BoG Rolls Out New Cybersecurity Directive to Strengthen Banking Sector Defences

The Bank of Ghana (BoG) has launched a revised Cyber and Information Security Directive (CISD) 2026, introducing tougher cybersecurity standards aimed at strengthening the resilience of the country’s banking and financial sector amid rising digital threats.

Unveiled in Accra, the directive places cybersecurity at the core of financial stability, as Ghana’s banking industry continues to expand digital services such as mobile money, cloud computing, and artificial intelligence-driven platforms.

Governor of the Bank of Ghana, Dr Johnson Asiama, described the directive as a major shift in regulatory thinking, stressing that financial stability now extends beyond traditional indicators such as capital adequacy and liquidity.

“The theme ‘A Safer and More Resilient Digital Financial Industry’ is not just a slogan; it is a commitment to every Ghanaian who trusts this financial system,” he said.

He noted that the central bank’s mandate has evolved to include safeguarding the confidentiality, integrity, and availability of financial data in an increasingly digital economy.

Rising cyber risks in a digital financial era

Dr Asiama warned that while digital innovation has expanded financial inclusion and improved efficiency, it has also exposed the sector to more complex cyber threats, including ransomware attacks and large-scale data breaches.

He cautioned that such threats are no longer mere IT concerns but have become issues of national security with the potential to disrupt financial stability and erode public confidence.

Shift from compliance to resilience

The Governor explained that the 2018 version of the directive is no longer sufficient to address today’s evolving cyber landscape, necessitating a stronger, resilience-driven framework.

“A framework designed for 2018 cannot adequately address the realities of 2026,” he said, adding that the new approach prioritises proactive defence and collective responsibility across the financial ecosystem.

The directive is backed by the Cybersecurity Act, 2020 (Act 1038), which empowers the Bank of Ghana’s Financial Industry Command Security Operations Centre (FICSOC) to function as the sector’s Computer Emergency Response Team (CERT).

New rules for AI, cloud, and governance

The CISD 2026 introduces a comprehensive governance framework for artificial intelligence and machine learning systems, ensuring transparency, security, and fairness in their use for services such as fraud detection and credit scoring.

It also establishes stricter rules for cloud computing, requiring that sensitive financial data remain within Ghana’s jurisdiction in line with the Data Protection Act, 2012 (Act 843), while allowing limited non-sensitive services under controlled conditions.

In addition, a proportionality framework has been introduced to tailor cybersecurity requirements based on the size and risk profile of institutions, ensuring smaller banks and microfinance firms are not overburdened.

Board-level accountability introduced

A key reform in the directive requires that at least one board member of every regulated financial institution must have proven expertise in cybersecurity and cyber risk management.

Dr Asiama said this measure elevates cybersecurity from a technical function to a strategic governance issue at the highest level of decision-making. “Security is no longer just an IT issue; it is a strategic business risk,” he stressed.

Expanding oversight across the financial ecosystem

The directive extends cybersecurity oversight to include banks, fintech companies, savings and loans institutions, and microfinance operators, aimed at closing vulnerabilities across the financial value chain.

BoG also plans to strengthen the FICSOC as a central coordination hub for cyber defence, supported by shared funding from industry players to ensure 24/7 monitoring and rapid incident response.

Cybersecurity as national priority

First Deputy Governor, Dr Zakari Mumuni, emphasised that cyber threats are now constant and evolving, requiring collective vigilance across the financial sector.

He said the directive responds to rapid digital transformation, growing reliance on third-party systems, and emerging risks linked to artificial intelligence and interconnected data systems.

“Cybersecurity is not just a technical issue; it is a matter of national and economic security,” he stated.

Building trust in a digital future

The Bank of Ghana says the success of Ghana’s digital financial ecosystem will depend on three pillars: talent, technology, and trust.

As the country advances toward innovations such as open banking and emerging digital systems, the central bank is positioning cybersecurity as the foundation for sustainable growth.

READ ALSO: MTN Unveils Landmark 500-Cell Site Expansion to Boost Nationwide Connectivity

Dr Asiama urged stakeholders to view the directive not merely as a compliance requirement, but as a strategic necessity for protecting the future of Ghana’s financial system.

The launch of CISD 2026 marks a significant step in reinforcing confidence, strengthening resilience, and safeguarding Ghana’s rapidly evolving digital financial landscape.