Smaller Financial Institutions Struggle to Meet CBN Cybersecurity Deadline
Financial institutions across Nigeria are racing to comply with a new cybersecurity directive introduced by the Central Bank of Nigeria (CBN), but industry insiders say many smaller operators may not meet the June 10, 2026 deadline.
The new regulation, introduced through a CBN circular issued on March 10, 2026, requires all regulated financial institutions to adopt a stronger cybersecurity and compliance framework aimed at improving Anti-Money Laundering (AML), Counter-Terrorism Financing (CFT), and Counter-Proliferation Financing (CPF) systems.
Under the directive, all financial institutions are expected to submit an implementation roadmap to the apex bank before the deadline.
However, Financial Vanguard gathered that while most tier-1 commercial banks are already making significant progress toward compliance, many smaller institutions including microfinance banks, finance houses, and primary mortgage banks are still far behind.
Industry sources blamed the delay largely on the absence of qualified Chief Information Security Officers (CISOs) and inadequate cybersecurity infrastructure within many smaller institutions.
Speaking on the issue, cybersecurity expert, Ms Seun Runsewe, explained that the new framework goes beyond simply purchasing software solutions.
According to her, the circular covers 12 major functional areas that require not just technology upgrades but also strong governance and security structures.
“Most of the leading banks are likely to meet the deadline because they already have CISOs, internal cybersecurity teams, and technology vendors in place,” she said.
She, however, expressed serious concern over the readiness of institutions operating below the commercial banking level.
“The majority of regulated financial institutions in Nigeria are microfinance banks, finance houses, and mortgage banks. Most of them do not even have a CISO, let alone a functioning automated AML solution. Many are starting almost from scratch, and the deadline is already very close,” Runsewe noted.
She warned that the weakness of smaller institutions could expose the entire Nigerian financial ecosystem to major cyber threats because all operators are connected through shared financial infrastructure such as the Nigeria Inter-Bank Settlement System (NIBSS), the Bank Verification Number (BVN) platform, and agency banking networks.
“It is not just their problem alone,” she explained. “One poorly protected microfinance bank can become an entry point into the wider financial system. That is how major ecosystem-wide cyber breaches happen — through the weakest connected institution. Whatever happens at the bottom eventually affects the bigger banks too.”
The development has raised concerns among industry stakeholders over the ability of smaller institutions to quickly build the required cybersecurity systems before the deadline expires.
