BoG Launches Revised Cyber and Information Security Directive to Bolster Financial Sector Resilience
The Bank of Ghana (BoG) has officially launched its revised Cyber and Information Security Directive (CISD) 2026, introducing a comprehensive regulatory framework aimed at strengthening the resilience of Ghana’s increasingly digitised financial ecosystem.
Governor of the Bank of Ghana, Dr Johnson Pandit Asiama, speaking at the launch in Accra on March 25, described the directive as a critical step in safeguarding the integrity of the country’s financial system amid rising cyber threats.
“The theme for this launch, ‘A Safer and More Resilient Digital Financial Industry’, is not merely a slogan; it is the central pillar of our regulatory philosophy and a commitment we make to every Ghanaian,” he stated.
According to the Governor, the evolution of financial technologies such as mobile money, cloud computing and artificial intelligence has significantly enhanced financial inclusion and efficiency, but has also exposed the sector to increasingly sophisticated cyber risks.
“These threats are no longer just isolated IT incidents; they are national security concerns,” he cautioned, citing risks ranging from ransomware attacks to large-scale data breaches.
Shift from compliance to cyber resilience
Dr Asiama noted that while the initial cybersecurity directive introduced in 2018 laid the foundation for digital risk management, the current threat landscape necessitated a more proactive and adaptive approach.
“We have moved beyond simple compliance toward a posture of active and collective cyber resilience,” he said.
The revised directive is underpinned by provisions of the Cybersecurity Act, 2020 (Act 1038), which designates the Bank of Ghana’s Financial Industry Command Security Operations Centre (FICSOC) as the sectoral Computer Emergency Response Team (CERT) for the financial industry.
This designation, the Governor explained, expands the central bank’s role from a passive regulator to an active coordinator of cybersecurity defence across the sector.
Key reforms under CISD 2026
The CISD 2026 introduces several policy innovations aimed at addressing emerging risks and aligning industry practices with global standards.
Among the key provisions is the introduction of a governance framework for artificial intelligence and machine learning systems used in financial services, ensuring such technologies are “fair, transparent, and secure.”
On cloud adoption, the directive allows for the use of cloud infrastructure for non-sensitive operations under a tightly controlled, risk-based framework, while mandating that sensitive financial data remains within Ghana’s jurisdiction in line with data sovereignty requirements.
“The physical location of databases containing personal and financial information must remain within the territorial boundaries of Ghana,” Dr Asiama emphasised.
The directive also introduces a proportionality framework, allowing regulatory requirements to be scaled based on the size and risk profile of institutions, as well as mandating cybersecurity expertise at the board level to elevate oversight and accountability.
Additionally, regulatory coverage has been expanded beyond universal banks to include other financial institutions, fintechs and relevant sector players, in a move to strengthen system-wide resilience.
Financing sector-wide cyber defence
The Governor disclosed that the central bank is developing a shared services funding model to sustain the operations of FICSOC, which serves as the nerve centre for the sector’s cybersecurity infrastructure.
“To ensure sustainability, continuous upgrade, and 24/7 operational effectiveness, we must move toward a model of shared responsibility,” he noted.
The proposed model, he added, will be structured to ensure transparency, fairness and value for participating institutions.
Industry urged to embed cybersecurity in strategy
Dr Asiama urged financial institutions to treat cybersecurity not merely as a regulatory obligation but as a core component of business strategy.
“Cybersecurity is not a destination; it is a continuous journey of vigilance and adaptation,” he stated, adding that future resilience will depend on investments in talent, technology and trust.
He reiterated the Bank of Ghana’s commitment to working collaboratively with industry stakeholders to build a secure, resilient and trusted digital financial system.
“This Directive is more than a set of rules to be complied with; it is a collective pact to protect the digital soul of our economy,” he concluded.
