Nigerian banks must report any cyber incident, whether successful or not, according to a new directive by the Central Bank of Nigeria (CBN).
Reluctance to make cases of cyber attacks public has been seen as a major drawback for the banking industry, as banks have been conscious of the potential impact on their brand and operations of letting the general public know they have been attacked. This has led to secrecy around cyber fraud in the Nigerian banking industry.
The new regulation becomes effective August 1, 2018, and affects all deposit money banks and payment service providers. Reports are required to be made immediately, according to a draft document by the CBN on the Risk-Based Cybersecurity Framework and Guidelines for input from stakeholders.
The apex bank has also mandated banks to incorporate cyber risk management into their institution-wide risk management framework and governance requirements, to ensure consistent management of risks across the institution.
The mandate to report incidents comes on the heels of observed under-disclosure and outright non-disclosure of some fraudulent incidents by industry operators in Nigeria.
Nigerian banks are required to appoint a Chief Information Security Officer (CISO) who will be responsible for overseeing and implementing cyber security programmes.