The Bank of Ghana has launched a revised Cyber and Information Security Directive (CISD) 2026, marking a shift toward stricter oversight of digital risks as financial services become increasingly technology-driven.
Unveiled at a high-level event in Accra, the framework broadens regulatory focus from traditional banking supervision to protecting the data infrastructure underpinning the economy, as cyber threats grow in scale and sophistication.
Governor Johnson Pandit Asiama said the move reflects lessons from earlier efforts dating back to 2018, warning that risks have evolved beyond isolated IT disruptions into systemic threats.
“We are no longer just supervising capital adequacy ratios or liquidity positions of financial institutions,” Asiama said. “We are now, more than ever, safeguarding the confidentiality, the integrity and the availability of the data that powers our economy.”
The directive comes amid rapid expansion in digital financial services, driven by mobile money, cloud computing and artificial intelligence. While these innovations have deepened financial inclusion, they have also “invited sophisticated and persistent information security risks,” including ransomware attacks and large-scale data breaches, which Asiama described as “national security concerns.”
The updated framework introduces governance rules for artificial intelligence and machine learning, aimed at ensuring systems used in fraud detection, credit scoring and customer service are “fair, they are transparent, and they are secure.” It also imposes stricter controls on cloud adoption, requiring sensitive financial and personal data to remain within Ghana’s borders in line with the Data Protection Act 2012 and the Cybersecurity Act 2020.
Only non-sensitive front-end services may be hosted in the cloud, subject to regulatory approval and risk-based safeguards.
A central pillar of the directive is strengthened governance and accountability. Financial institutions are now required to include at least one board member with verifiable expertise in cyber risk management, elevating oversight to the highest level of decision-making. The framework also adopts a proportional approach, scaling requirements based on the size and risk profile of institutions.
The directive expands coverage beyond banks to include savings and loans companies, microfinance institutions and fintech firms, reflecting concerns that vulnerabilities in any part of the ecosystem could expose the entire system.
A key operational component is the enhanced role of the Financial Industry Command Security Operations Center (FICSOC), designated under law as the sector’s Computer Emergency Response Team. The central bank said the facility will serve as a coordinated hub for monitoring and responding to cyber incidents across the financial industry.
To sustain 24-hour operations, the Bank of Ghana is developing a shared services model that distributes costs across participating institutions while ensuring continued investment in infrastructure, technology and skilled personnel.
“As a central bank, we are ready to lead,” Asiama said, describing cybersecurity as “a continuous journey of vigilance and adaptation.”
He added that as the sector moves toward developments such as open banking and quantum computing, resilience will depend on “talent, technology, and trust,” positioning the directive as a core element of financial sector strategy rather than a compliance exercise.
The move underscores regulators’ growing emphasis on digital resilience, as policymakers seek to balance innovation with safeguards to protect consumer trust and maintain stability in increasingly interconnected financial systems.
