CBN CSAT Countdown: What Nigerian Banks Must Fix Before the Clock Runs Out


The CBN’s Cyber Security Assessment Tool isn’t new. What is new is the consequence of getting it wrong.

Nigerian banks have been sitting on CSAT readiness gaps for months — some for years — assuming that submission buys them time. It doesn’t anymore. The CBN has made clear that CSAT results are not filed and forgotten. They are a baseline the regulator intends to hold institutions against.

If your institution is still treating CSAT as an annual form-filling exercise, this post is for you.


What the CBN CSAT Actually Measures

The CSAT is the CBN’s primary tool for benchmarking cybersecurity maturity across Nigerian financial institutions. It maps to the CBN Risk-Based Cybersecurity Framework (2021) and evaluates institutions across five domains:

  • Governance and Risk Management
  • Asset Management
  • Access Control and Identity Management
  • Incident Response and Recovery
  • Third-Party Risk Management

Most institutions score acceptably on governance — and fail operationally. Policies exist. Procedures are documented. But when the assessor asks for evidence of control effectiveness — logs, test results, incident records — the folders are empty.


The Six Controls That Consistently Fail

Across the CSAT domains, the same control gaps appear repeatedly in Nigerian institutions. If your team cannot produce documented evidence for all six of these right now, your CSAT submission is at risk:

1. Privileged Access Management (PAM)
Can you evidence who has administrative access to your core banking system, when that access was last reviewed, and what the outcome of that review was? For most banks, the answer involves a spreadsheet last updated 14 months ago.

2. Incident Response Testing
The CBN expects documented evidence of tabletop exercises or live simulations. A written incident response plan alone does not satisfy this requirement. When did your institution last test its IR plan?

3. Third-Party Cyber Risk Assessments
The framework requires institutions to maintain a current inventory of critical third parties and evidence of periodic security assessments. Fintech partnerships, core banking vendors, and cloud providers all fall within scope. Most vendor registers are incomplete.

4. Security Awareness Training Records
Completion rates and training content documentation — not just a confirmation that training happened — are required. If your LMS cannot export staff completion evidence by role, this becomes an immediate gap.

5. Vulnerability Management Evidence
The required evidence is scan results, remediation timelines, and exception handling records. If your last authenticated vulnerability scan was more than 90 days ago, document it now and schedule the next one before submission.

6. Business Continuity Testing
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) must be documented and tested. The test results must be evidenced, not just the objectives themselves.


Why Evidence Management Is the Real Problem

The controls are not the hard part. The evidence is.

Most CISOs at Nigerian banks know what best practice looks like. The operational challenge is that evidence lives across six different systems, owned by four different teams, with no centralised view of what exists, what is current, and what is missing.

CSAT readiness is not a security problem — it is a coordination and documentation problem. The institution that passes CSAT well is not necessarily the most secure institution in the room. It is the institution with the best-organised evidence.

This is precisely why the CBN’s continued emphasis on CSAT as a supervisory tool is logical: it tests institutional discipline, not just security capability.


What Your CISO Must Do in the Next 30 Days

Whether your submission deadline is imminent or your next cycle is later in the year, these steps should be in progress now:

  1. Run a gap assessment against the six controls above. Assign an accountable owner to each gap — not a team, a named individual.
  2. Locate and centralise your evidence. Identify where each piece of required evidence lives and ensure it is accessible in a single review-ready location.
  3. Test your incident response plan. Even a one-hour tabletop exercise generates a report you can evidence. Do it this month.
  4. Audit your third-party register. Cross-reference it against your active vendor contracts. If a vendor is not on the register, it is a finding waiting to happen.
  5. Brief your board or audit committee. CSAT is now a board-level supervisory matter. Your leadership should understand your current rating and your remediation plan.
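
Steps 1 and 4 above as a runnable gap assessment (an added example, not the post's or RiskCanvasIQ's code): it walks a constructed evidence register for the six controls, flags missing or stale evidence and owners that are teams rather than named individuals, and cross-references active vendor contracts against the third-party register. The 90-day scan window is the post's figure; the 365-day cycle for the other controls, the assessment date, the sample names and the "team" heuristic are assumptions.

```python
from datetime import date

# Constructed evidence register for the six controls in the post (sample data,
# not any real institution's). Owner, artifact and date are what an assessor
# asks to see; None marks evidence the institution cannot produce.
EVIDENCE = {
    "Privileged Access Management": dict(owner="A. Okafor", artifact="admin_access_review.xlsx", dated=date(2023, 4, 1)),
    "Incident Response Testing": dict(owner="IT Security Team", artifact=None, dated=None),
    "Third-Party Cyber Risk Assessments": dict(owner="B. Adeyemi", artifact="vendor_assessments.pdf", dated=date(2024, 3, 15)),
    "Security Awareness Training Records": dict(owner="C. Musa", artifact="lms_completion_by_role.csv", dated=date(2024, 5, 20)),
    "Vulnerability Management Evidence": dict(owner="D. Eze", artifact="authenticated_scan.csv", dated=date(2024, 2, 1)),
    "Business Continuity Testing": dict(owner="E. Bello", artifact="dr_test_report.pdf", dated=date(2024, 4, 2)),
}

# Maximum acceptable evidence age in days. The 90-day window for authenticated
# scans is the post's figure; the 365-day cycle for the rest is an assumption.
MAX_AGE_DAYS = {control: 365 for control in EVIDENCE}
MAX_AGE_DAYS["Vulnerability Management Evidence"] = 90

# Constructed assessment date (assumption), used for the ages below.
AS_OF = date(2024, 6, 1)


def assess_gaps(register, as_of, max_age=MAX_AGE_DAYS):
    """Return (control, finding) pairs for every gap an assessor would raise."""
    findings = []
    for control, rec in register.items():
        owner = rec.get("owner") or ""
        # Step 1: the accountable owner must be a named individual, not a team.
        # Heuristic (assumption): any owner string containing 'team' is not a person.
        if not owner or "team" in owner.lower():
            findings.append((control, "no named individual owner"))
        if rec.get("artifact") is None or rec.get("dated") is None:
            findings.append((control, "no evidence artifact on file"))
            continue
        age = (as_of - rec["dated"]).days
        if age > max_age[control]:
            findings.append((control, f"evidence is {age} days old, limit {max_age[control]}"))
    return findings


def unregistered_vendors(active_contracts, third_party_register):
    """Step 4: vendors with active contracts that are missing from the register."""
    return sorted(set(active_contracts) - set(third_party_register))


if __name__ == "__main__":
    for control, finding in assess_gaps(EVIDENCE, AS_OF):
        print(f"GAP  {control}: {finding}")
    contracts = ["CoreBank Vendor Ltd", "PayFin Ltd", "CloudHost Inc"]  # constructed
    register = ["CoreBank Vendor Ltd", "CloudHost Inc"]  # constructed
    for vendor in unregistered_vendors(contracts, register):
        print(f"GAP  Third-party register missing: {vendor}")
```

Each finding is one line an examiner would otherwise raise; feeding the real register and the real contract list in place of the constructed ones turns this into the weekly check the post asks for.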

The Stakes Have Changed

The CBN is not a passive regulator. It has demonstrated a willingness to sanction institutions — including large commercial banks — for compliance failures. CSAT is one of the clearest signals it has about the cyber maturity of the sector it oversees.

Getting this wrong is no longer a missed checkbox. It is a reputational and regulatory event.

Your institution has the framework. It has the controls, at least on paper. The question now is whether the evidence is there when the examiner asks for it.

If you are not certain, find out this week — not next month.


RiskCanvasIQ maps your CSAT readiness in real time, tracks evidence against each control domain, and generates a submission-ready compliance view for your team. Book a demo at RiskCanvasIQ.
