BoG outlines 6-point strategy to combat cybersecurity threats to banks

Cyber attacks on financial institutions can no longer be treated as routine technical problems, according to Bank of Ghana Governor Dr Johnson Asiama, who says the scale and sophistication of the threat now place it firmly in the realm of national security.

He made the remarks as the central bank unveiled a revised Cyber and Information Security Directive for 2026, a new framework intended to strengthen the country’s digital financial system against emerging risks.

Presenting the directive, Dr Asiama said the central bank’s objective goes beyond regulatory enforcement. In his words, the updated regime is meant to protect every individual and business that places its trust, money and data in the financial sector.

The Bank of Ghana says the revised framework is anchored on six strategic pillars and marks a shift from a compliance-driven model to one focused on active resilience and sector-wide preparedness.

At the heart of the directive is a push for stronger governance, clearer lines of responsibility and more forward-looking defence mechanisms as banks, fintechs and other financial institutions become more digitally interconnected.

Dr Asiama said the previous directive, introduced in 2018, had laid an important foundation but could no longer adequately respond to present-day threats. He pointed to dangers such as ransomware attacks capable of crippling a bank’s operations for days and major data breaches that can instantly destroy public confidence.

Under the new framework, one pillar focuses on the governance of artificial intelligence and machine learning, with the central bank seeking safeguards around transparency, fairness and security as those tools become more common in fraud detection, lending decisions and customer support.

Another pillar addresses cloud computing, encouraging financial institutions to adopt cloud technologies in a controlled and risk-sensitive way while preserving sovereignty over sensitive financial data.

The directive also introduces a proportional approach to regulation, meaning cyber obligations will be adjusted according to the size and risk exposure of each institution. The idea is to avoid placing disproportionate burdens on smaller banks, microfinance firms and fintech operators.

A further reform places cyber oversight squarely at board level. Financial institutions will now be required to have at least one board member with verified expertise in cyber risk, ensuring that information security becomes a strategic issue rather than a narrow technical function.

The revised framework also widens regulatory coverage. It extends beyond universal banks to include savings and loans companies, microfinance institutions, fintechs and relevant partner regulators, in what the Bank of Ghana describes as a more unified approach to sector defence.

Preparedness is another major theme. The central bank says the directive is designed not only to help institutions react to attacks, but to improve their ability to anticipate and prevent them before damage is done.

Dr Asiama also stressed the cost and complexity of building a credible national cyber defence architecture. He said the Financial Industry Command Security Operations Centre, known as FICSOC, required substantial investment in infrastructure, advanced systems and specialist personnel, with the Bank of Ghana carrying the initial burden of establishing that capability.

Taken together, the directive signals a more assertive regulatory stance, with the central bank positioning cybersecurity as a core part of financial stability and institutional trust.