The Central Bank of Nigeria has directed banks to complete a mandatory cybersecurity self-assessment within three weeks as part of a new push to strengthen resilience across the financial system.
The directive was issued in a circular dated March 30, 2026. It introduced the Cybersecurity Self-Assessment Tool, known as CSAT, for regulated institutions under the CBN’s supervision.
Under the new timeline, Deposit Money Banks are required to complete and submit the assessment within three weeks. Other regulated institutions, including selected financial institutions and payment service providers, have five weeks to comply.
The regulator said the tool is designed to help it obtain structured information on the cybersecurity posture of supervised institutions. The move is intended to support risk-based supervision and improve oversight of cyber risks in Nigeria’s financial system.
The latest directive signals tighter regulatory attention on cyber resilience at a time when financial institutions face increasing technology and fraud-related threats. For banks and other operators, the immediate priority is to complete the assessment within the set compliance window.
