Inside CBN's Risk-Based Cybersecurity Framework for OFIs
The CBN issued an exposure draft of the Risk-Based Cybersecurity Framework for Other Financial Institutions. This article provides a bird's eye view of the framework and offers a prognosis of its impact on OFI operations in Nigeria.
As the world, and Nigeria with it, shifts increasingly towards automation and the adoption of technology in the financial ecosystem, the risk of attacks will foreseeably continue to grow. These economic threats, coupled with the need to harmonize security practices so that no institution becomes a weak link, have prompted regulatory action by the Central Bank of Nigeria.
The PSP-OFI Classification Problem
One issue that stands out is the question of whether the framework applies to PSPs. PSPs are, by virtue of BOFIA, OFIs, and they are already governed by the subsisting Risk-Based Cybersecurity Framework for DMBs and PSPs. The new Framework contains specific provisions on the interface between OFIs and PSPs, which suggests that the CBN may not regard PSPs as OFIs for the purposes of this Framework.
The Intersection of Cybersecurity and Corporate Governance
The framework mandates the creation of the office of the Chief Information Security Officer and places responsibility on the board to instil a cybersecurity-conscious culture within the OFI. Financial regulators around the world are turning their attention to cybersecurity in a bid to establish and maintain a safe and sound financial ecosystem.
New Reporting Obligations
OFIs must now file three types of reports: a Cybersecurity Self-Assessment Report (annually by March 31), Cyber-Threat Intelligence Reports (promptly as they arise), and Cyber-Incidents Reports (within 24 hours of detection).
The new Framework largely adapts the provisions of the CBN's previous Risk-Based Cybersecurity Framework to the operations of OFIs. It is a step in the right direction, as it plugs a regulatory gap by covering institutions that were previously largely unregulated in this respect.
Originally published as a Regcompass Newsletter