BoG rolls out cybersecurity measures for banks

In an era where financial transactions are increasingly digital and interconnected, the Bank of Ghana has placed cybersecurity at the heart of banking stability with the launch of its revised Cyber and Information Security Directive (CISD) 2026, a move expected to redefine how financial institutions manage risk and protect customer data.

The directive, unveiled in Accra, underscores the critical role of cyber and information security in safeguarding the integrity of Ghana’s banking system, as the country deepens digital financial inclusion through mobile money, cloud computing and artificial intelligence.

Governor of the Bank of Ghana, Johnson Asiama, described the new directive as a fundamental shift in regulatory philosophy, noting that protecting the financial system now goes beyond traditional metrics such as capital adequacy and liquidity.

“The theme ‘A Safer and More Resilient Digital Financial Industry’ is not merely a slogan; it is a commitment we make to every Ghanaian who entrusts their accounts and transactions to this sector,” he said.

He explained that in today’s digital economy, the central bank’s mandate has expanded to include safeguarding the confidentiality, integrity and availability of data that powers financial services.

Over the past decade, innovations such as mobile money, cloud computing and artificial intelligence have transformed Ghana’s financial landscape, extending banking services to millions previously excluded and accelerating economic activity.

However, these gains have also exposed the sector to increasingly sophisticated cyber threats.

From ransomware attacks capable of paralysing banks for days to large-scale data breaches that can erode public confidence, Dr Asiama warned that cybersecurity risks are no longer isolated IT issues but have evolved into matters of national security.

 

From compliance to cyber resilience

The Governor noted that while the original directive introduced in 2018 laid a solid foundation for managing cyber risks, it is no longer sufficient to address the complexities of today’s threat environment.

“A framework designed for the challenges of 2018 cannot adequately solve the problems of 2026,” he said, stressing that the central bank is now moving beyond compliance to a posture of active and collective cyber resilience.

This shift is backed by the Cybersecurity Act, 2020 (Act 1038), which designates the Bank of Ghana’s Financial Industry Command Security Operations Centre (FICSOC) as the sectoral Computer Emergency Response Team (CERT) for the financial industry.

Under this mandate, the central bank is expected to play a more proactive role in defending and coordinating responses to cyber threats across the sector.

 

Key pillars of the 2026 directive

The revised CISD is built on strong governance, accountability and proactive defence, and introduces several innovations aimed at future-proofing Ghana’s financial system.

A major highlight is the introduction of a comprehensive governance framework for artificial intelligence and machine learning systems.

With banks increasingly deploying AI for fraud detection, credit scoring and customer service, the directive seeks to ensure that these systems are transparent, secure and fair.

The directive also sets clear rules for cloud computing, emphasising that while cloud adoption is essential for modern banking, it must be done within strict regulatory boundaries.

In line with the Data Protection Act, 2012 (Act 843) and the Cybersecurity Act, sensitive financial data must remain within Ghana’s territorial borders, with only non-critical services permitted in the cloud under controlled conditions.

Another key innovation is the introduction of a proportionality framework, which tailors cybersecurity requirements to the size and risk profile of financial institutions.

This ensures that smaller institutions such as rural banks and microfinance companies are not overburdened, while still maintaining robust security standards.

 

Boardrooms now accountable for cyber risk

In a significant governance shift, the directive mandates that at least one member of the board of every regulated financial institution must possess verifiable expertise in cyber risk management.

According to Dr Asiama, this requirement elevates cybersecurity from a technical issue to a strategic business priority, ensuring that critical decisions are taken at the highest level of leadership.

“Security is no longer just an IT problem; it is a strategic business risk,” he stressed.

 

Expanding protection across the financial ecosystem

The Bank of Ghana is also expanding the scope of cybersecurity oversight to cover the entire financial ecosystem, including savings and loans companies, microfinance institutions, fintech firms and other stakeholders.

This move, the Governor said, is aimed at eliminating weak links within the system, as cyber threats often exploit vulnerabilities in smaller or less secure institutions.

To support this effort, the central bank is strengthening the Financial Industry Command Security Operations Centre as a unified “nerve centre” for cyber defence.

However, Dr Asiama indicated that sustaining such a sophisticated system would require shared responsibility across the industry, including financial contributions from participating institutions to ensure continuous upgrades, skilled personnel and 24/7 operational readiness.

 

Cybersecurity as national and economic priority

First Deputy Governor, Zakari Mumuni, reinforced the urgency of the directive, noting that cyber incidents are no longer distant possibilities but constant realities.

“In today’s interconnected world, cybersecurity is not just a technical issue; it is a matter of national and economic security,” he said.

He explained that the revised directive responds to rapid digital transformation, increased reliance on third-party technologies, the growing sophistication of cyber threats and emerging risks associated with artificial intelligence and data ecosystems.

Dr Mumuni emphasised that the success of the directive depends on collective responsibility, with all stakeholders—from regulators and banks to fintechs and service providers—playing a role in safeguarding the system.

Building trust in a digital future

The Bank of Ghana believes that the long-term success of Ghana’s digital financial ecosystem will depend on three critical pillars: talent, technology and trust.

As the country moves towards emerging frontiers such as open banking and quantum computing, the central bank is positioning cybersecurity as the foundation upon which future innovations must be built.

Dr Asiama urged stakeholders to embrace the directive not merely as a compliance requirement, but as a strategic imperative for business sustainability and national development.

The launch of the CISD 2026 marks a decisive step in strengthening Ghana’s financial system against evolving cyber threats, reinforcing public confidence and ensuring that the benefits of digital innovation are not undermined by vulnerabilities in security.
