What CBN CSAT is
The Cybersecurity Self-Assessment Tool (CSAT) is a mandatory assessment framework issued by the Central Bank of Nigeria (CBN) requiring all regulated financial institutions to evaluate their cybersecurity posture across defined domains.
CSAT is not a penetration test. It is a structured self-assessment that measures an institution's cybersecurity maturity against CBN's expectations — covering governance, risk management, technical controls, incident response, and third-party risk. The results are submitted directly to CBN for review.
The timing is not coincidental. CSAT was mandated in the wake of the March 2026 breaches that compromised Sterling Bank, Remita, and the Corporate Affairs Commission. CBN is signaling that the era of voluntary cybersecurity investment is over.
Timeline: who must comply, and when
| Institution Type | Deadline | Status |
|---|---|---|
| Deposit Money Banks (DMBs) | April 20, 2026 | Passed |
| Other Financial Institutions (OFIs) | May 4, 2026 | Imminent |
| Microfinance banks, PMIs, finance companies | May 4, 2026 | Imminent |
OFIs include payment service providers, mobile money operators, microfinance banks, primary mortgage institutions, and finance companies. If you hold a CBN license, you are in scope.
Institutions that miss the deadline face regulatory scrutiny and potential sanctions. More importantly, organizations that submit a weak assessment are creating a documented record of known gaps — which CBN can reference in future enforcement actions.
Assessment scope
CSAT evaluates five domains:
1. Cyber governance
Does the institution have a board-approved cybersecurity strategy? Is there a designated Chief Information Security Officer (CISO) or equivalent? Are cybersecurity risks reported to the board at defined intervals?
Common gap: Many institutions assign security responsibility to the IT department head without formal CISO designation or board reporting lines. CSAT expects a governance structure where cyber risk is treated as enterprise risk, not an IT problem.
2. Cyber risk management
Does the institution maintain a risk register that includes cyber threats? Are risk assessments conducted regularly? Are residual risks formally accepted by management?
Common gap: Risk registers exist but are static — created during an audit cycle and never updated. CSAT expects a living risk management process with defined risk appetite statements and quantified cyber risk scenarios.
3. Cyber resilience
Can the institution continue critical operations during and after a cyber incident? Are backup and recovery procedures tested? Is there a business continuity plan that accounts for cyber-specific scenarios?
Common gap: Business continuity plans exist for physical disasters but do not address ransomware, data destruction, or extended system compromise. Recovery time objectives (RTOs) are defined on paper but never tested against realistic attack scenarios.
4. Cyber threat intelligence and situational awareness
Does the institution consume threat intelligence relevant to the Nigerian financial sector? Are indicators of compromise (IOCs) integrated into detection systems? Is there a process for sharing threat information with sector peers?
Common gap: Threat intelligence is either absent or limited to vendor-provided feeds with no local context. Few institutions participate in sector-specific information sharing. The ByteToBreach campaign — which moved laterally between Sterling and Remita — demonstrated that threat intelligence sharing could have provided early warning.
5. Incident response and management
Does the institution have a documented incident response plan? Has it been tested through tabletop exercises? Are notification procedures defined for regulators, customers, and law enforcement?
Common gap: Incident response plans exist but have never been exercised. Notification procedures do not reflect the 72-hour GAID requirement. Post-incident review processes are informal or absent.
How the breaches triggered this
CSAT existed in draft form before March 2026. The breaches accelerated its enforcement. Consider the failures that CSAT directly addresses:
- Sterling Bank — A nine-day dwell time suggests inadequate monitoring (Domain 4) and delayed incident detection (Domain 5). The exploitation of a known CVE indicates gaps in vulnerability management (Domain 2).
- Remita — Plaintext credentials in Git and misconfigured S3 point to weak technical controls and third-party risk management (Domain 2). The lateral movement from Sterling reveals inadequate network segmentation.
- Fast Credit Finance — 870 GB of customer data exfiltrated from a licensed financial institution. This is a Domain 3 failure — the organization could not detect or contain the data loss.
CBN is using CSAT to force the sector to confront these gaps systematically rather than waiting for the next breach to expose them.
Common gaps and remediation
Based on our experience assessing financial institutions against similar frameworks, we see the following gaps most frequently:
| Gap | Prevalence | Remediation Priority |
|---|---|---|
| No formal CISO or board reporting | High | Immediate — governance is foundational |
| Static risk register, no cyber scenarios | High | 30 days — requires risk workshop |
| No tested incident response plan | Very high | 30 days — tabletop exercises |
| No threat intelligence consumption | High | 60 days — requires vendor/feed selection |
| BCP without cyber scenarios | High | 60 days — scenario design + testing |
| No 72-hour notification workflow | Very high | Immediate — GAID is already in effect |
| Weak privileged access management | High | 30 days — access review + PAM tooling |
| No third-party security assessments | Medium | 90 days — vendor risk framework |
NDPA and GAID intersection
CSAT does not exist in isolation. The Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID), effective September 19, 2025, create parallel obligations:
- 72-hour breach notification to NDPC for any personal data breach
- Data protection impact assessments for high-risk processing activities
- Data controller registration with NDPC
- Fines up to 2% of annual gross revenue or N10 million, whichever is higher
Financial institutions that fail CSAT domains related to incident response and data protection are simultaneously non-compliant with GAID notification requirements. A single breach can trigger enforcement from both CBN and NDPC.
The practical implication: Your incident response plan must include parallel notification workflows — one for CBN (sector regulator) and one for NDPC (data protection authority) — with different reporting requirements and timelines.
Post-CSAT: what comes next
Submitting a CSAT assessment is the beginning, not the end. Here is what the procurement and compliance landscape looks like after May 2026:
Immediate (May–July 2026)
- Gap remediation — Institutions that identified weaknesses must now fund and execute remediation. This is where security budgets get real.
- Vulnerability assessments and penetration testing — CBN will expect evidence that self-identified gaps have been tested by independent parties.
- Incident response readiness — Expect CBN to mandate tabletop exercises for institutions with weak Domain 5 scores.
Medium-term (Q3–Q4 2026)
- Continuous monitoring — CSAT is a point-in-time assessment. CBN has signaled that continuous compliance monitoring will follow, likely through periodic re-assessment cycles.
- Third-party risk management — Institutions relying on outsourced infrastructure (cloud, payments, KYC providers) will need to demonstrate that vendors meet comparable security standards.
- Sector-wide threat sharing — CBN may formalize threat intelligence sharing mechanisms, similar to the FS-ISAC model in the United States.
Long-term
- CBN cybersecurity examination — CSAT self-assessment is likely a precursor to examiner-led cybersecurity assessments, similar to the FFIEC CAT model. Institutions should prepare for on-site reviews.
- Integration with Basel and risk-weighted capital — Operational risk from cyber events may eventually factor into capital adequacy calculations.
Building a program, not checking a box
The institutions that treat CSAT as a compliance exercise will find themselves repeating this cycle every assessment period — scrambling to fill gaps, submitting aspirational responses, and hoping regulators do not look too closely.
The alternative is to use CSAT as the catalyst for a continuous security program:
- Designate a CISO with board access — Not an IT manager with an additional title. A security leader who reports on cyber risk at the enterprise level.
- Build a living risk register — Update quarterly, include quantified cyber scenarios, present to the board.
- Test your incident response — Conduct tabletop exercises at least twice annually. Include GAID notification workflows.
- Invest in detection — Deploy or tune SIEM, integrate threat intelligence feeds relevant to the Nigerian financial sector, establish baseline behavior monitoring.
- Assess your vendors — Map critical third-party dependencies. Require evidence of security controls. The Remita breach demonstrated that your security is only as strong as your partners'.
The CBN CSAT is the Nigerian financial sector's reckoning with a threat environment that has outpaced its defenses. The breaches of 2026 made that gap impossible to ignore. The question is whether institutions respond with structural investment or performative compliance.
Sources: CBN circulars, NDPA 2023 text, GAID 2025 directive, NDPC enforcement guidance, Nairametrics, Businessday.
