THE NEW CYBER SECURITY LAW IN NIGERIA: THE FUTURE OF OTHER FINANCIAL INSTITUTIONS (OFIs) AND THEIR CLIENTS

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked”, says Richard Clarke – the United States general.

The prevalence of cyber-attacks on Information Technology assets and databases of financial institutions in Nigeria has become a nightmare to the sector and their clients whose data and wealth deserve to be protected. Does it surprise you to know that data protection and cyber security have been left at the mercy of the men of the underworld – the hackers? It is no longer a disputable fact that despite the evidence of cyber-attacks on two prominent banks as released by different hacker platforms, the management of the named banks never admitted nor denied the breach.

What really is the future of cyber security and data protection in Nigeria?  Thanks to the new Central Bank of Nigeria (CBN) framework known as the Risk-based Cyber-security Framework and Guidelines for other Financial Institutions (the “Guidelines”) which took effect from January 1, 2023.  The Guidelines aims to ensure best practices and appropriate cyber-security standards are maintained by other financial institutions in the prevention and mitigation of cybercrimes in the financial sector. In light of the passage of the Act, it is expected that financial institutions would keep up with the yearly report known as a Cyber-security Self- assessment signed by the Chief Information Security Officer to be submitted on or before the 31st of March of every year, in line with the provisions of the Guidelines.[1] Furthermore, under the Act these institutions are liable for an incidence of breach in their cyber-security protocols especially where it goes unreported for the period specified under the Act[2].

In this article, we would intimate you of the compliance requirement for Other Financial Institutions (OFIs), the objectives of the CBN Guidelines and their importance in ensuring an effective cyber-security system. First, let us consider the definition of OFIs under the Nigerian Law.

Definition and Scope of OFIs

According to a report from Tekedia[3], the Banks and Other Financial Institutions Act (BOFIA) classifies OFIs as including the following with the exception of  Payment Processing Service Providers[4]:

  • Bureaux De Change
  • Credit Bureaux
  • Discount Houses
  • Financial Holding Companies
  • Mortgage Guarantee Companies

What is the Purpose of the OFI Guidelines and the Compliance Requirement?

The Guidelines outline the minimum requirements that OFIs are required to observe in the development and implementation of strategies, policies, procedures and related activities aimed at mitigating cyber risk.

The purpose of the Guidelines is:

  • The creation of a safer and more secure cyber environment that supports information system security and the promotion of stability of the OFI subsector.
  • The promotion and maintenance of public trust & confidence in the OFI subsector.
  • Contribution towards the prevention and combating of cybercrimes in the OFI sub-sector.
  • Promote the adaptation and implementation of best practices and appropriate cybersecurity standards by OFIs.
  • Promote a cybersecurity culture and awareness through continuous capacity building and skills development.

The OFIs Guidelines Compliance Requirement and Procedure:

The Guidelines provide six risk-based approaches to managing cybersecurity risks which are:

  1. Cyber-security Governance and Oversight: This risk-based approach is to ensure that cybersecurity management is integrated at the core of every OFI business strategy and is driven by the highest level of governance. It requires an appointment of a Chief Information Security Officer (CISO) who shall report to the Managing Director/Chief Executive Officer and be bestowed with the responsibility of cyber-security of the OFI.
  • Cybersecurity Risk Management System: This approach is intended to foster a system that can effectively identify and analyze the prospective of cyber risk exposure of OFIs and proffer an approach to control and possibly minimize incidence where a breach has occurred. The Board of Directors shall then approve the proposed strategy as the best approach to maintain a standard information security structure.  
  • Cyber Resilience Assessment: This policy is geared towards ensuring an effective response strategy where there has been a cyber-risk exposure. There is a cyber security risk resilience assessment to identify potential vulnerabilities which can be exploited and the impact it would have in terms of financial implication, statutory requirement and reputational damage. The essence of performing this assessment at regular intervals is to determine the quantum of resources to recover in such a hypothetical cyber incident. A report of self-assessment is to be submitted by the CISO no later than 31st March of every year.  
  • Cybersecurity Operational Resilience: This is a system engineered to maintain a high level of operational resilience imputing critical IT infrastructure to preserve the sensitive information processed by the OFI. To do this, the Guidelines proffers measures that can be adopted to achieve a minimum standard of security within the relevant ecosystem.
  • Cyber-Threat Intelligence: The OFI is required to collate, process and analyse requisite information on current threats and cyber-attacks within the sector which would in turn guide their decision-making process of mitigating potential cyber-threats and risks.
  • Metrics, Monitoring and Reporting: The essence of this aspect of assessment is primarily to ensure that OFI’s are compliant with the various mechanisms set up within the organization by monitoring the processes which are aimed at ensuring effectiveness. A metrics procedure will be employed to gauge the overall cyber-security programme and ensure there is an effective management process in place to make informed decisions when the need arises. The Board of Directors and Senior Management of the OFI shall establish and oversee this programme.

Conclusion

By the inception of this Guidelines, OFIs are directed to adopt an effective cybersecurity structure which is aptly integrated into their system of operations as far as cyber-risk and cyber-security is concerned. Apart from this move to adopt a fail-proof system, there is a need for sector awareness on the various attack mechanisms and the corresponding channels to report incidence of breach as an immediate response rather than an afterthought.[5]

Furthermore, the obligation on OFIs to issue yearly reports to the CBN casts a spotlight on the IT-infrastructure of these institutions highlighting the importance of tightening cyber security surveillance protocols and response strategy to attain a water-tight cybersecurity system.

Taxaide Technologies Limited (TaxTech)

TaxTech is a technology development company which provides among other services, regulatory compliance services in Cybersecurity Governance and Regulatory Compliance services to OFIs, Discount Houses and other Payment Service Providers. As an ISO 27001 certified organisation in Information Security Management Systems, we are available to aid you in compliance with the CBN’s Cybersecurity Self-Assessment requirements under the Guidelines. Please reach out to elizabeth.mbahon@taxtech.com.ng for further enquiries.


[1] Reg. 4.3 of the Guidelines.

[2] Reg. 7.6 of the Guidelines.

[3] https://www.tekedia.com/an-overview-of-the-cbn-guidelines-on-cyber-security-for-other-financial-  institutions-ofis-in-nigeria/

[4] Payment service providers are regulated under the Risk-based Cyber-security Framework and Guidelines for Deposit Money Banks and Payment Service providers enacted in 2018.

[5] https://guardian.ng/news/police-nabs-hackers-who-allegedly-defraud-bank-of-n523m-in-one-day/

Leave a Reply

Your email address will not be published. Required fields are marked *