2024-06-21 | BSD/DIR/PUB/LAB/017/008

Central Bank of Nigeria Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks


BSD/DIR/PUB/LAB/017/008
May 31, 2024

LETTER TO ALL BANKS AND PAYMENT SERVICE BANKS

ISSUANCE OF RISK-BASED CYBERSECURITY FRAMEWORK AND GUIDELINES FOR DEPOSIT MONEY BANKS AND PAYMENT SERVICE BANKS

The CBN hereby issues the attached Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks (DMBs) and Payment Service Banks (PSBs), 2024, which represents the minimum requirements to be put in place by all DMBs and PSBs in their respective cybersecurity programmes. The effective date for full compliance with the provisions of the guidelines is July 1, 2024 and all DMBs and PSBs are expected to do so, on or before that date.

Please, be guided accordingly.

Yours faithfully,

Dr. ADETONA S. ADEDEJI
Ag. DIRECTOR, BANKING SUPERVISION

CENTRAL BANK OF NIGERIA
RISK-BASED CYBERSECURITY FRAMEWORK AND GUIDELINES FOR DEPOSIT MONEY BANKS AND PAYMENT SERVICE BANKS
May 2024

Table of Contents
Introduction
1.0 Cybersecurity Governance and Oversight
  1.1. Responsibilities of the Board of Directors
    1.1.1. Cybersecurity Strategy and Framework
    1.1.2. Cybersecurity Programme
  1.2. Responsibilities of Senior Management
  1.3. Responsibilities of the Chief Information Security Officer
  1.4. Requirements for appointment as a Chief Information Security Officer
  1.5. The Information Security Steering Committee
  1.6. Other Risk Management Control Functions
2.0 Cybersecurity Risk Management System
  2.1. The Risk Management System
  2.2. Vulnerability Identification
  2.3. Third party risk management
  2.4. Cybersecurity Maturity Assessment
  2.5. Reporting Cybersecurity Self-Assessment
3.0 Enhancing Cybersecurity Resilience
  3.1 Know Your Environment
  3.2 Implement Preventive Controls
  3.3 Monitor and Detect
  3.4 Respond and Remediate
  3.5 Restore Service Operations
  3.6 Cyber-Threat Intelligence
  3.7 Sector-specific Cyber Resilience
4.0 Emerging Technologies
  4.1 Payment Methods
  4.2 Open Banking
  4.3 Distributed Ledger Technology
  4.4 Artificial Intelligence and Machine Learning
  4.5 Cloud Computing
  4.6 Internet of Things
  4.7 FinTech Connections to Banks
  4.8 Adoption of Emerging Technology
5.0 Metrics, Monitoring and Reporting
6.0 Compliance with Statutory and Regulatory Requirements
7.0 Enforcement
APPENDIX I: Critical Systems and Cyber-Incidents
APPENDIX II: Know Your Environment
APPENDIX III: Cybersecurity Controls
APPENDIX IV: Emerging Technologies
APPENDIX V: Informative References
APPENDIX VI: Cybersecurity Self-Assessment Tools
APPENDIX VII: Reporting Templates
Glossary
ACRONYMS

ACM - Access Control Matrix
AI - Artificial Intelligence
API - Application Programming Interface
ATM - Automated Teller Machine
BOFIA - Banks and Other Financial Institutions Act
BYOD - Bring-Your-Own-Device
CCISO - Certified Chief Information Security Officer
CISM - Certified Information Security Manager
CISO - Chief Information Security Officer
CISSP - Certified Information Systems Security Professional
CSAT - Cybersecurity Self-Assessment tool
CSP - Cloud Service Providers
CTI - Cyber-Threat Intelligence
DDoS - Distributed Denial-of-Service
DLT - Distributed Ledger Technology
DMBs - Deposit Money Banks
ERM - Enterprise-wide Risk Management
FS-ISAC - Financial Services Information Sharing and Analysis Centre
IaaS - Infrastructure as a Service
ICAAP - Internal Capital Adequacy Assessment Process
IDS - Intrusion Detection System
IoT - Internet of Things
IPS - Intrusion Prevention System
IR - Incident Response
ISSC - Information Security Steering Committee
IT - Information Technology
KYC - Know Your Customer
MFA - Multifactor Authentication
ML - Machine Learning
NDPA - Nigerian Data Protection Act
NeFF - Nigeria Electronic Fraud Forum
NFC - Near Field Communication
NFIC - Nigeria Financial Industry CERT
NgCERT - Nigeria Computer Emergency Response Team
NigFinCERT - Nigeria Financial Computer Emergency Response Team
OSINT - Open-Source Intelligence
PaaS - Platform as a Service
PAM - Privileged Access Management
PoS - Point of Sale
PSBs - Payment Service Banks
PenTest - Penetration Test
QR - Quick Response
RBAC - Role Based Access Control
SaaS - Software as a Service
SDLC - Software Development Life Cycle
SFI - Supervised Financial Institution
SLA - Service Level Agreement
SOC - Security Operation Centre
USSD - Unstructured Supplementary Service Data
VPN - Virtual Private Network

Introduction

The Nigerian financial system has witnessed remarkable growth in recent years, which has led to an increase in the number of products, services, institutions and stakeholders. To increase public confidence in the financial system, it is imperative that institutions operate in a safe and secure environment.

Financial Institutions leverage information technology to expedite the flow of funds among entities and for the provision of services to their customers. The technology infrastructure and platforms that support their operations should be managed to safeguard the confidentiality, integrity and availability of information assets, as well as prevent financial loss and mitigate reputational risk.

Cybersecurity threats have continued to evolve and become more complex, with increased frequency of threats such as phishing, ransomware, Distributed Denial-of-Service (DDoS) attacks, amongst others. Consequently, financial institutions are required to proactively secure their critical information assets to ensure that they remain resilient in the face of these persistent threats. The prevalence of the use of emerging technology by financial institutions to deliver services to customers has also increased their attack surface. It is in this regard that the CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks (DMBs) and Payment Service Banks (PSBs) is issued. The framework, which outlines the minimum cybersecurity controls to be put in place, is designed to provide guidance in the implementation of cybersecurity programmes towards enhancing resilience in the financial sector. The framework, which provides a risk-based approach to managing cybersecurity risk, comprises seven parts: Cybersecurity Governance and Oversight; Cybersecurity Risk Management System; Enhancing Cybersecurity Resilience; Emerging Technologies; Metrics, Monitoring and Reporting; Compliance with Statutory and Regulatory Requirements; and Enforcement.

This framework replaces the Risk-based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers issued in October 2018 to address emerging gaps in the cybersecurity landscape. It equally considers requirements of recent laws and regulations such as the Banks and Other Financial Institutions Act (BOFIA 2020) and Nigerian Data Protection Act (NDPA) 2023. The framework should be read in conjunction with the provisions of all directives, notices, circulars and guidelines that the CBN may issue from time to time.

The CBN Risk-based Cybersecurity Framework and Guidelines for DMBs and PSBs, 2024, shall apply to the following financial institutions under the purview of Banking Supervision Department - Commercial banks, Merchant banks, Non-Interest banks and Payment Service banks, which are hereinafter jointly referred to as Supervised Financial Institutions (SFIs).

1.0 Cybersecurity Governance And Oversight

Cybersecurity governance and oversight sets the agenda and boundaries for cybersecurity management and controls by defining, directing and supporting the security efforts of SFIs. It outlines the responsibilities of the Board of Directors, Senior Management, Chief Information Security Officer (CISO) and other relevant Risk Management Control functions. Governance and oversight entails the development and enforcement of policies, procedures and other forms of guidance that SFIs and their stakeholders are required to comply with.

1.1. Responsibilities Of The Board Of Directors

The Board, through the Board Risk or Information Technology committee, shall have oversight and responsibility for the SFI's cybersecurity programme. It shall provide leadership, direction and resources for the effective conduct of required processes and ensure that cybersecurity governance is integrated into the organisational structure. To this end, the Board shall be responsible for ensuring that:

i. at least two Non-Executive Directors (NEDs), one of whom shall be an Independent NED, shall have requisite knowledge and experience in innovative financial technology, Information Communication Technology (ICT) and/or cybersecurity.

ii. cybersecurity is integrated with business functions and well managed across the SFI.

iii. cybersecurity governance not only aligns with Corporate and Information Technology (IT) governance but is driven by business objectives.

iv. cybersecurity management processes are conducted in line with business requirements, applicable laws and regulations while ensuring security targets are defined and met across the SFI.

v. Senior Management provides central oversight for the cybersecurity programme, assigns responsibilities and ensures the effectiveness of the cybersecurity management processes.

vi. the audit function is independent and staffed with skilled professionals who possess relevant qualifications and experience.

vii. cybersecurity governance documents such as cybersecurity strategy, framework and policies are established and aligned with the SFI's business goals and objectives.

viii. quarterly reports detailing the overall status of the cybersecurity programme are presented by Senior Management. The reports shall, at a minimum, include the following:

  a. cyber risk assessment report or updates from the last assessment.
  b. status of security initiatives to address cyber risks.
  c. incidents recorded, status of losses and recoveries.
  d. vulnerability management/penetration test reports, remediation efforts and challenges encountered therein and compensating controls implemented.
  e. status of compliance with Board-approved cyber risk thresholds.
  f. status of compliance with Examiners' recommendations in the report of the CBN Cybersecurity Supervisory Review and Evaluation exercise.

ix. a qualified individual is appointed as the CISO on the recommendation of Senior Management. The CISO shall be responsible for overseeing and implementing the bank's cybersecurity programme.

x. in the case of banking Groups, while SFIs may collaborate with the group CISO to ensure an effective enterprise-wide cybersecurity programme, a CISO shall be appointed in conformity with the requirements in Section 1.4 of this Framework.

xi. a stand-alone cybersecurity budget that is distinct from the budget of other functions (e.g., Information Technology or Risk Management) is approved.

xii. the cybersecurity risk appetite is defined in the SFIs Enterprise-wide Risk Management (ERM) framework.

1.1.1. Cybersecurity Strategy And Framework

The Board is responsible for the SFI's cybersecurity strategy and shall ensure that:

i. the strategy provides direction on how to achieve the cybersecurity goals, mitigate cyber-risk and comply with all legal, contractual, statutory and regulatory requirements.

ii. the approved cybersecurity framework aligns with business objectives and technological approaches to mitigate cyber risks and clearly defines key cybersecurity roles and responsibilities.

iii. the cybersecurity policy clearly conveys its intent and the SFI's approach to achieving the cybersecurity objectives.

iv. the cybersecurity policy is reviewed annually at a minimum, or when there are significant changes to the SFI's cyber-risk exposure.

1.1.2. Cybersecurity Programme

SFIs are required to implement a cybersecurity programme which should, at a minimum, include:

  • Risk assessment
  • Security policy development
  • Incident response planning
  • Vulnerability management
  • Log monitoring
  • Data backup and recovery plan
  • Security awareness and training
  • Initiatives to attain target maturity level
  • Metrics to assess the effectiveness of the programme

1.2. Responsibilities Of Senior Management

Senior Management shall be responsible for implementing Board-approved cybersecurity policies, programmes, standards and the delineation of cybersecurity responsibilities. It shall be required to:

i. recommend to the Board the appointment of a CISO that meets the regulatory requirements.

ii. obtain CBN approval for the appointment of the CISO.

iii. provide periodic reports (at a minimum quarterly) to the Board on the overall status of the cybersecurity programme as stipulated in Section 1.1 (viii).

iv. ensure that staff of the Information Security function attend relevant training programmes regularly.

v. incorporate cyber-risk management in the ERM framework and governance requirements to ensure consistent management of risk across the SFI.

vi. drive cyber risk management processes to ensure adherence to cybersecurity risk appetite.

1.3. Responsibilities Of The Chief Information Security Officer

The CISO shall be responsible for the day-to-day cybersecurity activities and the mitigation of cyber risks in the SFI. Consequently, the CISO shall:

i. be responsible for overseeing and implementing the cybersecurity programme and strategy approved by the Board.

ii. develop secure business and communication practices, identify security objectives and metrics, recommend the acquisition of security products/tools to keep information assets safe and resilient.

iii. maintain the SFI's data privacy and ensure all employees undertake security awareness training periodically.

1.4. Requirements For Appointment As A Chief Information Security Officer

The SFI shall appoint a CISO who meets the under-listed requirements subject to CBN approval:

i. The CISO shall possess adequate authority, experience, independence and shall be of appropriate grade to function effectively. The minimum grade of staff to be appointed as CISO shall be as specified below or as may be approved by the CBN from time to time:

  a. Commercial Bank with International Authorisation - Senior Manager
  b. Commercial Bank with National Authorisation - Senior Manager
  c. Non-Interest Bank with National Authorisation - Manager
  d. Commercial Bank with Regional Authorisation - Manager
  e. Merchant Bank - Manager
  f. Non-Interest Bank with Regional Authorisation - Manager
  g. Payment Service Bank - Manager

ii. The CISO shall report directly/functionally to the Managing Director/Chief Executive Officer.

iii. To avoid conflict of interest, the CISO shall not report directly or indirectly to the Head of Information Technology (IT) operations or Chief Risk Officer.

iv. The Appointment of a CISO shall be in line with the provisions of the Revised Assessment Criteria for Approved Persons' Regime for Financial Institutions, 2015 or any subsequent regulation.

v. Where the SFI is part of a Group that has a Group CISO charged with establishing and maintaining an enterprise vision, strategy and programme, the SFI's CISO is required to replicate the responsibilities as required in Section 1.3 of this Framework.

vi. The CISO shall possess relevant qualifications with Information Security Certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Chief Information Security Officer (CCISO), among others, and a minimum of ten years' in-depth experience in any of the following roles: Cybersecurity, Information Technology, IT Risk Management, Information Security Risk Management or IT Audit.

1.5. The Information Security Steering Committee

Every SFI shall establish an Information Security Steering Committee (ISSC) that shall be responsible for the governance of the cybersecurity programme. The committee shall meet the following requirements:

i. It shall comprise senior representatives of relevant departments within the SFI and be chaired by the MD/CEO, while the Executive Director in charge of Technology/Operations may serve as the alternate chairman.

ii. The roles, responsibilities, scope and activities of the ISSC shall be as defined in the Terms of Reference.

iii. The ISSC shall meet at least once in a quarter.

iv. The agenda for the meeting shall include a presentation on the "State of cybersecurity" and address recent cyber events, vulnerabilities and proposals for controls to reduce cyber risks. The summary of the report shall be included in the reports to the Board referenced in Section 1.1(viii).

1.5.1. Terms Of Reference Of The ISSC

The ISSC shall be responsible for:

i. ensuring that the SFI's security policies and processes align with its business objectives.

ii. evaluating, approving and sponsoring institution-wide security investment.

iii. enforcing implementation of policies for investment prioritisation and security risk management.

iv. providing strategic direction and cybersecurity governance for the SFI.

v. recommending the cybersecurity risk acceptance level to the Board for approval.

1.6. Other Risk Management Control Functions

All SFIs shall ensure the effectiveness of their cybersecurity governance by reviewing their processes and controls annually. In this regard, these risk management control functions shall have the following responsibilities:

1.6.1. Risk Management

i. The Risk Management function, internal or outsourced, shall independently and proactively evaluate all cybersecurity risks. This should be executed using appropriate tools and methodologies for risk identification, analysis and control. The assessment report shall be presented to Senior Management monthly and the Board Risk Management Committee quarterly.

ii. Senior Management shall ensure that staff or external risk management professionals engaged to evaluate the institution's cybersecurity posture possess the requisite qualifications and experience.

1.6.2. Audit

i. The Audit function shall be independent and the scope of cybersecurity audits shall be clearly defined.

ii. The SFI's cybersecurity programme shall be reviewed by the Audit function, internal or external, to determine the effectiveness of the controls put in place and ascertain if they are adequate for the institution's risk exposure.

iii. Senior Management shall ensure that internal or outsourced audit staff engaged to review the institution's cybersecurity posture, possess requisite qualifications and experience.

1.6.3. Compliance

The Compliance function of SFIs shall periodically review the cybersecurity programmes and processes to ensure adherence to relevant CBN directives and extant regulations.

2.0 Cybersecurity Risk Management System

The Risk Management programme shall be based on an understanding of threats, vulnerabilities, risk profile and level of risk tolerance of SFIs. The risk management process shall also be dynamic given the evolving risk landscape.

2.1. The Risk Management System

The Risk Management System shall cover the five activities below:

2.1.1. Risk Identification

SFIs shall identify associated threats and vulnerabilities to the confidentiality, integrity and availability of their information assets to determine their cyber risk exposure.

2.1.2. Risk Assessment

SFIs are required to evaluate risks to their operations, probability of occurrence, impact of risk crystallisation, and security controls to mitigate identified risks. This process should be carried out annually and whenever major changes occur within the institution such as an acquisition, merger or when new technology is deployed to handle key business processes. The outcome of this process should be documented in a Cybersecurity Risk Control Self-Assessment. An independent Audit function shall be responsible for ensuring that the methodology used in risk assessment is reviewed periodically.

2.1.3. Risk Measurement

The Risk Measurement process should quantify the financial impact of Cybersecurity risks to the SFI. The potential impact of such risks should be accounted for as part of Pillar II risks in its Internal Capital Adequacy Assessment Process (ICAAP).

2.1.4. Risk Mitigation/Risk Treatment

SFIs should implement risk mitigation and control measures consistent with the criticality of information assets. Risk treatment options such as risk reduction, acceptance, avoidance, transfer and management of residual risk should be selected based on the outcome of the risk assessment. Risk acceptance criteria should be as defined and approved by the Board. In cases where the SFI chooses to transfer risk, a detailed risk assessment for outsourcing or cyber risk insurance should be documented.

2.1.5. Risk Monitoring And Reporting

An independent risk management function shall be responsible for assessment, measurement, monitoring and reporting of risks associated with critical IT infrastructure and services while cybersecurity function shall be responsible for risk mitigation/treatment. A Risk Register should be maintained to facilitate monitoring and reporting. Risk should be closely monitored and reported to the Board and Senior Management in line with defined risk appetite and acceptance criteria.

2.2. Vulnerability Identification

i. The information security function shall ensure adequate risk assessment and sign-off before deployment of new technology-based products.

ii. SFIs shall ensure the conduct of yearly vulnerability assessments and threat analysis to detect and evaluate risk to their information assets and determine the appropriateness of security controls to mitigate identified risk.

iii. A third party shall conduct a penetration test annually, at a minimum.

iv. SFIs shall ensure that internal vulnerability scans are carried out quarterly.

2.3. Third Party Risk Management

i. SFIs shall implement a third-party risk management framework to assess and mitigate the risks associated with such relationships. The third-party risk management framework should include processes for vendor selection, due diligence, contract negotiations, ongoing monitoring and incident response.

ii. Third-party cybersecurity awareness programme shall be conducted at least annually to inform stakeholders about their roles and responsibilities around cybersecurity.

iii. Contracts with third parties shall be used to implement appropriate measures designed to meet the objectives of the SFI's cybersecurity programme.

iv. Third parties shall be routinely assessed using audits, test results, or other forms of evaluations to confirm that contractual obligations are fulfilled.

v. Service Level Agreements (SLAs) shall specify SFIs' right to audit third parties or receive audit reports.

vi. Third-party service providers shall comply with relevant regulatory standards depending on the services offered (e.g., PCI DSS, NDPR, ISO 27001, ISO 8385).

vii. Business continuity response and recovery planning and testing shall be conducted with third-party providers.

viii. SFIs shall implement insurance cover for various insurable technology risks to mitigate financial losses.

2.4. Cybersecurity Maturity Assessment

An SFI shall conduct annual evaluation using the CBN Cybersecurity Self-Assessment tool (CSAT) to determine its maturity level.

2.4.1. Determining The Current Cybersecurity Profile (Current State)

To determine its current state, an SFI shall carry out the following:

i. Identify its inherent cyber risks.

ii. Assess existing cybersecurity mitigants.

2.4.2. Establishing A Target Cybersecurity Profile (Desired State)

An SFI shall determine its desired state of cybersecurity maturity. The information security function shall ensure that a roadmap towards achieving the target cybersecurity profile is included in the SFI's corporate strategy.

2.5. Reporting Cybersecurity Self-Assessment

Self-assessment for coverage period (January to December of the previous year) shall be submitted to the Director, Banking Supervision Department of the Central Bank of Nigeria annually, not later than February 28. The report shall be signed and submitted by the CISO after its endorsement by the Executive Management in the format prescribed from time to time.

3.0 Enhancing Cybersecurity Resilience

Cyber resilience is the SFI's ability to prevent, withstand and recover from cyber incidents. SFIs are required to establish procedures to enhance their cyber resilience. This will ultimately strengthen the financial industry's cybersecurity posture. The following are the minimum controls that an SFI shall put in place to ensure the confidentiality, integrity and availability of critical information assets among others.

3.1 Know Your Environment

An SFI shall proactively familiarise itself with its business environment and identify its critical assets. To ensure effective security measures, an SFI shall establish mechanisms for maintaining up-to-date inventory of authorised software, hardware as well as internal and external network connections. Additionally, an SFI shall identify and document its data, assets and capabilities. Also, potential threats and vulnerabilities associated with its assets shall be monitored. Employees and contractors providing information technology and cybersecurity services shall also be identified and documented. Details on specific controls are contained in Appendix II.

3.2 Implement Preventive Controls

An SFI shall implement appropriate measures/controls/safeguards for IT systems, processes and people to mitigate cyber risks. These can be administrative, logical or physical controls. Details on specific controls are contained in Appendix III.

3.3 Monitor And Detect

An SFI shall establish capability for ongoing (24/7) monitoring of its IT systems, infrastructure, applications, services, and other relevant components to promptly detect anomalies or cyber incidents. This capability may be managed internally or outsourced to a third-party provider. Notwithstanding the approach chosen, monitoring should be adequate to detect cyber threats.

3.4 Respond And Remediate

An SFI shall ensure that the capability for responding to cyber incidents is available in-house or, if outsourced, can be accessed at short notice. Details on specific controls are contained in Appendix III.

3.5 Restore Service Operations

An SFI shall aim at recovering its operations timeously to reduce the overall impact of cyber incidents. Details on specific controls are contained in Appendix III.

3.6 Cyber-Threat Intelligence

An SFI is expected to possess knowledge of emerging threats, cyber-attacks, attack vectors, mechanisms and indicators of attack/compromise that may impact its information assets. Details on specific controls are contained in Appendix III.

3.7 Sector-Specific Cyber Resilience

An SFI is required to participate in industry cyber exercises and programmes to evaluate its level of preparedness to recover from cyber incidents. These exercises may include cyber drills, war games or as defined by the CBN from time to time. SFIs shall avoid creating single points of failure in the industry and proactively define plans to mitigate such risks.

4.0 Emerging Technologies

Emerging technologies refer to innovative advancements that are in the early stages of development or adoption and have the potential to significantly influence various industries. SFIs are adopting new technologies and global trends that are transforming various aspects of banking operations and customer experiences. Some emerging technologies and trends are highlighted below:

  1. Payment Methods
     a. Contactless Payments using Card, Quick Response (QR) codes, Smart Phones and Wearables.
     b. Voice-initiated services
     c. Unstructured Supplementary Service Data (USSD) Codes.
  2. Open Banking
  3. Distributed Ledger Technology (DLT)
  4. Artificial Intelligence (AI) and Machine Learning (ML)
  5. Cloud Computing
  6. Internet of Things (IoT)
  7. Fintech Connections to Banks

4.1 Payment Methods

4.1.1 Contactless Payments Using Card, Quick Response (QR) Codes, Smart Phones And Wearables

Contactless payments rely on near field communication (NFC) technology, which allows the transfer of payment information wirelessly between a payment device and a terminal. Cyber-risks associated with the use of contactless payments include data interception, NFC spoofing, malicious mobile apps and Point-of-Sale device tampering.

4.1.2 Voice-Initiated Services

The adoption of voice-initiated services by SFIs for customer authentication, information requests, transactional commands etc., as a banking channel is expected to become more widespread. Cyber-risks associated with this technology include voice spoofing, unauthorised access and data breach.

4.1.3 Unstructured Supplementary Service Data (USSD) Codes

USSD is a communication system used by mobile network operators to provide quick access to services and information through Short Message System (SMS). SFIs have expanded the functionality of USSD codes to provide financial services. Cyber-risks associated with the use of USSD include smishing, social engineering, Distributed Denial of Service (DDoS) and SIM Swap.

4.2 Open Banking

Open Banking refers to the practice of sharing financial data, such as account and transaction information, products and services with other financial institutions and third parties through API connections. The Regulatory Framework for Open Banking in Nigeria establishes principles for data sharing across the banking and payments system to promote innovation and broaden the range of financial products and services available to bank customers. Cyber-risks associated with open banking include data privacy, fraud, identity theft and API compromise. SFIs shall ensure compliance with the provisions of the Regulatory Framework for Open Banking in Nigeria and Operational Guidelines for Open Banking in Nigeria.

4.3 Distributed Ledger Technology

Distributed Ledger Technology (DLT) is a platform that uses ledgers stored on separate, connected devices in a network to ensure data accuracy and security. Blockchain is a widely recognised DLT that uses cryptographic techniques to facilitate the process of recording transactions and tracking assets. Applications of DLT include digital identities for Know Your Customer (KYC) and cross-border payment solutions that enable real-time peer-to-peer transfers. Cyber-risks involved with DLT include API compromise, data privacy, data loss, Smart Contract vulnerabilities, Money Laundering, Terrorism Financing and Proliferation Financing.

4.4 Artificial Intelligence And Machine Learning

Artificial Intelligence (AI) and Machine Learning (ML) technologies are smart machines capable of performing tasks that typically require human reasoning. These include natural language processing, computer vision and robotics. Some SFIs have adopted AI and ML solutions for the analysis of economic activities, fraud detection, prevention of money laundering, detection of operational issues, improved customer services and online real-time risk management. These emerging technologies may also be used to improve cybersecurity defences by automating threat detection, anomaly detection and response. AI and ML expose SFIs to cyber-risks such as data breach, data leak, limited data, poor data quality, breach of privacy laws and opaque algorithms.

4.5 Cloud Computing

Cloud computing provides access through the web to resources and products, including development tools, business applications, services, data storage and networking solutions. SFIs have embraced the use of cloud services in their operations for the benefit of scalability, cost-efficiency, accessibility, security and reliability. However, such engagements introduce risks including data breach, API compromise, Insider threats, account hijacking, data loss, lack of visibility, compliance and legal issues.

4.6 Internet Of Things

Internet of Things (IoT) refers to the network of physical devices, objects embedded with sensors, software and connectivity. SFIs use IoT to facilitate efficient data collection, processing and automation of key processes.

IoT exposes SFIs to cyber-risks such as insecurely configured or poorly protected IoT devices, poor firmware configurations, connectivity and power dependencies, insecure communication and data breach.

4.7 Fintech Connections To Banks

FinTechs may integrate with SFIs' systems through APIs. The use of APIs for the exchange of customers' data has driven innovation and improved financial service delivery. FinTech connections expose SFIs to cyber risks such as fraud, API compromise, unauthorised access, data privacy, data breach, compliance and legal issues.

4.8 Adoption Of Emerging Technology

SFIs are required to comply with the following regulations in the use of emerging technologies:

1. obtain CBN approval before deploying emerging technologies or products.

2. ensure products and services are not provided by parties or countries on sanction lists.

3. refrain from establishing API connections or granting access to organisations not licensed by the CBN without prior regulatory approvals.

4. maintain professional due diligence and care in the adoption of emerging/evolving technologies.

The minimum security controls that SFIs shall put in place in the adoption or implementation of new technologies are detailed in Appendix IV.

5.0 Metrics, Monitoring And Reporting

SFIs are required to measure the effectiveness of their cybersecurity programme and provide assurance to relevant authorities by defining and implementing performance metrics. Defined metrics should be aligned with strategic objectives and provide the information needed for effective decision-making at the strategic, management and operational levels.

i. To assess the effectiveness of the SFIs' cybersecurity programme and measure its performance and efficiency, metrics that may be employed include key performance indicators, key risk indicators, key goal indicators etc. Defined metrics should be reviewed at least annually.

ii. The metrics should help to identify deficiencies, failed security controls as well as highlight the progress made in resolving issues.

iii. SFIs shall establish effective communication channels to disseminate relevant security requirements to employees for effective implementation of the cybersecurity programme.

iv. The Board shall be provided with quarterly reports to inform them of the status of the Cybersecurity programme. The contents of the reports shall be as defined in Section 1.1(viii) of this framework.

v. SFIs are required to report all cyber incidents (as defined in Appendix I) not later than 24 hours after such incident is detected to the Director of Banking Supervision, Central Bank of Nigeria using the report format in Appendix VII or any other format that may be advised from time to time. Where necessary and applicable, additional information should be provided afterwards.

6.0 Compliance With Statutory And Regulatory Requirements

i. The Board and Senior Management of SFIs shall ensure compliance with all relevant statutes and regulations to avoid breaches of legal, statutory and regulatory requirements on Cybersecurity. These include the Nigerian Cybercrimes Prohibition, Prevention Act, 2015, NDPA, 2023, National Cybersecurity Policy and Strategy, 2021 and all CBN directives.

ii. An SFI is required to participate in industry cyber exercises and programmes to evaluate its level of preparedness to recover from cyber incidents. These exercises may include cyber drills, war games or others as defined by the CBN from time to time. Such exercises may be conducted by the Nigeria Financial Computer Emergency Response Team (NigFinCERT) or any other body as may be advised periodically.

iii. Non-compliance with the provisions of this framework shall attract appropriate sanctions as defined in Section 68 of BOFIA, 2020 or subsequent regulations.

7.0 Enforcement

i. The CBN shall monitor and enforce compliance with the provisions of this framework.

ii. This shall be carried out through the annual Cybersecurity Supervisory Review and Evaluation exercise, Risk Based Examination, Annual Industry Standard Compliance audit and periodic spot checks.

Appendices

Appendix I: Critical Systems And Cyber-Incidents

Critical systems as defined in this framework shall mean any IT infrastructure (servers, applications, databases, network, ATM, POS, etc.) whose unavailability (such as failure or unplanned downtime), corruption, unauthorised access to and/or interception of the information it stores, processes or transmits will result in a significant financial loss and negatively impact business operations and service to customers.

Cyber-Incident is defined as any event which may result in:

i. financial loss that exceeds 0.01% of shareholders' funds unimpaired by losses.

ii. data breach and data destruction.

iii. unplanned outage in Core Banking Application.

iv. website defacement.

v. any glitch that results in financial losses.

vi. others as determined from time to time.

Appendix II: Know Your Environment

A sound knowledge of the SFI's business and IT environment is crucial to managing its cybersecurity posture to ensure resilience.

1.1. Know Your IT Assets

SFIs shall:

a. Maintain an up-to-date inventory of all authorised IT assets on-premises and in cloud infrastructure used to process, store or transmit data/information such as workstations, laptops, ATMs, POS, network switches, routers, firewalls, printers, scanners, photocopiers, IP Phones, mobile devices, surveillance cameras, applications, databases, services, protocols etc.

b. Establish asset ownership and assign responsibility for managing each asset to a specific individual or team.

c. Ensure that all identified devices are categorised by the criticality and sensitivity of the data/information they store, process or transmit.

d. Identify and document account profiles (systems administrators and privileged users), third-party vendors accounts, etc.

e. Regularly review the account profile of staff (systems administrators and privileged users) and third parties who have access to devices identified in "1.1" above.

f. Maintain an inventory of all data assets, including locations, owners and access controls.

g. Implement a data classification framework that categorises data based on its sensitivity and criticality.

h. Document data handling procedures, retention policies and secure data disposal processes.

i. Maintain an approved up-to-date network topology diagram of wired and wireless networks irrespective of location.

j. Maintain a catalogue of all network connections to regulatory authorities, switches, third parties and wholesale customers with details of the objectives of such connections.

k. Regularly review the catalogue and remove any connection that is no longer required.

1.2. Know Your Vulnerabilities

SFIs shall:

a. implement a vulnerability management policy approved by the Board.

b. conduct a vulnerability assessment of all IT assets and present the report of the assessment to ISSC and Senior Management at least once every quarter.

c. conduct vulnerability assessment when there is a significant change to the SFI's information processing infrastructure (such as installation of new systems, devices, applications) or when there is knowledge of new vulnerabilities.

d. where possible, implement automated vulnerability scanning tools for continuous identification of vulnerabilities.

e. conduct external Penetration Tests on IT Assets at least annually. Penetration Tests may be conducted more frequently on internet-facing financial systems/applications.

f. conduct regular audits of IT assets and associated services, on premises and in cloud infrastructure to identify potential weaknesses. This may include third-party audits, security reviews or compliance assessments.

g. continually identify inherent risks and vulnerabilities associated with IT platform/protocols used for business services e.g., USSD, Mobile Banking among others.

h. establish efficient mechanisms and processes to identify patch compliance status of IT assets.

1.3. Know Your Threats

SFIs shall:

a. establish a Cyber-Threat Intelligence (CTI) programme approved by the Board which shall include policies to aid proactive identification of emerging cyber threats, trends, patterns, risks, and possible impacts.

b. identify and document various internal and external Cyber Threat Intelligence sources. Internal sources are the IT infrastructures that generate logs. External sources are reputable commercial threat intelligence sources. These feeds should be integrated with security controls to enhance threat detection and response capabilities.

c. leverage Open-Source Intelligence (OSINT) by monitoring publicly available sources, such as search engines, online forums, social media platforms, and security blogs.

d. where possible, monitor the dark web for mentions of the institution, critical assets, or sensitive information such as customers' data or staff's access credentials.

e. take informed decisions based on the CTI programme as it provides valuable information on areas susceptible to cyber-attacks, latest threats, attack vectors, etc. Decisions may include reviewing the Bring-Your-Own-Device (BYOD) policy, conducting emergency staff or customers awareness/training, vulnerability assessment, penetration testing, review of vendor source codes, cyber-incident response plan, BCP/DR plans, vendor SLA, among others.

f. engage in information sharing and collaboration with trusted industry peers, sector-specific information sharing establishments e.g., Nigeria Computer Emergency Response Team (NigFinCERT), Nigeria Financial Industry CERT (NFIC), Financial Services Information Sharing and Analysis Centre (FS-ISAC), Nigeria Computer Emergency Response Team (NgCERT), Nigeria Electronic Fraud Forum (NeFF), Law Enforcement Agencies (LEAs) and other Cybersecurity information sharing communities. Sharing threat intelligence will enable the financial industry to stay ahead of emerging threats.

g. promptly submit all cyber-threats to the Banking Supervision Department of the Central Bank of Nigeria through the designated BSD cybersecurity mailbox using the Cyber-threat Intelligence Reporting template in Appendix VII. SFIs are required to render the report on or before the 5th day of the following month.

1.4. Know Your Third-Party Service Providers and Connections

SFIs shall:

a. maintain a record of all third-party service providers (including Cloud Service Providers - CSP).

b. periodically review their records to ensure discontinued third parties' access credentials have been revoked and network connections terminated.

c. identify and document all connections to third parties - wholesale customers, vendors and switches that provide Value-Added-Service (VAS). The objective of each connection shall be documented and reviewed regularly.

d. evaluate the security controls and processes of the CSP before adopting a cloud service. Where applicable, the data centre and network infrastructure facilities of third parties shall be visited and their cybersecurity policies reviewed to ensure that identified concerns are addressed.

1.5. Know Your Privileged Users

SFIs shall:

a. identify and document all employees and service accounts with privileged access on systems, applications and databases in an Access Control Matrix (ACM).

b. regularly review the ACM to ensure privileges are withdrawn when staff role changes.

c. ensure that risks associated with this category of persons are regularly assessed as part of the enterprise risk assessment framework.
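The ACM review in 1.5(b), the third-party revocation check in 1.4(b) and the periodic account-profile review in 1.1(e) can be run as one reconciliation of the ACM against the staff and vendor roster. The script below is an added illustration, not part of the framework; the ACM fields, the 90-day review interval and the sample records are constructed assumptions.

```python
"""Reconcile an Access Control Matrix (ACM) against the current roster.

Added example, not part of the CBN framework. Field names, the review
interval and all sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AcmEntry:
    account: str
    system: str
    privilege: str
    holder: str               # staff ID or vendor name that owns the account
    granted_for_role: str     # role under which the privilege was approved
    third_party: bool
    last_reviewed: date
    contract_end: Optional[date] = None   # third-party engagements only


@dataclass(frozen=True)
class Person:
    holder: str
    current_role: str
    active: bool              # False once the employee left / vendor was discontinued


@dataclass(frozen=True)
class Finding:
    account: str
    system: str
    reason: str
    action: str               # "revoke", "withdraw and re-approve" or "review"


def review_acm(entries: List[AcmEntry], roster: List[Person], as_of: date,
               review_interval_days: int = 90) -> List[Finding]:
    """Return one finding per ACM entry that needs action, in ACM order."""
    people = {p.holder: p for p in roster}
    findings: List[Finding] = []
    for e in entries:
        person = people.get(e.holder)
        # 1.4(b)/1.5(b): holder unknown or no longer active -> credentials must go.
        if person is None or not person.active:
            findings.append(Finding(e.account, e.system,
                                    "holder not on active roster", "revoke"))
            continue
        # 1.4(b): third-party access is tied to a dated engagement.
        if e.third_party:
            if e.contract_end is None or e.contract_end < as_of:
                findings.append(Finding(e.account, e.system,
                                        "third-party engagement ended or undated", "revoke"))
                continue
        # 1.5(b): privilege approved for a role the holder no longer has.
        elif person.current_role != e.granted_for_role:
            findings.append(Finding(
                e.account, e.system,
                f"role changed from {e.granted_for_role} to {person.current_role}",
                "withdraw and re-approve"))
            continue
        # 1.1(e): entry has not been reviewed within the interval.
        if (as_of - e.last_reviewed).days > review_interval_days:
            findings.append(Finding(e.account, e.system, "review overdue", "review"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by required action, for the Senior Management report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample data (assumption, not real institution records).
AS_OF = date(2024, 6, 21)
SAMPLE_ROSTER = [
    Person("S1001", "Database Administrator", True),
    Person("S1002", "Branch Operations", True),       # moved out of app admin role
    Person("S1003", "Network Administrator", True),
    Person("VendorX", "Vendor support", True),        # engagement has expired
    Person("VendorY", "Vendor support", True),
]
SAMPLE_ACM = [
    AcmEntry("dbadmin01", "core-banking-db", "sysdba", "S1001",
             "Database Administrator", False, date(2024, 5, 1)),
    AcmEntry("appadmin02", "internet-banking", "admin", "S1002",
             "Application Administrator", False, date(2024, 1, 15)),
    AcmEntry("svc_vendor_x", "switch-gateway", "operator", "VendorX",
             "Vendor support", True, date(2024, 6, 1), date(2024, 3, 31)),
    AcmEntry("netadmin03", "core-router", "enable", "S1003",
             "Network Administrator", False, date(2024, 2, 1)),
    AcmEntry("sysadmin04", "ad-domain", "Domain Admin", "S1004",   # S1004 has left
             "System Administrator", False, date(2024, 6, 10)),
    AcmEntry("svc_vendor_y", "atm-monitoring", "read-only", "VendorY",
             "Vendor support", True, date(2024, 6, 5), date(2024, 12, 31)),
]

if __name__ == "__main__":
    for f in review_acm(SAMPLE_ACM, SAMPLE_ROSTER, AS_OF):
        print(f"{f.account:14} {f.system:18} {f.action:24} {f.reason}")
    print(summarise(review_acm(SAMPLE_ACM, SAMPLE_ROSTER, AS_OF)))
```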

Appendix III: Cybersecurity Controls

Implementing cybersecurity controls is a strategic and proactive approach to protecting critical assets, ensuring uninterrupted operations and safeguarding reputation. SFIs are expected to implement measures and procedures to protect their systems, networks and data from unauthorized access, use, disclosure, disruption, modification or destruction. Minimum expectations are provided below:

1. Implement Preventive Controls

1.1. Access Controls

SFIs shall establish an access control policy to ensure that:

a. mechanisms, standards and procedures that govern users, systems and service accounts are defined.

b. a review of user access is conducted periodically to confirm that only least privilege rights are granted to authorised systems/applications.

c. access modification or revocation is carried out immediately there is a change or discontinuation of role.

d. multifactor authentication, Role Based Access Control (RBAC) and layered controls are implemented to secure employees, customers and third-party access to the institution's network, systems and applications.

e. authentication mechanisms used for systems and applications are based on their criticality and sensitivity. Critical systems must use multi-factor authentication.

f. access is continuously validated using mechanisms such as Zero-Trust to prevent the use of compromised credentials.

g. channels to report access credential breaches exist and are communicated to relevant stakeholders.

h. mechanisms for automated recovery/blocking of compromised accounts are implemented.

1.2. Privileged Access Management (PAM)

SFIs shall:

a. at a minimum, biennially conduct background checks on employees such as System Administrators, Database Administrators, Application Administrators and Information Security professionals, who implement policies and procedures to protect sensitive information. These checks should include CRMS search, address verification, social media activity review and lifestyle analysis among others.

b. establish controls such as just-in-time access, session monitoring, password vaulting, least privilege principles and segregation of duties for privileged accounts.

c. ensure logon credentials to critical systems, applications, and network are created and separately documented by at least two employees.

d. ensure that all logs and audit trails of privileged users' activities are preserved and regularly reviewed in accordance with the SFI's security policy.

e. prohibit the use of shared password on default or anonymous privileged account by multiple users.

f. ensure that logon credentials of default system accounts including test and development servers are changed prior to commissioning.

1.3. Third Party Service Providers or Vendors Access Control

SFIs shall:

a. ensure that vendors do not have unfettered access to systems, databases, network and applications.

b. ensure that access requests by a vendor to information assets are approved by Senior Management. Access shall be limited to the segment of the system required for a defined duration and monitored and revoked on completion of the task.

1.4. Physical Access Controls

SFIs shall:

a. establish physical security measures including, but not limited to, access controls such as video surveillance, biometrics, etc.

b. ensure that vendors are accompanied when physically accessing critical information systems such as a Data Centre.

c. maintain and review logs of physical entry into sensitive areas.

1.5. Secure System Configuration Management

SFIs shall:

a. develop minimum security baseline configurations such as anti-malware, data loss prevention and systems security settings for IT assets, which should be governed by vendor recommendations, best practice and security standards. Additional informative references that can be adopted to develop security baseline configurations are contained in Appendix V.

b. ensure that policies for security solutions are managed centrally and cannot be turned off locally by users.

c. ensure hardening of new computer systems, Applications, or Databases prior to deployment.

d. ensure that hardening standards and configuration baselines are updated across servers, ATMs, workstations, databases and network devices.

e. ensure that configuration information of hardware and software are reviewed and verified regularly.

f. ensure that wireless networks use strong encryption and that the frequency of encryption key change has been defined.

1.6. Application And Data Security

SFIs shall:

a. ensure cybersecurity controls are considered and incorporated in all stages of the system/application lifecycle. The business requirement for the acquisition/development of systems/applications shall identify and document the security requirements.

b. ensure secure coding practices and conduct regular security testing throughout the Software Development Life Cycle (SDLC) to identify and address vulnerabilities in applications and systems.

c. ensure that Open-Source code or libraries are properly tested before use.

d. implement data discovery and classification, appropriate data access controls, encryption, and data handling procedures based on the sensitivity of the data.

e. provide regular training and awareness programmes to employees to educate them on data handling best practices, security measures and their responsibilities in protecting data assets.

f. deploy data loss prevention technologies and policies to prevent unauthorized data disclosure or leakage.

g. ensure regular data backup, implement secure backup storage and regularly test the restoration process as well as the security of stored data.

h. implement secure data disposal procedures, such as secure deletion or destruction methods (e.g., degaussing/demagnetizing), when data is no longer needed.

i. define application decommissioning process/policy when application is no longer in use.

j. implement remote device erasure for stolen/lost devices.

k. ensure compliance with relevant data protection and privacy regulations such as NDPA, 2023 and any subsequent legislation, among others.

1.7. Remote Work Security

SFIs shall:

a. ensure that remote access to the network is through secure Virtual Private Network (VPN) connections or other encrypted remote access solutions. The use of unencrypted Remote Desktop Protocol for connection to corporate systems over the internet shall not be allowed.

b. require employees to use Multifactor Authentication (MFA) for authentication to the corporate network when accessing its systems remotely and enforce proper session management.

c. ensure the use of secure collaboration and communication tools that offer end-to-end encryption, secure file sharing, and protected video conferencing capabilities.

d. provide security awareness for staff working remotely to ensure they observe security best practices.

1.8. Cloud Information Asset Management

SFIs shall:

a. understand the model of cloud service procured and the security requirements/responsibilities of the organisation versus those of the CSP for each cloud service model and ensure that the security responsibilities of both parties are met. These should apply to Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and any other cloud service utilised.

b. ensure uniform security policies are adopted on infrastructure in the cloud and on-premises.

1.9. Vulnerability Remediation and Patch Management

SFIs shall:

a. ensure that responsibilities and timelines for remediation of identified vulnerabilities are specified for different categories.

b. scan patches for malware prior to application.

c. deploy security updates promptly after thorough testing and in accordance with its Patch Management Policy.

d. confirm that patches and security configurations have been applied successfully after a vulnerability remediation and patch deployment.

e. ensure that vulnerability remediation and patch application processes are audited regularly and reports presented to Senior Management.

2. Monitor And Detect

2.1. Continuous Security Monitoring

SFIs shall:

a. establish a non-intrusive continuous (24x7) monitoring mechanism to collect, correlate and detect anomalous activities on critical systems, databases and networks in a timely manner.

b. implement monitoring and auditing mechanisms to detect and investigate suspicious activities that could indicate unauthorised access or data breach.

c. specify and document log retention period based on the criticality of data. The retention period should be approved by the Board.

d. monitor the physical environment of assets - server room, network devices, data centre, disaster recovery site and off-site storage location.

e. ensure that security monitoring is done through a Security Operation Centre (SOC). The SOC, which can be in-house or outsourced, shall be resourced with skilled people, adequate processes and appropriate tools such as a Security Information and Event Management (SIEM) solution for cyber monitoring.

f. periodically provide cyber-incident reports through the SOC to the Board and Senior Management.

g. enable logging capabilities on all systems and applications on-premises and in third-party locations including cloud platforms to monitor and analyse activities within the systems to detect anomalies or indicators of compromise.

h. deploy automated detection tools such as network and system (endpoint) scanners, Firewalls, Intrusion Detection/Intrusion Prevention Systems (IDS/IPS), etc. for effective early detection of cyber-incidents.

i. set up alerts and notifications for suspicious or unauthorized access attempts.

j. ensure logging and monitoring of remote access activities.

3. Respond And Remediate

SFIs shall:

a. develop an incident response plan and playbooks to establish clear procedures for detecting, analysing and responding to security incidents on-premises or in cloud environments.

b. conduct tests such as Cyber Drills, Red-Team vs Blue-Team and Table-Top exercises regularly to ensure the effectiveness of the incident response plan. Outcome of tests should be communicated to Senior Management and used to update the incident response plan and playbook.

c. ensure that Senior Management participate in tests to enhance their awareness and preparedness for making crucial decisions in the event of a cyber-attack.

d. establish a dedicated Incident Response (IR) team focused on detection, analysis and response to cyber incidents.

e. ensure adequate and continuous training of the IR team on response to cyber-incidents.

f. ensure that generally accepted and appropriate forensic procedures, including chain of custody, are used to gather, analyse and report evidence in a manner that is legally admissible.

g. define how information should be communicated and shared with relevant stakeholders.

h. establish a Memorandum of Understanding or contractual agreement with incident response providers to assist rapidly with mitigation efforts.

i. implement robust backup and recovery mechanisms for critical data and perform backup restoration tests periodically.

4. Restore Service Operations

SFIs shall:

a. ensure implementation of recovery plans, processes and procedures to restore systems and assets affected by cybersecurity incidents.

b. ensure that the incident response plan has clear specifications for moving to the recovery stage, including verifying that all threats have been effectively addressed prior to restoring affected systems, data or access.

c. implement improvements based on lessons learned and review of existing strategies.

Appendix IV: Emerging Technologies

The minimum controls required in adopting emerging technologies shall include the identification of risks and opportunities, establishment of security controls, monitoring and reporting.

1. Risks And Opportunities Identification

Emerging technologies may have unknown vulnerabilities that can be exploited by malicious actors. It is crucial to identify and mitigate potential risks through robust security measures such as:

a. development of a strategy and policy on the adoption and use of emerging technologies.

b. development of a business case for the proposed adoption.

c. assessment of potential risks and controls considering their operating environment.

2. Security Controls Implementation

SFIs shall at a minimum establish the following controls:

a. conduct regular assessments (vulnerability assessments, penetration tests, etc.) to identify and remediate any security flaws in the adopted emerging technology.

b. review and continually update security controls based on identified risks.

c. establish robust access controls including strong authentication systems (MFA, biometrics, etc.) and privileged account management.

d. encrypt sensitive data both in-transit and at rest and implement cryptographic controls using the appropriate industry-standard protocols.

e. establish data minimization practices to reduce the amount of sensitive data stored on edge devices.

f. establish data protection measures and comply with data privacy laws and regulations.

g. adhere to regulatory requirements and adopt industry best practices and cloud provider recommendations for secure configuration of cloud resources.

h. implement timely update and patches.

i. ensure that the adopted technology does not increase the risk exposure of existing technology.

j. implement secure coding practices when developing and using APIs. Employ strong authentication and authorisation methods for API access, enforce usage limits, and regularly audit and monitor API activities.

k. establish appropriate security architecture design to ensure secure integration and prevent misconfigurations and weak points. Implement a layered security approach to create a more secure environment.

l. implement a comprehensive data backup strategy including regular backups and encryption of critical data stored in the cloud, ensuring backups are stored in a separate location from the primary cloud environment and testing of data restoration processes.

m. conduct due diligence when selecting third-party service providers.

n. evaluate the security practices, certifications and track record of third parties in maintaining the security of their services.

o. establish adequate SLAs with providers (cloud, edge, API, etc.) that define the service level expectations, resolution of identified issues and penalties for breach of agreement.

p. develop employees' capacity and awareness of the adopted emerging technologies.

q. develop a business continuity plan that integrates disruptions from emerging technology and third-party dependencies.

r. conduct regular security audits to ensure control measures are effective and up to date.

3. Monitor And Report

SFIs shall:

a. continually monitor and periodically report the impact of the adoption of emerging technologies on the cybersecurity posture to Management.

b. develop an incident response plan/mechanism that integrates emerging technologies and outlines steps to be taken in the event of a security incident or breach.

c. periodically review vendor security assessment to ensure that identified risks are promptly remediated.

d. establish a process for continuous monitoring and audit of new adoptions to detect and address security vulnerabilities and misconfigurations.

e. monitor and secure AI-enabled systems to prevent misuse or manipulation.

f. periodically monitor and report on regulatory and statutory compliance requirements on use of emerging technology.

g. ensure that the CSPs comply with relevant regulations and have appropriate security controls.

Appendix V: Informative References

ISO - Information Security Management Systems: https://www.iso.org/isoiec-27001-informationsecurity.html
ISO - Cybersecurity guideline: https://www.iso.org/standard/44375.html
PCI Security Standards Council - Document Library: https://www.pcisecuritystandards.org/document_library
NIST - Special Publications: https://www.nist.gov/publications/
NIST - Resource Centre: https://beta.csrc.nist.gov/
ISACA - COBIT 5 for Information Security: https://isaca.org

Appendix VI: Cybersecurity Self-Assessment Tools

Below are a few risk assessment tools that can guide SFIs in achieving cyber resilience.

1. The FFIEC Cybersecurity Assessment Tool: https://www.ffiec.gov/cyberassessmenttool.htm
2. US-CERT Cyber Resilience Review (CRR): https://www.us-cert.gov/ccubedvp/assessments
3. ICS-CERT's Cybersecurity Evaluation Tool (CSET): https://ics-cert.uscert.gov/sites/default/files/FactSheets/ICSCERT_FactSheet_CSET_S508C.pdf
4. Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire: https://www.pcisecuritystandards.org/
5. ISO 27001: https://www.iso.org
6. The CBN circulars relating to cybersecurity: https://www.cbn.gov.ng/documents/
7. Nigerian Cybercrimes (Prohibition, Prevention etc.) Act, 2015
8. NgCERT website: https://www.cert.gov.ng

Other suitable resources may also be adopted, but caution should be exercised on open-source cyber-threat intelligence feeds due to the high rate of false positive and/or false negative alerts.

Central Bank of Nigeria Security Incident Reporting Template For Nigeria Deposit Money Banks and Payment Service Banks (PSBs)

Security incidents must be reported by DMBs and PSBs to the Director, Banking Supervision, Central Bank of Nigeria within 24 hours of the incident happening. Additional updates must be provided if the earlier reporting was incomplete (i.e., new information due to investigation). Also, where required, additional documents should be provided and appended to this form.

New Incident / Update to Incident

Incident reference no:

CONTACT INFORMATION OF BUSINESS PROCESS OWNER

DMB/PSB Name:
Staff Name:
Designation:
Department:
Phone No:
Email:
Additional Contact:
Additional Contact:


INCIDENT DETAILS

Date and Time Incident was Discovered/Detected:
Date:

Incident Type (Tick all that apply): Unauthorized Access; Advanced Persistent Threat; Phishing; Denial of Service; Unplanned Downtime; System Failure; Ransomware; Website Defacement; Malicious Code; Access or Credential Abuse; Sustained Probe/Scan; Others; Not a Cyber incident

Incident Category: State Sponsored; Non-State; N/A; Hackers; Cyber criminals; Insider / Collusion; Activist; Others; Fire Incident

Incident Impact Description (Please include details of how the incident was detected.):

Incident Impact Type (Tick all that apply): Outage of Critical IT System; Theft or Loss of Customer Information; Loss of sensitive Information; Outage of Infrastructure; D-DOS; Regulatory and Legal; Others

If other, please state:

Financial Loss:
Recoveries:
Estimated Cost of Repair:

Incident Impact (Severity): High / Moderate / Low

Impact - Impact Definition
High - Critical system(s), customer facing applications/systems, internal network or a combination is impacted. System downtime is experienced.
Moderate - Systems or network that can put the DMB/PSB's network, critical system(s) or a combination at risk is impacted. May lead to system downtime.
Low - Non-critical system(s) was impacted.

Impact Category        | Low | Medium | High
Financial              |     |        |
Reputation             |     |        |
Functional/Operational |     |        |
Legal and Regulatory   |     |        |

Incident Impact (By Risk): Does the affected critical system(s)/network(s) have potential impact on another critical system/critical asset(s) of the DMB/PSB? [ ] Yes    [ ] No
If "Yes", please provide more details:

Incident Notification:
[ ] Internal Management
[ ] Affected Customer
[ ] CBN
[ ] Law enforcement (Police, EFCC, etc.)
[ ] Others: Fire Service

INCIDENT ACTIONS

Incident Detection (Date, Time and Details):
Affected System or Network (Date, Time and Details):
PROVIDE THE ATTACKER'S IP ADDRESS (If Applicable):
Containment Measures:
Evidence Collected (System Logs, etc.):
Eradication Measures:
Recovery Measures:
Other Mitigation Actions:

Lessons Learned: Key Point of Vulnerability:

Central Bank of Nigeria Cyber-Threat Intelligence Report Template
For Deposit Money Banks (DMBs) and Payment Service Banks (PSBs)

Purpose

The purpose of cyber-threat intelligence reporting is to provide a risk-based approach to promptly identifying emerging cyber threats, trends, patterns, risks, and their potential impact. It is not a report on the aftermath of an incident but a proactive measure to mitigate emerging cyber-risk.

Definition of Terms:

Likelihood of occurrence: This is the probability that an event will take place. Adopt the legend below to specify the likelihood of occurrence.

Likelihood of occurrence | Definition
High     | The identified threat is active and prevalent; the DMB/PSB has little/ineffective/no controls in place to prevent the vulnerability from being exploited by the threat.
Moderate | The identified threat is active and prevalent, but the DMB/PSB has some controls in place which may be capable of preventing the vulnerability from being exploited by the threat.
Low      | The identified threat does not apply to the DMB/PSB, or it has sophisticated and efficient controls in place which provide assurance that the risk may not crystallize.

Impact: This is the potential damage caused by a cyber-attack (threat agent). Adopt the legend below to specify the magnitude of potential impact.

Magnitude of Impact | Definition
High     | Reputational damage; system downtime > 6 hours for mission critical systems; loss of major tangible assets or resources; high monetary loss or violation of the CBN regulations on cybersecurity.
Moderate | Reputational damage; system downtime > 1 hour but < 6 hours for mission critical systems; moderate monetary loss; loss of tangible assets or resources.
Low      | System downtime < 1 hour for mission critical systems; insignificant monetary loss; loss of tangible assets or resources.

Risk level: To determine the risk level, the DMB/PSB should consider the likelihood of a threat exploiting a vulnerability, the impact of a successful attack and the existence of security controls to mitigate the risk. Adopt the legend below to state the residual risk level.

Risk Level | Risk Level Definition
High     | Corrective action(s) must be put in place immediately.
Moderate | Corrective action(s) must be put in place within a stipulated time.
Low      | The board shall accept the risk / determine if corrective actions are needed.
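The three legends above (likelihood of occurrence, magnitude of impact, residual risk level) can be applied mechanically to a threat record so that every row of the report is rated the same way. The following is an added example written for this page, not code from the CBN or from any DMB/PSB. The guideline does not publish how likelihood and impact combine into a risk level, so the 3x3 matrix used here, the control-effectiveness and monetary-loss vocabulary, and the treatment of downtime of exactly 1 or 6 hours (which the legend leaves undefined) are all assumptions; the sample threat rows are constructed.

```python
"""Rate threats for the CTI report using the likelihood, impact and residual
risk legends.  Added example; the 3x3 matrix and the boundary handling are
assumptions, not part of the guideline."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class ThreatAssessment:
    name: str
    active_and_prevalent: bool       # threat is active and applies to the DMB/PSB
    control_effectiveness: str       # assumed vocabulary: "none", "partial", "sophisticated"
    expected_downtime_hours: float   # for mission critical systems
    monetary_loss: str               # assumed vocabulary: "insignificant", "moderate", "high"
    loss_of_major_assets: bool = False
    cbn_regulation_violation: bool = False


def likelihood(t: ThreatAssessment) -> Level:
    # Legend: threat not applicable, or sophisticated/efficient controls -> Low
    if not t.active_and_prevalent or t.control_effectiveness == "sophisticated":
        return Level.LOW
    # Active threat with some controls -> Moderate; little/ineffective/no controls -> High
    if t.control_effectiveness == "partial":
        return Level.MODERATE
    return Level.HIGH


def impact(t: ThreatAssessment) -> Level:
    # Legend: any one of these alone makes the magnitude of impact High.
    # Assumption: exactly 6 h of downtime is rated into the more severe band.
    if (t.cbn_regulation_violation or t.loss_of_major_assets
            or t.monetary_loss == "high" or t.expected_downtime_hours >= 6):
        return Level.HIGH
    # Assumption: exactly 1 h of downtime is likewise rated Moderate.
    # "Reputational damage" appears in both the High and Moderate bands of the
    # legend, so it is not used as a discriminator here.
    if t.expected_downtime_hours >= 1 or t.monetary_loss == "moderate":
        return Level.MODERATE
    return Level.LOW


def residual_risk(lik: Level, imp: Level) -> Level:
    # Assumption: a conventional 3x3 matrix.  Score = likelihood x impact (1..9):
    # 6 or 9 -> High; 3 or 4 -> Moderate; 1 or 2 -> Low.
    score = int(lik) * int(imp)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MODERATE
    return Level.LOW


REQUIRED_ACTION = {
    Level.HIGH: "Corrective action(s) must be put in place immediately.",
    Level.MODERATE: "Corrective action(s) must be put in place within a stipulated time.",
    Level.LOW: "The board shall accept the risk / determine if corrective actions are needed.",
}


def rate(t: ThreatAssessment) -> dict:
    """Return the Likelihood, Impact and Risk level columns for one report row."""
    lik, imp = likelihood(t), impact(t)
    risk = residual_risk(lik, imp)
    return {
        "threat": t.name,
        "likelihood": lik.name,
        "impact": imp.name,
        "risk_level": risk.name,
        "required_action": REQUIRED_ACTION[risk],
    }


# Constructed sample rows for illustration only; not real intelligence.
SAMPLE = [
    ThreatAssessment("Credential phishing against internet banking staff", True, "partial", 2.0, "moderate"),
    ThreatAssessment("Ransomware affecting the core banking platform", True, "none", 12.0, "high"),
    ThreatAssessment("Malware for an ATM model the bank does not deploy", False, "none", 0.0, "insignificant"),
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(rate(row))
```

Each rated row carries the exact corrective-action wording of the legend, so the "Risk level with the controls in place" column and the follow-up obligation are filled consistently across institutions and months; changing the assumed matrix changes only residual_risk.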

Name Of Institution

Month, Year

CYBER-THREAT INTELLIGENCE REPORT

Approved By: _____________________________________________ Approval Date: __________

Approved By: _____________________________________________ Approval Date: __________

Cyber-Threat Intelligence Report Of ………….. Name Of Institution

Identified Cyber-Threats | Security Controls In Place | Level of Residual Risk

S/No | Threat(s) Name and Description | Date detected | How was the threat identified (Internal/External Source) | Potential Victim(s)/Targeted Asset | Likelihood (likelihood of successful attack) | Impact (level of impact if successful) | Security Controls in Place | Level of Residual Risk (risk level with the controls in place) | Comments
     |                                | Select Date   |                                                           |                                    |                                              |                                        |                            |                                                                |

Prepared by: Name & Signature | Title | Date

Glossary

2-Factor Authentication: This is a process in which a user provides two different authentication factors to verify their identity.
Acceptable Interruption Window: This is the maximum allowable time of interrupting mission critical systems or applications before restoration.
Access Control Matrix: A security model in computing that defines the access rights or authorization of each subject with respect to objects in the system.
Advanced Persistent Threat: APT is a targeted network attack in which an unauthorized malicious entity gains access to a network and remains undetected for a long period of time.
Anti-Skimming Device: This is a device that prevents fraudulent capture of personal data from magnetic stripe cards when they are used on devices such as an ATM.
Application Programming Interface (API): A set of rules and protocols that allows different software applications to communicate and interact with each other.
Automated Teller Machine: This is an intelligent electronic banking channel which allows bank customers to have access to basic banking services without the aid of any bank representative.
Bring Your Own Device (BYOD): BYOD is a privilege given to employees to use their personally owned devices (laptops, smart phones, etc.) to access information and resources of their workplace.
Business Continuity/Disaster Recovery Plan: These are planned processes that help institutions prepare for disruptive events and recover within a short period.
Cloud Security Alliance: A non-profit organization with a mission "to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing".
Cloud Service Providers: Third parties that offer cloud computing services, providing institutions with access to computing resources, storage, databases, and applications over the internet.
Cyber Drill: This is a simulated cyberattack exercise conducted by institutions to test and assess their cybersecurity incident response capabilities.
Cyber risk insurance: A specialized insurance policy that provides financial protection to institutions against losses resulting from cyber incidents.
Cyberspace: This is a virtual environment where communication over computer networks occurs.
Degaussing: A process of permanently erasing data stored on magnetic media, such as hard drives and magnetic tapes, by exposing them to a strong magnetic field.
Demilitarized Zone: A demilitarized zone or DMZ in computing is a physical or logical sub-network that separates the trusted network (internal local area network) from other untrusted networks (Internet). It houses external-facing servers, resources and services meant to be accessed from the internet.
False Negative: A false negative occurs when a security device fails to detect a vulnerability.
False Positive: A false positive is a false alarm generated by a device, process or entity, usually based on preconfigured rules or logic.
Financial Services Information Sharing and Analysis Centre (FS-ISAC): This is the global financial industry's information sharing organization, a nonprofit dedicated to enhancing cybersecurity and resiliency in the financial sector. It provides timely, authoritative information on physical and cyber security threats to help protect the critical systems and assets of its members.
Firewall: This is a network security system or software that has the capability to monitor and control incoming and outgoing network traffic based on preconfigured rules.
Internal Capital Adequacy Assessment Process (ICAAP): This is a comprehensive risk assessment framework used to evaluate capital adequacy based on internal risk profiles and potential losses.
International Organization for Standardization: ISO is a non-governmental organization with a mission to "promote the development of standardization and related activities in the world with a view to facilitating the international exchange of goods and services, and developing cooperation in the spheres of intellectual, scientific, technological and economic activity."
Internet: The Internet is a global system of interconnected computer networks linked by the Internet protocol suite.
Internet Protocol Phone: A phone built on Voice over IP (VoIP) technologies for transmitting telephone calls over an IP network, such as the Internet.
Intrusion Detection System: A device or software/application that monitors an institution's network or systems for policy violations and/or malicious activities.
Local Area Network: A computer networking technology that links devices within a specific range.
Log Management: This is an automated way of dealing with large volumes of system-generated logs. It usually comprises log collection, correlation, analysis, search, reporting and retention.
Malicious code: Any code or script developed with an intention to cause undesired effects, security breaches or damage to a system.
Mobile code: Any malicious programme, application, or script capable of moving when implanted in an email, document or website.
Multifactor authentication: A security measure that requires more than one distinct authentication factor to confirm the identity of a user, process, or device in order to gain access to a system.
Nested Payment Service Provider: Any entity that is contracted for its services by another payment service provider for the purposes of providing a service.
Nigeria Computer Emergency Response Team: A team of experts in the Office of the Nigerian National Security Adviser with a mission to "manage the risks of cyber threats in the Nigeria's cyberspace and effectively coordinate incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria".
Nigeria Electronic Fraud Forum (NeFF): This is a collaborative platform within the Nigerian financial industry focused on combating electronic fraud and cybercrime.
Non-Disclosure Agreement: A legal contract or agreement between two or more parties that outlines a degree of confidentiality.
Open Web Application Security Project: This is a non-profit organization that provides journals, methodologies, documentation, and development of best practices in the field of web application security at no cost.
Open-source cyber-threat intelligence: A platform, blog or database that collects, stores and shares information on emerging cyber threats, indicators and trends with its subscribers.
Open-Source Intelligence (OSINT): Open-Source Intelligence refers to information collected from publicly available sources, such as websites, social media platforms, and public records.
Payment Card Industry Data Security Standard: This is an information security standard for DMBs/PSBs that collect, process, store or transmit cardholder data.
Point of Sale terminal: This is a device that accepts payment cards for electronic funds transfers.
Privileged user: Any user who by virtue of function has super system-rights in any computer, application, database, device, etc.
Secure Coding: A principle of writing software code that adheres to code security best practices. It involves using coding techniques and best practices to minimize vulnerabilities and prevent potential cyberattacks.
Service Level Agreement: This is a contract between a service provider and a subscriber that defines the level of service expected from the service provider.
Shareholders' Fund: Shareholders' Funds represent the equity held by shareholders in a company, including common and preferred stock.
Single points of failure: These are components or elements within a system or network that, if they fail, can cause the entire system to fail.
Standard Operating Procedure: This is a step-by-step instruction on carrying out routine operations/tasks. Its purpose is to achieve uniformity of performance, efficiency and quality output at all times.
Threat: Anything that has the potential to cause damage or loss to an information asset.
Unstructured Supplementary Service Data: This is a communication technology used to send messages between a mobile phone and an application on a network.
Value Added Service: A term used to describe non-core services of a service provider that are offered to its customers.
Vendors: Providers of goods or services to DMBs/PSBs.
Vulnerability: This is a weakness or gap in a system, application, process, device, etc.
Zero-Trust: A security model that requires all users and devices to be continuously authenticated, authorized, and verified before accessing resources or data.