatory Cybersecurity Self-Assessment Tool, and the clock is already running.
Deposit money banks have three weeks to comply. Microfinance banks, payment service providers, payment service banks, finance companies, and development finance institutions get five weeks.
What the CSAT Actually Measures
The tool is not a checkbox exercise. The CSAT asks institutions to report on five areas: cybersecurity governance, risk management, technology and third-party risk controls, incident response, and operational resilience. Each dimension probes how seriously institutions treat digital security: not just whether they have policies on paper, but whether those policies hold up under pressure.
Submissions must be made through a dedicated portal, with login details shared with Chief Information Security Officers and relevant officials. All data provided must reflect each institution’s position as of December 31, 2025.
The CBN is not taking institutions at their word either. The regulator plans to validate submissions through off-site reviews and supervisory engagements to confirm data reliability, and warned that false, misleading, or inaccurate disclosures constitute a regulatory breach that will attract appropriate sanctions.
A Shift in How the CBN Supervises
This directive marks something of a strategic pivot. Rather than waiting for incidents to surface through reporting or audits, the CBN is moving toward structured, forward-looking surveillance. The move signals a shift toward deeper, risk-based supervision as regulators respond to the rapid growth of digital banking and electronic payments, which has expanded the potential attack surface for cybercriminals and heightened systemic vulnerabilities.
The initiative aligns with the CBN’s statutory oversight responsibilities under the Banks and Other Financial Institutions Act (BOFIA) 2020. It also builds on a cybersecurity framework the bank issued in May 2024, which mandated minimum security controls for deposit money banks and payment service banks.
The Compliance Burden Falls Unevenly
For large commercial banks with dedicated security teams and mature IT infrastructure, the CSAT is a manageable burden. It is essentially a structured audit of existing processes. Smaller institutions, including microfinance banks and fintech firms, may face steeper adjustment costs as they work to align with the new requirements. For many of these players, the five-week window may prove uncomfortably tight if their cybersecurity posture is not already well-documented.
The CBN’s directive ultimately tests whether Nigeria’s financial sector has grown its defences at the same pace as its digital ambitions. For institutions that have invested in security, the assessment is a formality. For those that have not, it is a reckoning, and regulators have made clear they will be checking the receipts.









