Regulatory Alerts2026-03-30 | CMD/DIR/PUB/ESSD/001/2026Deployment Of Cybersecurity Self-Assessment Tool (CSAT)
The Central Bank of Nigeria has mandated all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions to complete and submit a new Cybersecurity Self-Assessment Tool (CSAT). This tool aims to gather comprehensive cybersecurity posture information to enhance risk-based supervision and regulatory oversight across the financial system. Institutions must submit the CSAT within three weeks for DMBs and five weeks for all other regulated entities, providing accurate data up to December 31, 2025, with any false information leading to regulatory sanctions.
Central Bank of Nigeria
Compliance Department Plot 33, Abubakar Tafawa Balewa Way, Central Business District, P.M.B. 0187, Garki, Abuja Telephone: Email:cmd@cbn.gov.ng Website: www.cbn.gov.ng
Ref No: CMD/DIR/PUB/ESSD/001/2026 March 30, 2026
LETTER TO BANKS, SELECTED OTHER FINANCIAL INSTITUTIONS AND PAYMENT SERVICE PROVIDERS
DEPLOYMENT OF CYBERSECURITY SELF-ASSESSMENT TOOL (CSAT)
The Central Bank of Nigeria (CBN), in furtherance of its statutory mandate under the Banks and Other Financial Institutions Act (BOFIA) 2020 and consistent with its commitment to strengthening cybersecurity resilience across the financial sector, hereby notifies all Deposit Money Banks, Payment Service Banks, Microfinance Banks, Payment Service Providers, Finance Companies, and Development Finance Institutions of the deployment of its Cybersecurity Self-Assessment Tool (CSAT).
The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions. It covers key areas including cybersecurity governance, risk management practices, technology and third-party risk controls, incident response capabilities, and overall operational resilience. Insights derived from the CSAT will support risk-based supervision and enhance regulatory oversight of cybersecurity risks across the financial system.
Accordingly, all the referenced institutions are required to complete and submit the CSAT through a dedicated submission portal. Access credentials to the portal and detailed guidance on completion of the tool will be communicated to your Chief Information Security Officers and other relevant officials.
Institutions are required to submit their completed CSAT within the following timelines:
i. Three (3) weeks – Deposit Money Banks (DMBs) ii. Five (5) weeks – All other regulated institutions
All submissions must be fully completed and accompanied by relevant supporting documentation, where applicable. Please note that the cut-off date for the data to be provided is December 31, 2025.
Institutions requiring clarification on any aspect of the submission process may contact the Enterprise Security Supervision Division of the Compliance Department via cmd.enterprisesecurity@cbn.gov.ng.
Supervised institutions are reminded that all information submitted to the CBN must be accurate, complete, and verifiable. Submission of false, misleading, or inaccurate information constitutes a regulatory breach and will attract appropriate sanctions in accordance with the provisions of BOFIA 2020.
The CBN will undertake validation exercises, including off-site reviews and supervisory engagements, to verify the accuracy and reliability of submitted information.
This letter takes immediate effect.
Yours faithfully,
[Signature]
OLUBUNMI AYODELE-ONI
FOR: DIRECTOR, COMPLIANCE DEPARTMENT