Update: CBN issues risk-based cybersecurity framework and guidelines for OFIs

Ajibola Asolo, Oluwaseun Ayansola
Aluko & Oyebode | Banking & Financial Services - Nigeria
August 23 2022

Introduction

On 29 June 2022, the Central Bank of Nigeria (CBN) approved and issued the risk-based cybersecurity framework and guidelines for other financial institutions (OFIs) in Nigeria. The guidelines have been issued further to the CBN's effort to strengthen the cyber resilience of OFIs, especially following the increase in the number and sophistication of cybersecurity threats and attacks against OFIs.

The guidelines outline the minimum requirements that OFIs are required to observe in developing and implementing strategies, policies, procedures and related activities aimed at mitigating the risks of cyberthreats and attacks.

All OFIs are expected to fully comply with the provisions of the guidelines from the 1 January 2023 effective date.

Scope

The guidelines were addressed to all OFIs. According to the Banks and Other Financial Institutions Act 2020 (BOFIA 2020), an OFI now includes:

- international money transfers services;
- financial holding company; and
- payment service providers.

The implication of the expanded definition of an OFI under the BOFIA 2020 is therefore that the guidelines will also apply to financial technology (fintech) companies, especially:

- switching and processing companies;
- mobile money operations; and
- payment solution services.

It should be noted that the CBN had previously issued the Risk-based Cybersecurity Framework and Guidelines for Deposit Framework and Payment Service Providers, dated 10 October 2018 (the 2018 framework), which applies to all banks and payment service providers (PSPs).
Despite the expansion of the definition of OFIs to now include PSPs by virtue of the BOFIA 2020, it appears that the intention is to have the 2018 framework apply to PSPs, whereas the guidelines will apply to all other OFIs from the effective date. The reason for this inference is that Appendix II (Know Your Environment) to the guidelines contemplates a situation where an OFI engages a PSP (as such, treating OFIs as separate from PSPs). It will therefore be useful to achieve clarity as to whether this is the intention.

The guidelines are divided into six parts:

- cybersecurity governance and oversight;
- cybersecurity risk management system;
- cyber resilience assessment;
- cybersecurity operational resilience;
- cyberthreat intelligence; and
- metrics, monitoring and reporting.

Governance and oversight

Every OFI is required to put in place a cybersecurity governance structure that sets the agenda and boundaries for cybersecurity management and controls. The governance structure will spell out the responsibilities of the board of directors (BOD), the senior management (SM) and the chief information security officer (CISO), as stipulated in the guidelines. According to the guidelines, the BOD will be responsible for the provision of oversight, leadership and resources to ensure that cybersecurity governance becomes an integral part of corporate governance. The SM will be responsible for the implementation of the BOD-approved cybersecurity strategy, policies and standards, among other things, and the delineation of cybersecurity responsibilities.

The BOD of every OFI will appoint or designate a qualified person, such as a CISO. The CISO will have the same seniority as the SM and will be responsible for the day-to-day cybersecurity activities and the mitigation of cybersecurity risks in the OFI, among other things. The CISO will report to the managing director/chief executive officer (at least quarterly) on the cybersecurity status of the OFI.
However, for small OFIs, such as rural-based unit tier II microfinance banks (MFBs), the head of information technology (IT) may double as the CISO or engage the services of a qualified third-party consultant to serve as the CISO on a part-time basis. Other than unit tier II MFBs, the guidelines do not identify other financial service providers that potentially qualify as small OFIs.

Risk management system

OFIs shall ensure that an effective risk management system is put in place. The risk management system shall comprise four basic activities:

- risk assessment;
- risk measurement;
- risk mitigation or risk treatment; and
- risk monitoring and reporting.

OFIs are required to regularly conduct risk assessments and threat analysis to detect and evaluate risks to their information assets. They are also required to determine the appropriateness of security controls in managing risk.

Resilience assessment

OFIs are required to regularly conduct cybersecurity resilience assessments to evaluate their defence posture and readiness to tackle cybersecurity risks. Such assessments will determine both the OFI's present state and its target or desired cybersecurity profile or state. This is important considering the rapid advancement in IT, the interconnection between networks and the multiple threats in cyberspace.

Under the guidelines, OFIs are also required to submit to the director of the OFI supervision department of the CBN a report of their cybersecurity self-assessment, signed by the CISO after its approval by the SM, no later than 31 March of every year.
The report shall provide the procedure, tools and framework used to:

- conduct the cybersecurity self-assessment;
- identify gaps, threats and risks;
- identify the potential impact;
- prioritise action plans to mitigate the risks identified;
- provide a timeline for remediation; and
- provide a remediation status with possible residual vulnerabilities and risks.

Operational resilience

The guidelines require OFIs to build, enhance and maintain their cybersecurity operational resilience by putting in place minimum controls, such as know-your-environment and other operational resilience measures or controls to protect the confidentiality, integrity and availability of information assets, among other things.

Cyber-threat intelligence

OFIs are required to possess a fact-based objective knowledge of all emerging threats, cyberattacks, attack vectors, mechanisms and indicators of attack or compromise to their information assets that will be used to make informed decisions. To achieve this, OFIs are required, among other things, to put in place a cyberthreat intelligence programme to proactively identify, detect and mitigate potential cyberthreats and risks.

Metrics, monitoring and reporting

To ensure compliance and provide feedback on the effectiveness of management controls and the basis for appropriate management decisions, the BOD and the SM of OFIs are required to put in place metrics and monitoring processes and establish effective and reliable reporting and communication channels for dissemination of cybersecurity-related information.

Compliance and enforcement

The BOD and the SM of OFIs are required to ensure compliance with all relevant statutes and regulations, such as the Nigerian Cybercrimes (Prohibition, Prevention etc) Act 2015 and all CBN directives, to avoid breaches of legal, statutory and regulatory obligations related to cybersecurity, and breaches of any security requirements.

The CBN will be responsible for establishing appropriate procedures for monitoring compliance with the
guidelines and other laws and regulations and will enforce compliance with the provisions of the guidelines. It should therefore be noted that according to the guidelines, any non-compliance with the framework will attract appropriate sanctions as may be determined by the CBN in accordance with the CBN Act and BOFIA.

Effective date

The guidelines are to take effect from 1 January 2023, by which day all OFIs are expected to be in full compliance with their provisions.

Other points for OFIs to note include the following considerations.

Cybersecurity self-assessment tools

The guidelines contain links to cybersecurity self-assessment tools, including:

- the Federal Financial Institutions Examination Council cybersecurity assessment tool;
- the US Computer Emergency Readiness Team cyber-resilience review;
- the Control Systems Cyber Emergency Response Team's cybersecurity evaluation tool;
- the payment card industry data security standard and self-assessment questionnaire;
- the International Organization for Standardization 27001;
- the CBN circulars relating to cybersecurity; and
- the Nigerian Cybercrimes (Prohibition, Prevention etc) Act 2015.

Reporting templates

The guidelines also contain links to reporting templates, including:

- cybersecurity self-assessment;
- cyberthreat reporting; and
- cyber-incidents reporting.

Review of existing SLAs

The guidelines require OFIs to maintain an up-to-date inventory of services rendered by vendors, contractors or third parties with valid service level agreements (SLAs) and ensure that each SLA contains at least the following:

- the details of service rendered;
- a non-disclosure agreement;
- the roles and responsibilities of each party;
- the duration of the agreement;
- the details of the vendor's service level manager;
- a service quality metric or evaluation criteria; and
- the right-to-audit clause.

Comment

The guidelines provide for the cybersecurity measures that OFIs must now mandatorily put in place to prevent and/or mitigate the risks of cyberthreats and attacks that have
become increasingly frequent. Given the impact that the guidelines will have on businesses and OFIs, including additional compliance and regulatory requirements, all OFIs are encouraged to review the guidelines against their activities to determine the steps required in order to be in full compliance with the guideline provisions before the effective date of 1 January 2023.

For further information on this topic please contact Ajibola Asolo or Oluwaseun Ayansola at Aluko & Oyebode by telephone (+234 1 462 8360 71) or email. The Aluko & Oyebode website can be accessed at www.aluko-oyebode.com.