Introduction to Mitigating Cyberattacks on Banking and Payment Systems
Bank customers, especially users of digital banking channels, have recently been targeted by sophisticated cyber-attacks aimed at their savings and sensitive data. In response to this surge, the Central Bank of Nigeria (CBN) in June 2022 issued the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (the “Guideline”), which sets out six mandatory risk-based approaches for strengthening the cyber defences of financial institutions.
The effective date for full compliance by other financial institutions (OFIs) with this Guideline is January 1, 2023.
Overview of the Guideline
The Guideline seeks to curtail cybercrime against OFIs, in particular threats to their information technology assets and digital operations, by requiring OFIs to maintain best practices and appropriate cyber-security standards for preventing and mitigating cybercrime in the financial sector. OFIs covered by the Guideline include Bureaux De Change, Credit Bureaus, Discount Houses, Financial Holding Companies, and Mortgage Guarantee Companies. They do not include payment processing service providers, which are regulated under the Risk-Based Cyber-security Framework and Guidelines for Deposit Money Banks and Payment Service Providers (2018).
The Guideline sets out six risk-based approaches as the minimum requirements every OFI must put in place to preserve confidentiality and integrity and to avoid financial loss and reputational risk.
The six risk-based approaches are:
Cybersecurity Operational Resilience: OFIs are mandated to adopt minimum baseline controls and mechanisms within their IT structure to build, enhance, and maintain operational resilience.
Cybersecurity Resilience Assessment: OFIs are mandated to conduct a cyber-security resilience assessment to identify vulnerabilities that could be exploited and the financial risks that could result.
Cybersecurity Governance and Oversight: OFIs are to make cyber-security a standing item on the board's agenda, prepare a cyber-security framework for the OFI supervision department of the CBN, and prepare a quarterly report on their cyber-security status for review by their boards of directors.
Cybersecurity Risk Management System: OFIs are mandated to regularly identify and evaluate risks to their information assets through risk assessments, vulnerability assessments and similar exercises.
Cyber-Threat Intelligence: OFIs are mandated to have cyber-threat intelligence measures in place.
Metrics, Monitoring & Reporting: OFIs are to put in place metrics and monitoring processes that verify compliance, provide feedback on control effectiveness, and provide the basis for appropriate management decisions.
Compliance Requirements and Procedures
In accordance with the Guideline, OFIs shall submit an annual cyber-security self-assessment report, signed by the Chief Information Security Officer (CISO), due on 31 March each year.
OFIs are required to engage a CISO who is responsible for the day-to-day cyber-security operations of the OFI and who reports to the Managing Director/Chief Executive Officer. For small-scale OFIs, a part-time consultant or the head of the Information Technology department may be appointed as CISO. Any candidate selected as CISO must meet all the requirements of the OFI “approved persons” framework.
Compliance by OFIs with the Guideline helps protect their customers against the loss of sensitive data in cyber-attacks and against the manipulation of technology assets during digital and financial transactions.