On CBN Risk-Based Cybersecurity Framework and Guidelines – Businessamlive
BY MICHAEL IRENE, PhD
The Central Bank of Nigeria’s risk-based cybersecurity framework and guidelines for other financial institutions (OFIs) is a welcome strategy, especially in this historic period of large-scale data exchange, where poor governance of these information assets carries serious consequences. The guidelines cover cybersecurity oversight, risk management systems, and monitoring and reporting.
In her letter, the Director of the Department of Supervision of Other Financial Institutions, Nkiru Asiegbu, states that the provisions of the guidelines are expected to be fully complied with by January 2023. This means these institutions must design strong frameworks that meet most, if not all, of the requirements, and must also have measures in place to enforce compliance. In this article, I focus on the foundations these organizations need to establish in order to achieve a seamless implementation.
The first step, and the most critical place to start, is board involvement. Without it, any framework that is built will fail. There are good reasons why the board of directors should be involved in implementing this risk-based cybersecurity framework: cyber risk is an enterprise-wide risk, so the decision to mitigate these threats must be taken at the highest level of the organization; and the board needs to know the organization’s maturity posture in order to guide risk management decisions and keep the institution out of the headlines. Executive-level buy-in remains essential, and the CBN guideline makes this clear: “The board, directly or through its appropriate committee(s), shall have overall oversight and responsibility of the OFI cybersecurity program.”
The next step is to create a steering committee that maps out the scope of what the board intends to accomplish. This committee exists for the sole purpose of understanding the framework, sorting out the expectations, and identifying the departments and individuals who will carry out the project. Its members would include a project manager, an information security officer, a data protection officer, and any other staff whom the chair of the steering committee judges capable of managing the different workstreams the project requires.
Another critical step is to understand the posture of the business. This is done by creating an inventory of all assets, entities, data, and vendors that process data on behalf of the business; a risk-based framework cannot be applied to assets the institution does not know it has. In previous articles I have evaluated how this can be done and I won’t repeat it here. This inventory is the fundamental element that will help companies meet the requirements of the Central Bank of Nigeria.
The guideline is clear in its expectations, and the CBN is to be applauded for producing documentation that is easy to digest and assimilate. It is now up to stakeholders to play their part in creating a secure Nigerian digital economy and in building trust among Nigerians and the wider world. Companies should not wait for CBN enforcement before implementing this; they should already be thinking and acting in these terms.
Michael Irene is a data and information governance practitioner based in London, UK. He is also a Fellow of the Higher Education Academy, UK, and can be contacted via [email protected]; twitter: @moshoke