Accra, March 27, – The Bank of Ghana (BoG) has introduced the revised Cyber and Information Security Directive (2026) to reinforce the protection of Ghana’s digital financial space and strengthen resilience against growing cyber threats.
The directive outlines key policy areas including governance and oversight structures, artificial intelligence and machine learning governance, cloud computing security, and a proportionality framework, with emphasis on board-level responsibility for cyber risk management.
The new framework expands the scope of the Financial Industry Command Security Operations Centre (FICSOC), which previously focused mainly on universal banks, to include savings and loans companies, microfinance institutions, fintech firms, and partner regulatory bodies.
The directive, launched in Accra on Wednesday, updates the 2018 framework and brought together senior government officials, regulators, banking executives, and financial technology operators.
Mr Julius Debrah, the Chief of Staff, who launched the directive, described it as more than a regulatory document, stating that it represented a critical component of economic sovereignty and national financial protection.
He said safeguarding the financial sector was essential because of its role in business activity, investments, and public confidence, stressing that cyber risk must be treated as a strategic national issue rather than only a technical concern.
He called for collective responsibility across the financial sector, urging regulators, financial institutions, and national agencies to prioritise cyber resilience and invest in robust protection systems.
Dr Johnson Pandit Asiama, Governor of the Bank of Ghana, explained that the revised directive was intended to shift institutions from a compliance-based approach to a proactive cyber resilience model, where security would be embedded into governance systems and operational structures.
He noted that although the 2018 directive laid a foundation, evolving technology and digital finance risks required a more comprehensive and modern framework to ensure secure and transparent financial systems.
On cloud computing, the Governor clarified that the directive did not support the full migration of core banking systems and sensitive data onto cloud platforms, citing the Cybersecurity Act, 2020 and the Data Protection Act, 2012, which require that sensitive financial data remain protected, with only non-sensitive services permitted on cloud platforms.
He said the proportionality principle within the directive meant cybersecurity requirements would be applied based on the size and risk exposure of institutions, ensuring fairness in regulatory compliance.
Dr Asiama further stated that under the new governance requirements, each regulated financial institution must have at least one board member with proven expertise in cyber risk management to strengthen oversight at the highest decision-making level.
Mr Samuel Nartey George, Minister of Communications, Digital Technology and Innovations, commended the banking sector for recognising technology as central to financial services delivery rather than merely a support function.
He noted that although the Bank of Ghana’s Computer Emergency Response Team remained one of the strongest among sectoral response units, gaps still existed, particularly with some fintech companies not yet integrated into the FICSOC platform.
The Minister announced that the Government was reviewing policies to classify all Payment Service Provider licence holders as Critical Information Infrastructure, a move expected to strengthen regulatory enforcement and cybersecurity compliance.
Touching on data sovereignty, he emphasised the importance of maintaining critical financial data within national borders, citing global geopolitical tensions and attacks on technology infrastructure as risks to offshore data hosting.
He said local data infrastructure was essential for business continuity and disaster recovery in the event of international disruptions affecting foreign data centres.
GHBUSS
27 March 2026
No comments:
Post a Comment