In June 2018 – in view of the increasing focus on cybersecurity worldwide and the rise in cyber threats both in and outside Nigeria – the Central Bank of Nigeria (CBN) issued a draft risk-based framework and guidelines on cybersecurity for deposit money banks (DMBs) and payment service providers (PSPs), which will come into force on 1 January 2019.(1) The draft guidelines aim to complement and build on the Cybercrimes (Prohibition, Prevention) Act 2015 (the Cybercrimes Act), which the National Assembly passed into law in May 2015, by promoting cybersecurity and protecting computer systems and networks and electronic communications.
One of the key motivations behind cyberattacks is money; as such, the financial sector is particularly susceptible to cybercrime. Financial activity is largely dematerialised and reliant on technology, and crucial market infrastructures (eg, payment and settlement systems) are potential single points of attack whose compromise could have wide-ranging and damaging consequences, not only for the global economy but also for the individual organisations that fall victim. Further, technology is increasingly being used in Nigeria for payments and remittances following the African fintech boom. The interconnectivity between financial institutions and their infrastructures also means that there is a significant risk of contagion from any successful cyberattack. As such, there is a need for a robust cybersecurity regime within the Nigerian financial sector. Essentially, the strength of any financial system or institution rests on the confidence and trust that customers and the general public place in it; thus, it is critical that systems and institutions protect this confidence and trust by appropriately managing the risks and challenges that they face.
Section 37 of the Cybercrimes Act provides that financial institutions' duties include:
- verifying the identity of their customers who carry out electronic financial transactions; and
- applying the know-your-customer principle to customer documentation before executing electronic transfer, payment, debit or issuance orders.
The Cybercrimes Act also provides that financial institutions owe their customers a duty to implement effective counter-fraud measures to safeguard customers' sensitive information. Separately, the act requires any person or institution that operates a computer system or network to immediately inform the National Computer Emergency Response Team Co-ordination Centre of any attack, intrusion or other disruption liable to hinder the functioning of another computer system or network, so that the centre can take the necessary measures to tackle the issue.
With the draft guidelines, the CBN has gone further by providing the minimum cybersecurity framework to be put in place by DMBs and PSPs in Nigeria. The draft guidelines address a number of issues, including:
- cybersecurity governance;
- risk management; and
- the effectiveness of and compliance with the cybersecurity strategy.
The CBN notes that for a cybersecurity programme to be successful, it must be fully integrated into a financial institution's business, goals and objectives and be an integral part of its risk management process. Similar to other compliance risks that businesses and organisations face, the CBN regards cybersecurity as the responsibility of a DMB or PSP's board of directors. As such, all DMBs and PSPs must have a board-approved cybersecurity strategy that provides direction on how the DMB or PSP will achieve its cybersecurity goals. This strategy is to be supported by a cybersecurity framework that aligns policies, business and technological approaches to address cyber risks and clearly defines all cybersecurity roles and responsibilities within the organisation. In effect, the board must ensure that cybersecurity is completely integrated with all business functions and well managed across the DMB or PSP.
To further enhance cybersecurity in financial institutions, the board must be supported by the DMB or PSP's:
- senior management, which will be responsible for implementing the cybersecurity strategy and the board-approved cybersecurity policies;
- chief information security officer, who will be responsible for day-to-day cybersecurity activities and for mitigating cybersecurity risks; and
- information security steering committee, which will comprise senior representatives of the DMB or PSP and be responsible for the governance of the cybersecurity strategy.
The draft guidelines require DMBs and PSPs to achieve 'cybersecurity resilience', which is described as an organisation's ability to maintain normal operations in the face of cyber threats and potential risks. To this end, DMBs and PSPs must incorporate cyber risk management within their institution-wide risk management framework and governance requirements to ensure consistent management of risk across the institution. The risk management system will cover the following basic activities:
- risk assessment;
- risk measurement;
- risk mitigation and treatment; and
- risk monitoring and reporting.
An effective risk management system will reduce the incidence of significant adverse impact on an organisation by addressing threats, mitigating exposure and reducing vulnerability.
DMBs and PSPs must report all information obtained from risk management activities to their senior management and board for decision making.
All DMBs and PSPs must implement metrics and monitoring processes to:
- ensure compliance;
- produce feedback on the effectiveness of controls; and
- provide the basis for appropriate management decisions.
The metrics will assess the effectiveness of the DMB or PSP's overall cybersecurity strategy and measure its performance and efficacy. DMBs and PSPs must establish effective and reliable reporting and communication channels to provide their senior management and board with quarterly reports on their cyber/information security strategy. Further, the compliance department of a DMB or PSP must review its cybersecurity strategies and processes to ensure adherence to internal cybersecurity policies, relevant CBN directives and other extant regulations.
Finally, all DMBs and PSPs must report all cyber-related incidents to the CBN director of banking supervision. This is in addition to the CBN's general monitoring powers to ensure compliance with the draft guidelines.
Notably, the draft guidelines address most of the issues that cybersecurity regulations in other jurisdictions address, including those raised in the Financial Stability Board's (FSB's) October 2017 report following its stock-take of existing regulations and supervisory practices in G20 jurisdictions with respect to cybersecurity in the financial sector.(2) However, the guidelines are limited in scope: they address only DMBs and PSPs and have yet to come into legal effect. In addition, the CBN has yet to publish any supervisory practice with respect to cybercrime in the financial sector.
Although not yet in force, the guidelines are a step in the right direction. That said, the devil is in the details, and the guidelines' effectiveness will depend primarily on the level of compliance by DMBs and PSPs and on the CBN's supervisory framework and its implementation. It is clear from the FSB's report that cybersecurity is dynamic and that a large number of jurisdictions plan to issue new regulations, guidance or supervisory practices in 2018 addressing cybersecurity in the financial sector. The CBN will need to stay responsive and agile so that it can work with other national and international regulators in a concerted effort to address threats ahead of time. It is critical that the guidelines be implemented fully when they come into force in January 2019; otherwise, Nigeria's financial sector may be playing catch-up in the years to come or suffer irreparable harm to the confidence and trust that people place in it.
For further information on this topic please contact Oludare Senbore, Dolapo Roberts or Saheed Abudu at Aluko & Oyebode by telephone (+234 1 462 8360 71) or email. The Aluko & Oyebode website can be accessed at www.aluko-oyebode.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.