The Bank of Ghana (BoG) has launched the revised Cyber and Information Security Directive (2026), a framework to strengthen efforts towards building a more resilient digital financial ecosystem and protecting customers against increasing threats.
Its key pillars include strong governance structures, Artificial Intelligence and machine learning governance, cloud computing security, and a proportionality framework, emphasising board-level oversight and expertise in cyber risk management.
Unlike the previous directive that focused on universal banks, the new one would expand the Financial Industry Command Security Operations Centre’s (FICSOC) work to actively onboard all savings and loans companies, microfinance institutions, fintechs, and partner regulators.
The launch of the directive in Accra on Wednesday, an upgrade of the 2018 framework, was attended by senior government officials, banking executives, financial technology (fintech) operators, and regulators.
Julius Debrah, the Chief of Staff, who launched the directive, said the framework was not merely a technical document, but a cornerstone of economic sovereignty and protecting the country’s financial systems.
“Today is not only about a directive or a new centre (FICSOC) – it is about safeguarding trust, strengthening resilience, and preparing our country for the demands of a digital future,” he stated.
He said the financial sector’s centrality to national life, spanning businesses, investments, public confidence, and everyday economic activity, made its security a non-negotiable priority.
He noted that as financial systems grew increasingly technology-driven, cyber risk must be elevated from a narrow information and technology concern to a core pillar of economic stability and national preparedness.
The Chief of Staff called for shared responsibility across the sector to ensure cyber resilience, saying: “regulators must lead, national institutions must invest, and leadership across the sector must treat cyber risk as a strategic issue.”
Debrah commended the Bank of Ghana for the leadership shown in advancing the directive and commissioning the operations centre, noting that the governance standards and monitoring capabilities those instruments introduced were the kind of institutional commitment needed to build a modern and trusted financial system.
Dr Johnson Pandit Asiama, Governor of the Bank of Ghana, said the new directive had been designed to move Ghana’s financial sector from compliance to active cyber resilience, embedding security into governance, operations, and institutional culture.
He explained that while the 2018 directive provided a foundation, it could no longer adequately solve modern problems in the financial and technology landscape, saying the new directive would ensure fair, transparent, and secure systems.
On cloud computing, the Governor said the directive did not endorse the wholesale migration of core systems or sensitive data to the cloud but invoked Cybersecurity Act 2020 and the Data Protection Act 2012, to ensure that only non-sensitive front-end services may be hosted in the cloud.
Governor Asiama noted the proportionality framework of the directive, making cybersecurity requirements according to an institution’s size and risk profile, ensuring that a small rural bank was not held to the same standard as a large multinational.
On governance and accountability, he said at the board-level, at least one board member of every regulated institution must possess verifiable expertise in cyber risk management to ensure that security decisions were made at the level where strategic choices were taken.
Samuel Nartey George, the Minister of Communications, Digital Technology and Innovations, praised the ideological shift among banks, noting with approval that financial institutions no longer recognised technology merely as an enabler but as the business itself.
He singled out the Central Bank as one of the best-performing sectoral Computer Emergency Response Teams in the country, while highlighting gaps, including many fintechs not yet onboarded onto the FISOC platform.
George announced that the Ministry was reviewing and updating its systems to make all Payment Service Provider licence holders to be designated as Critical Information Infrastructure – a step to strengthen Bank of Ghana’s enforcement hand in compelling compliance.
On data sovereignty, the Minister pointed to the escalating geopolitical and military targeting of technology infrastructure worldwide as justification for keeping critical financial data onshore.
“If you are a bank using a data centre somewhere in the Gulf, and a drone took out that data centre today, you need resilience locally to ensure business continuity and disaster recovery,” he said, referencing the Iran-US-Israel conflict as an illustration of information infrastructure becoming a centre of geopolitical competition.
Copyright © 1994 - 2026 GhanaWeb. All rights reserved.
