The Bank of Ghana has introduced a revised Cyber and Information Security Directive (CISD), extending regulatory coverage beyond banks to include fintechs, microfinance institutions and other financial sector players as it shifts toward a system-wide approach to managing cyber risk.
At the CISD launch, Governor Dr Johnson Pandit Asiama said the directive reflects a transition from traditional financial supervision to safeguarding the integrity of data and digital infrastructure underpinning the economy.
He described cyber threats as no longer isolated IT incidents but “national security concerns”, citing risks such as ransomware attacks and systemic data breaches that can disrupt operations and erode public confidence.
The updated framework replaces the 2018 directive, which the central bank said is no longer adequate for current risks. It introduces a model of “active and collective cyber resilience”, supported by the Financial Industry Command Security Operations Centre (FICSOC) – designated under the Cybersecurity Act, 2020 (Act 1038) as the sector’s Computer Emergency Response Team.
Key provisions include new governance standards for artificial intelligence and machine learning systems used in fraud detection and credit scoring, aimed at ensuring transparency and security in automated decision-making.
The directive also sets stricter conditions for cloud adoption, limiting the hosting of sensitive financial data outside Ghana in line with data sovereignty requirements under existing legislation.
“Only non-sensitive, front-end services may be hosted in the cloud; and even then, only through a risk-based, approved and tightly controlled framework,” Dr Asiama said.
He noted that core systems and critical data must remain within national borders.
The central bank has also introduced a proportionality framework that scales compliance requirements based on the size and risk profile of institutions, alongside a new mandate requiring at least one board member to have verifiable expertise in cyber risk management. This is intended to elevate cybersecurity from a technical function to a strategic governance issue.
In a further shift, the directive expands participation in sector-wide monitoring and response systems to include savings and loans companies, fintech firms and other non-bank institutions, with the aim of reducing vulnerabilities across the financial ecosystem.
“A financial ecosystem is only as strong as its weakest link,” the Governor said.
To support implementation, the Bank of Ghana is developing a shared services model to fund and sustain FICSOC operations, signalling potential cost-sharing obligations for regulated entities.
Chief of Staff Julius Debrah said the directive positions cybersecurity as integral to economic stability, noting that “innovation without protection creates vulnerability”.
He added that building resilience requires coordinated action across regulators and industry participants.
This revised policy underscores the increasing linkage between financial stability and digital infrastructure as the country deepens its shift toward a technology-driven financial system.