Before a Nigerian bank board approves a core system migration, four questions can predict whether the programme will deliver zero downtime or trigger a regulatory event. Most boards approve migrations without asking any of them.
That is the gap the CBN’s Risk-Based Cybersecurity Framework has made visible. Since the framework came into force on 1 July 2024, unplanned IT outages in regulated institutions are reportable to the CBN within 24 hours, surface in the quarterly board cyber risk return, and feed the annual self-assessment due 28 February. The framework did not invent the operational risk. It changed who answers for it.
The cost of approving migrations without those four questions is documented. In Q4 2024, three Nigerian banks attempted core migrations in the same fortnight. Zenith Bank lost service for more than 48 hours during its Phoenix-to-Oracle Flexcube cutover. GTBank’s move to Finacle disrupted 32.8 million customers for close to
This post was originally published on this site.
