INTRODUCTION

Considering the reliance of financial institutions on Information and Communications Technology (ICT) to operate their business, and the rising incidence of cyber threats and attacks targeted at financial institutions, it has become necessary to implement cyber-security measures to mitigate those risks. To this end, the platform on which information is processed and transmitted should be managed in a way that protects the confidentiality, integrity, and availability of information and guards against, amongst other things, monetary loss and reputational risk.

In view of the above, the Central Bank of Nigeria (CBN) issued a framework and guideline for Other Financial Institutions (OFIs), to be observed in the development and implementation of Strategies, Policies, Procedures, and related activities aimed at mitigating cyber risk.[1]

CYBER SECURITY RISK MANAGEMENT SYSTEM

The risk management system of the OFI serves to reduce the incidence of significant adverse impact on the organization by addressing threats, mitigating exposure, and reducing vulnerability.[2] It also aims to understand the risk profile and level of risk tolerance of the organization.[3]

Considering this, the cyber risk assessment should be updated regularly, and before deployment, to address changes or the introduction of new technologies, products, etc., so that risk measurement remains accurate.[4] Risk treatment options such as risk reduction, risk retention, risk avoidance, risk transfer, and residual risk should be selected based on the outcome of the risk assessment.[5] An OFI should therefore conduct regular risk assessments, vulnerability assessments, and threat analyses to detect and evaluate the risk to the OFI's information assets and to determine the appropriateness of security controls in managing risk.[6]

HOW TO DETERMINE THE CURRENT CYBER-SECURITY PROFILE

OFIs shall determine their current Cybersecurity position at regular intervals by evaluating all identifiable Cyber-security vulnerabilities, threats, the likelihood of successful exploits, potential impact, and the associated risks in order to estimate the amount of resources and efforts required to recover from losses/damages attributable to potential Cyber incidents.[7]

It follows from the above that this assessment should cover the adequacy of cyber-security governance, policies, procedures, and standards; inherent risks in business operations; visibility of emerging threats to information assets; capability to swiftly respond to and recover from cyber-incidents; vendor risk; and the efficacy of existing controls to mitigate the identified risks.[8]

Upon discovery of gaps, an OFI shall promptly develop a detailed roadmap to address them. This roadmap shall set out the vulnerability/risk treatment plan to be completed within a stipulated period. The plan may include updating the cyber-security policy, establishing a security operations center, signing up with external cyber threat intelligence agencies, etc.[9]

REPORTING CYBER-SECURITY SELF ASSESSMENT

A report of the cyber-security self-assessment shall be submitted by each OFI to the Director, Other Financial Institutions Supervision Department of the Central Bank of Nigeria, not later than 31st March of every year. The report shall set out the procedural tools/framework used to conduct the cyber-security self-assessment; the identified gaps, threats, and risks; their potential impact; a prioritized action plan to mitigate the identified risks together with the timeline for remediation; and the remediation status, including any possible residual vulnerabilities/risks.[10]

CYBER-SECURITY OPERATIONAL RESILIENCE

OFIs are required to build, enhance, and maintain their cyber-security operational resilience, which will ultimately contribute to reducing cybercrime in Nigeria and strengthen the banking sector's cyber defense.[11] OFIs must put in place controls on their critical IT infrastructure to preserve, among other things, the confidentiality, integrity, and availability of information assets.

An OFI shall endeavor to be acquainted with its business environment and critical assets. It should devise a mechanism to maintain an up-to-date inventory of authorized software, hardware, other network devices, and internal and external network connections.[12] An OFI shall continuously improve its cyber-security resilience in order to ensure the confidentiality, integrity, and availability of information assets whilst promoting a safe and sound banking system in Nigeria.[13]

CYBER-THREAT INTELLIGENCE

An OFI is required to possess objective knowledge of all emerging threats, cyber-attacks, attack vectors, mechanisms, and indicators of attack/compromise affecting its information assets, which shall be used to make informed decisions. To this end, OFIs are required to establish a Cyber-Threat Intelligence (CTI) program which shall proactively identify, detect, and mitigate potential cyber threats and risks.[14] OFIs must also establish a CTI policy, approved by the Board of Directors, to aid the proactive identification of emerging cyber threats, trends, patterns, risks, and possible impacts.[15]

METRICS, MONITORING, AND REPORTING

An OFI shall put in place metrics and monitoring processes to ensure compliance, provide feedback on the effectiveness of controls, and provide the basis for appropriate management decisions.[16] The metrics should provide the information needed to assess the effectiveness of the OFI's overall cyber-security program, measure its performance and efficiency, and support effective decisions at the strategic, management, and operational levels.[17] An OFI shall have a reporting process that defines the reporting and communication channels to be established for the dissemination of security-related material, such as changes in policies, standards, and procedures, and new or emerging threats and vulnerabilities.[18]

CONCLUSION

In conclusion, the Board and Senior Management of OFIs shall ensure compliance with all relevant statutes and regulations, such as the Nigerian Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, and all CBN directives, in order to avoid breaches of legal, statutory, and regulatory obligations related to cyber-security and any other security requirements.[19] The CBN, for its part, shall ensure the establishment of appropriate processes and procedures for monitoring compliance with this framework and other extant laws and regulations.

FOOTNOTES:

[1] Guideline 1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[2] Guideline 3.1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[3] Guideline 3.2 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[4] Guideline 3.4 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[5] Guideline 3.5 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[6] Guideline 3.7 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[7] Guideline 4.1.1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[8] Guideline 4.1.2 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[9] Guideline 4.2 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[10] Guideline 4.3 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[11] Guideline 5 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[12] Guideline 5.1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[13] Guideline 5.2 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[14] Guideline 6.1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[15] Guideline 6.2 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[16] Guideline 7.1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[17] Guideline 7.2 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[18] Guideline 7.4 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)

[19] Guideline 8.1 of the Risk-based Cyber-Security Framework and Guidelines for Other Financial Institutions (OFIs)
