New Cybersecurity Rules For Banks


Saturday, September 21, 2019 / 10:49AM / Contributed by Hogan Lovells BSTL SC to ILO




On 27 November 2018 the Ministry of Finance and Public Credit published a resolution modifying the general regulations that apply to banks in the Official Gazette. The resolution responds to the need to strengthen the regulatory framework applicable to banks, particularly with regard to cybersecurity and technological infrastructure. The changes aim to ensure that banks possess the tools necessary to respond to cyberattacks and other risks that could affect their operations. The resolution also aims to guarantee the confidentiality, integrity and availability of customer information.




Under the original regulations, a 'cybersecurity incident' was broadly defined as an event in which:

  • an institution's technological infrastructure was breached or put at risk; or
  • a bank's cybersecurity policies were violated.


The resolution has amended the definition of 'users' sensitive information'. This is now defined as any information that identifies an individual, including their name, address, phone number and email address. In addition, it includes:

  • an individual's:
    • bank card number;
    • bank account number;
    • credit limit;
    • bank balance; and
    • bank username and other authentication information; and
  • other data of a financial nature.


Technological infrastructure


The resolution has strengthened the regulations with regard to banks' technological infrastructure. For example, the amended regulations establish that any mechanism that allows for the creation of a fingerprint or other biometric database must first be approved by the bank's board of directors.


Further, new requirements regarding banks' technological infrastructure have been established. As regards non-discretionary quantifiable risks, a bank's risk committee must approve a system that classifies the bank's vulnerability to cybersecurity risks in terms of:

  • criticality;
  • probability of occurrence; and
  • impact.


Likewise, risk committees must establish and implement policies and procedures for classifying and treating information based on the implied risk of the information's security being breached for each of the bank's specific business units and other operational areas.


The CEO of a bank is now responsible for protecting its integrity and maintaining its technological infrastructure. CEOs must also oversee automated data protection systems and notify the National Banking and Securities Commission of any operational incidents which last more than one hour and:

  • constitute a failure in the technological infrastructure that supports the bank's branch or electronic banking services;
  • affect the critical components of said infrastructure (where the bank's business continuity plan has been fully or partially activated); and
  • affect 30% of the bank's branches, ATMs, point-of-sale terminals or the technological infrastructure of its commission agents' points of service.


The notification must be made within one hour of discovering the incident.


Information security


A new section entitled "Information Security" has been added to the regulations. It establishes that CEOs are responsible for the implementation of an internal cybersecurity control system and provides a set of obligations in this regard.


CEOs must designate a chief information security officer (CISO) who will directly report to them. CISOs will be responsible for cybersecurity and responding to any requirements set out by the legal authorities or the bank.


Cybersecurity incidents


Where a cybersecurity incident specified in the resolution occurs and the notification requirements are triggered, the CEO must immediately inform the National Banking and Securities Commission of the incident and undertake an investigation into the cause. The CEO must also implement a plan regarding the actions to be taken to eliminate or mitigate the risks and vulnerabilities that led to the incident. Even if there is no requirement for the bank to notify the commission, it must maintain all of the records relating to the incident which are at its disposal.


In the case of a cybersecurity incident involving sensitive information in the possession of a bank or a third party that renders services thereto, the CEO or the person designated thereby must notify the bank's clients of the possible loss, extraction, alteration or unauthorised access of their information. The notification must be made within 48 hours of the incident's occurrence or the bank becoming aware of it.


Banks must maintain a database registry of incidents, failures or detected vulnerabilities in their technological infrastructure. This information must be backed up and kept for at least 10 years.




Although the resolution came into effect on 28 November 2018, different entry-into-force dates were established for the various obligations it sets out.



Proshare Nigeria Pvt. Ltd.

For further information on this topic please contact Federico De Noriega, Ana Rumualdo or David Amado at Hogan Lovells BSTL by email (ana.rumualdo@hoganlovells.com).






The article "New cybersecurity rules for banks" first appeared in ILO Banking on Jan 18, 2019.

