Compliance with the Bank of Ghana Cyber & Information Security Directive

By 0
Compliance with the Bank of Ghana Cyber & Information Security Directive


Cybersecurity Ventures in its 2019 Official Annual Cybercrime Report, mentions that Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades. It also predicts that cybercrime will cost the world in excess of $6 trillion annually by 2021.

Cybercrimes and information Security (InfoSec) breaches are on the ascendancy in recent times and Financial Institutions (FIs) are under a great threat. Their impacts on FIs are severe in terms of reputational damage, direct and indirect loss. FIs are prone to higher cyber risk than other industries. Most Cyber-attacks are targeted at FIs, because the motive of most cyber criminals is to gain financial advantage or to frustrate customers. FIs must therefore pay attention to the security of their IT infrastructure.

It is highly commendable that the Bank of Ghana (BOG) came up with the Cyber & Information Security Directive (CISD) in October 2018 to help protect FIs from cyber-attacks and InfoSec breaches.

The BOG Cyber & Information Security Directive

The Bank of Ghana Cyber & Information Security Directive “Provides a framework for establishing Cyber and Information Security protocols and procedures for; routine and emergency scenarios, delegation of responsibilities, inter- and intra-company communication and cooperation, coordination with government authorities, establishment of reporting mechanisms, physical security measures for IT Datacentres and Control Rooms, and assurance of data and network security.”

The Directive was effective in January, 2019 and applies to all regulated financial institutions licensed or registered under the Banks & Specialised Deposit Taking Institutions Act, 2016 (Act 930) and any other entity regulated by the BOG under any other enactment. It also applies to Ghanaian banks and their international affiliates and Ghanaian affiliates of international banks.

It contains 20 different parts (Part I to XX) and specifies timelines (Between 6 to 36 months) for implementing Part I to XVI of the Directive.

Previous BOG Directive

A letter (Reference FSD/ICRO/ALL BANKS/BO/2016) from BOG, dated 13th June 2016 and titled “Recommendations to mitigate the occurrence of fraud in the banking industry”, instructed all commercial banks in Ghana to put in place a list of mandatory remedial measures by September 30, 2016 to help eliminate or minimize the occurrences of fraud in the banking industry.

It was expected that; all the mandatory measures would have been implemented by the stipulated deadline. However, as I write this article, less than 35% of the 23 banks in Ghana have fully complied with this Directive after over 2 years of the deadline.

The good news however is, the Cyber & Information Security Directive captures some of the mandatory remedial measures stated in the 2016 Directive.

My prayer and hope is that; the BOG’s Cyber & Information Security Directive does not end up like the 2016 Directive. The BOG needs to strictly monitor adherence to the implementation schedule and crack the whip when the need be. Aside ensuring compliance with the timelines, appropriate assessments need to be conducted to confirm that the Directive is well implemented.

Panacea to Compliance

After scrutinizing the 131 page Cyber & Information Security Directive, I come to a firm conclusion that, the panacea to compliance with the Directive is the adoption of ISO 27032 and ISO 27035, and the implementation of PCI DSS (Payment Card Industry Data Security Standard) & ISO 27001 standards. These standards are already yielding results as evident in section 6.10 of BOG’s 2017 Payment Systems Oversight Annual report; “Security certifications such as ISO 27001 and PCI DSS assisted in promoting a robust and resilient operational environment”

The implementation of these standards in addition to the other requirements of the Directive will ensure full compliance by FIs.


It is in the utmost interest of FIs and their customers that this Directive was issued. Hence, FIs should do their best to ensure strict compliance to help secure their investments and information and that of their customers.  

Colossal amounts of money and efforts are needed to get the Directive fully implemented hence, this may be a hindrance to some FIs. FIs therefore need to devise strategies that can help them implement the Directive at a minimal cost and effort.

In order to realize the objectives of the Directive, the BOG should go all out to ensure strict adherence. BOG should perform regular monitoring and assessment of the implementation to ensure conformity. This will help safeguard FIs and increase customer confidence in the financial sector.


Sherrif Issah – (Member: Institute of ICT Professionals, Ghana; Consultant @ Digital Jewels Ltd.)

For comments, contact author  Mobile: +233243835912