Effective August 1, 2018, all deposit money banks and payment service providers shall immediately report all cyber incidents, whether or not the attempt was successful.
A draft Risk-Based Cybersecurity Framework and Guidelines, issued by the Central Bank of Nigeria (CBN) for stakeholder input, mandates banks to integrate cyber risk management into their institution-wide risk management framework and governance requirements, to ensure consistent management of risks across the institution.
The mandate to report the incidents is coming on the heels of observed under-disclosure and outright non-disclosure of some fraudulent incidents by industry operators.
The development is also an indication that the sector is inching closer to ending the era of unnecessary excuses for withholding important information about system failures, insider-related hacking and frauds that have cost customers and banks billions of naira.
The document also noted that effective risk management reduces adverse impact on an organisation by addressing threats, mitigating exposure, and reducing vulnerability.
As usual, the apex bank has said that once the rule takes effect, non-compliance with its provisions shall attract appropriate sanctions to be determined by the CBN, in accordance with the provisions of its enabling Act and of the Banks and Other Financial Institutions Act. The CBN shall also monitor and enforce compliance with the provisions.
Under the draft framework, banks are to begin searching for a qualified appointee to serve as Chief Information Security Officer (CISO), responsible for overseeing and implementing cyber security programmes.
The CISO shall possess adequate authority, experience, independence and status to enable him/her to function properly, and shall hold a Master's degree in Cyber/Information Security together with the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications, with in-depth experience in information technology.
Banks shall take full responsibility for cyber incidents; board and senior management are required to support and be involved in the cyber risk management process by ensuring that resources and capabilities are available and that the roles of staff in managing risks are properly defined.
They “shall endeavour to be acquainted with the business environment and critical assets, devise mechanisms to maintain an up-to-date inventory of authorised software, hardware workstations, servers, network devices, other network devices, and internal and external network connections.
“All unauthorised software and hardware devices on its network shall also be identified, documented, removed and reported appropriately,” the document notes.
President Muhammadu Buhari, meanwhile, has called on nations where looted assets have been stashed to release them without the usual lengthy technicalities involved in the process of repatriation.
He said this in Nouakchott, Mauritania, during the 31st session of the African Union.
“We must all collectively work to place high on the agenda the need for open and participatory government, as well as the repatriation of stolen assets without procedural technicalities and legal obstacles,” he said.
A statement by his Special Adviser on Media and Publicity, Femi Adesina, said Buhari stressed that, “the scourge of illicit financial flows continues to bite, eating back the gains and militating against the attainment of our aspirations under Agenda 2063 and the Sustainable Development Goals of the United Nations 2030 Agenda.”
He reiterated Nigeria’s abiding commitment to the fight against corruption.