By Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).

INTRODUCTION

Set to take effect from January 1, 2023, this regulatory guideline is aimed at Other Financial Institutions (OFIs), such as microfinance and development banks. It is intended to enhance cybersecurity and strengthen defenses against cyberattacks targeted at the information and communications systems on which the financial industry heavily relies to operate. It was triggered by the recent spike in, and sophisticated nature of, cyberattacks and threats posed by hackers targeting the finance industry.[1]

A cyberattack is an attempt to compromise and steal confidential data, or to destroy a computer system or network. Cyberattacks include malware, phishing, and DoS/DDoS (denial-of-service/distributed denial-of-service) attacks. DoS/DDoS attacks, when launched on the host system, barrage it with illegitimate requests, which makes it unable to ‘provide service’ to those who need it.[2] They drain the resources of a system, making it impossible to grant users’ requests and leaving it vulnerable to other forms of attack, to the point that it could crash.[3]

Cybersecurity is the protection of internet-connected systems and data from cyber threats, to protect against unauthorized access to confidential information.[4]

The regulations comprise 6 major parts:[5]

  1. Cybersecurity governance and oversight: This sets the agenda and boundaries for cybersecurity management and controls by directing and supporting the security efforts of the OFIs. The provision of oversight and leadership ensures that cybersecurity enforcement becomes an integral part of the organization in question. This responsibility rests on the Board of Directors of each OFI, which is also responsible for allocating adequate resources to enhance cybersecurity. Additionally, the OFIs are required to appoint a Chief Information Security Officer (CISO), responsible for (among others) developing and implementing the cybersecurity program as approved by the Board, and ensuring that the institution maintains an updated inventory of its users, devices, and relationships.
  2. Cybersecurity risk management system: This is to ensure the effectiveness of an OFI’s security governance by independently and proactively evaluating all the risks relating to cybersecurity. It makes use of methodologies for risk identification, analysis, and control. Reports shall be provided to the senior management/relevant committee on a quarterly basis. Internal audits shall be carried out to mitigate the risk of cyberattacks. The internal audit shall be risk-based and provide assurance to the senior management on the effectiveness of the cybersecurity program. Cyber risk assessments should be updated regularly to address changes or the introduction of new technologies and products, to ensure accurate risk measurement.
  3. Cyber resilience assessment: Resilience provides an assurance of sustainability for the organization, and is useful in evaluating an organization’s defense and readiness to tackle cybersecurity risks. OFIs are required to build, enhance and maintain their cybersecurity, especially in view of the rapid advancement in IT. This assessment shall be submitted to the Director of the OFIs Supervision Department of CBN yearly, containing identified gaps, threats and risks.
  4. Cybersecurity operational resilience: Two controls stem from this: ‘Know Your Environment’ and ‘Enhancing Cybersecurity Resilience’. The first deals with the business environment: the OFI shall devise mechanisms to maintain an updated inventory of authorized software, hardware and network devices, so that all unauthorized ones are reported appropriately. The latter is concerned with improving cybersecurity resilience to ensure the availability of information assets and promote a safe banking system.
  5. Cyber-threat intelligence and metrics: This demands an objective, factual knowledge of all emerging threats and cyberattacks, to make informed decisions. OFIs must establish a Cyber-Threat Programme to identify and mitigate potential cyber threats and risks. These potential threats are to be reported to the Director of the OFIs Supervision Department (CBN) as well. Uniquely, it is set to review the commonly adopted ‘Bring Your Own System (BYOS)’ policy.
  6. Monitoring and reporting: OFIs are mandated to put metrics in place to ensure compliance, provide feedback on the effectiveness of controls and provide the basis for decision-making. A reporting process shall also be adopted for the dissemination of security-related material such as changes in policies, standards and new emerging threats. All OFIs are to report all cyber-incidents to the Director of the OFIs Supervision Department as well.

Compliance with Statutory and Regulatory Requirements: Non-compliance with the guidelines shall attract appropriate sanctions to be determined by the CBN, in accordance with the CBN Act and Banks and Other Financial Institutions Act (BOFIA).[6] The BOFIA 2020, set in place to repeal that of 1991 as it was out of touch with technological advancement, lends the following powers for sanctions to the CBN, some of which include:[7]

  1. Suspension of payment pertaining to any contract to which a defaulting bank is party.
  2. Procurement of shares up to a level that guarantees control of the bank, which should encourage closer supervision.
  3. Provision for penalties of up to N50 million, or imprisonment for up to 5 years for non-compliance[8].
  4. Revocation of licenses to operate, or complete liquidation of the bank.

Incident Response and Disaster Recovery:[9] The guidelines also make provision for addressing the aftermath of a security breach, with the objective of reducing damage, recovery time and costs. The ‘disaster recovery’ allows for immediate response to reduce damage and resume business functions quickly. OFIs are mandated to review their Disaster Recovery/Business Continuity documents to ensure adequacy in supporting breaches. This must be tested, so that any necessary improvements can be made. A response plan shall also be shared with stakeholders, stipulating the establishment of a dedicated team focused on detecting and responding to cyber incidents.

As seen with Kenya’s Cyber Security Guidelines for Payment Service Providers, CBN also makes provision for the establishment of a PSP Security Assurance Programme, to ensure due diligence and thorough vetting of the PSPs before establishing relationships with them.

What Gave Rise to Its Enactment?

As stated earlier, threats such as ransomware, phishing and Advanced Persistent Threats (APT) have become prevalent, thus creating a need to strengthen cyber resilience and security to secure critical information in the financial sector.[10] Key pieces of information stored by these industries need to be protected, to prevent data from being misused by third parties for fraud, such as phishing scams and identity theft,[11] or even a country’s general economic/financial data being used against it. The key function of the guidelines is to protect the OFIs from cyberattacks, and then the whole financial sector by extension.

Advantages of the Guidelines[12]

  1. It creates a safer cyber environment that strengthens information system security, thereby promoting the stability of the OFIs
  2. It contributes toward the prevention and combating of cybercrime in the financial industry
  3. It promotes the adoption/implementation of the best practices and standards relating to cybersecurity
  4. It restores public trust and confidence in the OFI sub-sector
  5. It promotes a cybersecurity culture and awareness through skills development

Comparative Analysis: Ghana and Kenya as Case Studies

As of 2019, an increasing number of businesses had migrated online, and cybersecurity threats became rampant, an issue President Nana Akufo-Addo referred to as one of national security. According to the Cybercrime Unit of Ghana’s Criminal Investigations Department, Ghana lost approximately $97m to cybercrime in 2018, higher than $69m in 2017 and $26m in 2016.[13]

The Bank of Ghana implemented a Cyber and Information Security Directive, providing a framework for security measures for IT data centers and control rooms to assure data and network security. There is also the Cyber Security Directive for Financial Institutions, which was launched in October 2018 to establish guidelines for cybersecurity and information security in the financial sector, and to strengthen bank and customer confidence in the security of banking technology. Banks will be obliged to implement cybersecurity controls and follow a timeline to ensure that they are meeting requirements. All banks will also be required to appoint a cyber and information security officer to advise senior management and shape policies regarding cybersecurity issues. The directive applies to all entities regulated by the Bank of Ghana, which must comply with the standards as stipulated.[14]

Kenya’s Central Bank, on the other hand, has developed Cyber Security Guidelines for Payment Service Providers, with the objective of creating a safer cyberspace that underpins information system security priorities, to promote stability of the Kenyan payment system sub-sector.[15] Reporting requirements (backed up by the National Payment System Act, Banking Act, and CBK’s Guidance Note on Cybersecurity) have also been put in place for licensed banks and payment system providers, requiring them to disclose to the Central Bank of Kenya major security breaches and incidents of fraud, especially those that could have an adverse effect on the ability to provide adequate services to customers.[16]

It can be deduced that these two countries have been proactive in the measures taken to ensure that cyberattacks are minimized and have little impact on their financial industries. This has established a more coordinated approach to the prevention and combating of cybercrime.

CONCLUSION 

Based on the foregoing, it is clear that there are similarities among the three countries observed in this article. The CBN’s cybersecurity risk management system and resilience assessment pursue the same aims as the CBK’s (Central Bank of Kenya) Cybersecurity Guidelines, which mandate periodical reports on new technologies and potential threats to the central bank. There is also the appointment of a cyber and information security officer, to advise senior management and shape policies (adopted by both the CBN and Bank of Ghana).

It is known that the technology industry continues to grow in waves, and there is nothing to put it to a halt. Therefore, financial institutions must take initiative to implement policies capable of combating excesses presented by technological advancement so that crucial information is kept private and safe, and long-term financial health is ensured. Failure to do this puts not just the industry but the whole society in turmoil.

AUTHOR: Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.

Mr. Atoyebi has expertise in and a vast knowledge of Cyber Law and this has seen him advise and represent his vast clientele in a myriad of high level transactions.  He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: John Oladipo.

John is a Team Lead in the Dispute Resolution Team at OMAPLEX Law Firm. He also holds commendable legal expertise in Cybersecurity and Data Privacy.

He can be reached at john.oladipo@omaplex.com.ng.

[1] Justice Okamgba, ‘CBN Sends a 41-Paged Cybersecurity Guidelines to OFIs’ (Tech Economy, 4 July 2022) <https://techeconomy.ng/2022/07/cbn-sends-a-41-paged-cybersecurity-guidelines-to-ofis/> Accessed 18 July 2022. See also fn.5

[2] Top 20 Most Common Types of Cyber Attacks (Fortinet, No Date) <Top 20 Most Common Types Of Cyber Attacks | Fortinet> Accessed 21 July 2022

[3] Ibid 2

[4] Sharon Shea, ‘What is Cybersecurity’ (Tech Target, 2021) <https://www.techtarget.com/searchsecurity/definition/cybersecurity#:~:text=Cybersecurity%20is%20the%20protection%20of,centers%20and%20other%20computerized%20systems> Accessed 18 July 2022

[5] Nkiru Asiegbu, Letter to All Other Financial Institutions (June 2022) https://www.cbn.gov.ng/Out/2022/OFISD/Letter%20to%20all%20OFIs%20Issuance%20of%20Risk-Based%20Cybersecurity%20Framework%20and%20Guidelines%20for%20Other%20Financial%20Institutions.pdf Accessed 18 July 2022. Applicable to numbers 1 – 6 respectively.

[6] Ibid 5

[7] Olayinka Alao, ‘Nigeria: BOFIA 2020: What’s New?’ (Mondaq, 15 October 2021) < BOFIA 2020: What’s New? – Financial Services – Nigeria (mondaq.com)> Accessed 21 July 2022. Applicable to numbers 1 – 4.

[8] Christina Ngene, ‘BOFIA 2020 – Updated Act for the Banking and Financial Sector in Nigeria’ (Africa Reinvented, 20 November 2020) <BOFIA 2020 – Updated Act For The Banking and Financial Sector in Nigeria (africareinvented.com)> Accessed 21 July 2022

[9] Nkiru Asiegbu, Letter to All Other Financial Institutions (June 2022) https://www.cbn.gov.ng/Out/2022/OFISD/Letter%20to%20all%20OFIs%20Issuance%20of%20Risk-Based%20Cybersecurity%20Framework%20and%20Guidelines%20for%20Other%20Financial%20Institutions.pdf Accessed 18 July 2022

[10] Ibid 1

[11] John Kyriazoglou, Reasons for Protecting Personal Data: A guide for managers (November 2021) (PDF) Reasons for Protecting Personal Data: A guide for managers (researchgate.net) Accessed 19 July 2022. See also Access denied (fsb.org.uk)

[12] Ibid 5

[13] ‘Cybersecurity of top priority for Ghanaian banks’ (Oxford Business Group, 2019) <https://oxfordbusinessgroup.com/analysis/safe-and-secure-use-online-services-continues-grow-strengthening-cybersecurity-remains-top-area> Accessed 18 July 2022

[14] Aquiles Almansi et al, Financial Sector’s Cybersecurity: A Regulatory Digest (May 2019) <https://thedocs.worldbank.org/en/doc/208271558450284768-0130022019/original/CybersecDigest3rdEditionMay2019.pdf> Accessed 18 July 2022

[15] Ibid 14

[16] Nzilani Mweu, ‘Cybersecurity Laws and Regulations Kenya’ (ICLG 11 March 2021) <Cybersecurity Laws and Regulations Report 2022 Kenya (iclg.com)> Accessed 19 July 2022
