The Bank of Ghana has unveiled a revised Cyber and Information Security Directive (CISD 2026), built around six strategic pillars aimed at protecting the country’s financial sector from growing digital and cybersecurity threats.
The new directive is intended to strengthen cybersecurity governance, improve risk management and ensure a safer and more resilient digital financial ecosystem.
At the launch of the directive, the Governor of the Bank of Ghana,
Johnson Asiama
said the new framework goes beyond regulatory compliance and represents a commitment to protecting individuals and businesses that entrust their financial data to the banking and financial sector.
He explained that the rapid digital transformation in the financial sector has brought convenience and innovation but has also exposed institutions to sophisticated cyber threats such as ransomware attacks and large-scale data breaches, which could undermine public confidence and threaten national security.
According to him, the first cybersecurity directive introduced in 2018 laid the foundation for digital security in the financial sector, but the evolving nature of cyber threats made it necessary to review and strengthen the framework to address current and future risks.
He noted that the country has now moved beyond basic compliance to a system focused on active and collective cyber resilience across the financial sector.
Six Key Pillars of the New Directive
The Cyber and Information Security Directive (CISD 2026) is built around six key pillars designed to strengthen the financial sector’s defence against cyber threats.
The first pillar focuses on Artificial Intelligence and Machine Learning Governance, which seeks to ensure transparency, fairness and security as financial institutions increasingly use AI for fraud detection, credit scoring and customer service.
The second pillar is Cloud Computing Security, which promotes responsible and risk-based adoption of cloud technologies while ensuring data sovereignty and protection of sensitive financial information.
The third pillar, the Proportionality Framework, is designed to tailor cybersecurity requirements to the size and risk profile of financial institutions, ensuring that smaller banks and fintech companies are not overburdened by regulatory requirements.
Another key pillar is Board-Level Accountability, which requires financial institutions to have at least one board member with verified cybersecurity risk expertise to ensure that cyber risk management becomes a top-level strategic issue.
The directive also introduces Inclusive Oversight, expanding cybersecurity regulation beyond universal banks to include microfinance institutions, savings and loans companies, fintech firms and partner regulators to create a unified cybersecurity defence system across the financial sector.
The final pillar focuses on Proactive Defence and Preparedness, aimed at strengthening systems to anticipate, prevent and respond quickly to emerging cyber threats.
The Governor also highlighted the importance of the Financial Industry Command Security Operations Centre, noting that building and maintaining such a national cybersecurity infrastructure requires significant investment in technology, infrastructure and skilled personnel, with the Bank of Ghana bearing the initial cost of establishing the system.
The new directive is expected to significantly strengthen cybersecurity resilience within Ghana’s financial sector as digital banking and financial technology services continue to expand.