April 1, 2026

CBN Directs Banks to Submit Cybersecurity Assessment Within Three Weeks

The Central Bank of Nigeria (CBN) has ordered all deposit money banks to complete a mandatory cybersecurity self-assessment within three weeks as part of efforts to strengthen the resilience of the nation’s financial system.

In a letter dated March 30, 2026, made public on Tuesday, the apex bank stated that all other regulated financial institutions have five weeks to submit their assessments. The directive introduces the Cybersecurity Self-Assessment Tool (CSAT), designed to evaluate the cyber risk exposure of banks, selected financial institutions, and payment service providers.

The CBN explained that the move is in line with its statutory powers under the Banks and Other Financial Institutions Act, 2020, and is aimed at improving cybersecurity standards across the sector.

“The CSAT is a structured supervisory instrument designed to obtain comprehensive information on the cybersecurity posture of regulated institutions,” the letter read. “It will assess governance structures, risk management frameworks, technology systems, third-party risk exposure, incident response capacity, and overall operational resilience.”

The apex bank emphasized that all submissions must be complete, accurate, and accompanied by supporting documentation, reflecting the institutions’ positions as of December 31, 2025. False or misleading disclosures, it warned, will attract sanctions.

The CBN also disclosed plans to validate the submissions through off-site reviews and supervisory engagements to ensure reliability. The directive takes immediate effect and underscores the regulator’s heightened scrutiny of cyber threats in the financial sector amid growing digital transactions.