Bank directors will henceforth be responsible for the protection and security of customers’ data against e-fraudsters, the Central Bank of Nigeria (CBN) has directed. The new rule followed the growing sophistication of, and jump in the number of, cyber-security threats against Deposit Money Banks (DMBs) and Payment Service Providers (PSPs), which must strengthen their cyber defences to remain safe and sound. Nigeria experienced over 4,000 cyber-attacks with a 70 percent success rate and a loss of about $500 million in recent years, mainly through cross-channel fraud, data theft, email spoofing, phishing, shoulder surfing and underground websites.

In a circular released yesterday titled: Risk-based Cyber-security Framework for Deposit Money Banks, signed by K.O Balogun for CBN Director of Banking Supervision, the regulator said the provision of oversight, leadership and resources to ensure that cyber-security governance becomes an integral part of corporate governance rests with the Board of Directors. “The Board of Directors through its committees will now have overall responsibility for the DMB/PSP’s cyber-security programme. It will provide leadership and direction for effective conduct of the processes. The Board will ensure that cyber-security governance is integrated into the organisational structure and relevant processes,” it said.

Also, the board will ensure that cyber-security processes are conducted in line with business requirements, applicable laws and regulations, while ensuring security expectations are defined and met across the DMB/PSP. The Board will now hold Senior Management responsible for central oversight, assignment of responsibility and the effectiveness of the cyber-security processes, and shall ensure that the audit function is independent, effective and comprehensive.

Besides, the board will be responsible for all cyber-security governance documents, such as the cyber-security strategy, framework and policies, and will ensure their alignment with the overall business goals and objectives. The board will also, on a quarterly basis, receive and review reports submitted by Senior Management. The report shall detail the overall status of the cyber-security programme to ensure that board-approved risk thresholds relating to cyber-security are being adhered to.

The CBN also directed the boards to henceforth ensure that cyber-security is completely integrated with business functions and well managed across the DMB/PSP. Cyber-security governance should not only align with corporate and Information Technology (IT) governance, but also be cyber-threat intelligence driven, proactive, resilient and communicated to all internal and external stakeholders. Boards are also mandated to appoint or designate a qualified individual as the Chief Information Security Officer (CISO), who shall be responsible for overseeing and implementing its cyber-security programme.

“The responsibilities of senior management include the implementation of the board-approved cyber-security policies, standards and the delineation of cyber-security responsibilities. Senior management will provide periodic reports (at a minimum quarterly) to the board on the overall status of the cyber-security programme of the DMB/PSP. The Chief Information Security Officer (CISO) is responsible for the day-to-day cybersecurity activities and the mitigation of cyber-security risks in the DMB/PSP,” the apex bank said.
