On CBN’s risk-based cybersecurity framework and guidelines
July 25, 2022
BY MICHAEL IRENE, PhD
The Central Bank of Nigeria’s risk-based cybersecurity framework and guidelines for other financial institutions (OFIs) is a welcome development, especially in a period defined by large-scale data exchange, where the consequences of getting the governance of these information assets wrong are severe. The guidelines cover cybersecurity oversight, risk management systems, and monitoring and reporting.
In the covering letter from Nkiru Asiegbu, Director of the Other Financial Institutions Supervision Department, the CBN expects full compliance with the provisions of the guidelines by January 2023. This means these institutions must design robust frameworks now: if not every requirement can be met at once, the structures that lead to compliance must at least be in place. In this piece, I focus on the foundation these organisations must lay to achieve a smooth implementation.
The first and most critical step is the involvement of the board. Without it, any framework built will fail. There are good reasons why the board must be involved in implementing this risk-based cybersecurity framework: enterprise-wide risk, and the decision on how to mitigate such threats, must be settled at the highest level of the organisation; and the board will know the maturity posture of the organisation and so be best placed to guide risk management decisions and prevent brand-damaging headlines. Buy-in at C-suite level remains a critical piece, and the CBN guideline says so in clear terms: “the board of directors directly or through its appropriate committee(s) shall have oversight and overall responsibility for the OFI’s cybersecurity programme.”
The next step is to create a steering committee to map out the scope of what the board intends to achieve. This committee exists for the sole purpose of understanding the framework, teasing out its expectations, and identifying the departments and individuals who can drive the project to completion. These would include a project manager, the chief information security officer, the data protection officer, and any other personnel the steering committee chairman judges able to handle the various work streams the project requires.
One of the most critical steps is understanding the company’s current posture. This is done by creating an inventory of all assets, entities, data, and vendors that process data on behalf of the company. In past articles I have assessed how this can be done and will not reiterate it here. This inventory is the foundational piece that will help companies meet the Central Bank of Nigeria’s requirements.
The guideline is clear in its expectations, and the CBN must be applauded for making the document easy to digest and assimilate. The onus is now on stakeholders to play their part in creating a safe Nigerian digital economy and in fostering trust among Nigerians and globally. Companies should not need the CBN to chase them into implementing this; they should already be thinking and acting in these terms.
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke