Effective August 1, 2018, all deposit money banks and payment service providers in Nigeria shall immediately report all cyber incidents, whether or not the attempt was successful.
A draft document by the Central Bank of Nigeria (CBN) on the Risk-Based Cybersecurity Framework and Guidelines, meant for input from stakeholders, has mandated banks to incorporate cyber risk management into their institution-wide risk management framework and governance requirements, to ensure consistent management of risks across the institution.
The mandate to report the incidents is coming on the heels of observed under-disclosure and outright non-disclosure of some fraudulent incidents by industry operators.
The development is also an indication that the sector is inching closer to ending the era of unnecessary excuses for withholding important information about system failures, insider-related hacking and frauds that have cost customers and banks billions of naira.
The document also noted that effective risk management reduces adverse impact on an organisation by addressing threats, mitigating exposure, and reducing vulnerability.
As usual, the apex bank has said that once the rule takes off, non-compliance with the provisions shall attract appropriate sanctions to be determined by the CBN, in accordance with the provisions of its enabling Act and those of the Banks and Other Financial Institutions Act. The CBN shall also monitor and enforce compliance with the provisions.
By the draft framework, banks are to begin the search for a qualified appointee, who will serve as “Chief Information Security Officer (CISO)” responsible for overseeing and implementing cyber security programmes.
Read more at: http://guardian.ng/news/banks-get-order-to-officially-report-cyber-incidents/