The Bank of Ghana (BOG) has issued the Cyber and Information Security Directive to solicit comments and inputs from the banking industry and the general public.

This is in line with the Bank of Ghana’s Procedures for the Issuance of Directives, 2020.

In light of this, the Exposure Draft shall be made available on the BOG’s website at www.bog.gov.gh for a period of not less than 14 days from the date of the publication of the Exposure Draft, for comments.

In a publication, the Central Bank said all comments should be sent to the Bank of Ghana via email at information.security@bog.gov.gh by 30 September 2025.

Accordingly, the Bank of Ghana shall consider all material comments received and provide a written explanation for comments that were incorporated into the final directive or otherwise.

The objective of this Directive is to create a secure digital environment for the financial services industry, fostering trust and confidence in ICT systems and ensuring the integrity of transactions conducted within the cyberspace; create an assurance framework for design of security policies and for promotion of compliance to global security standards and best practices by way of cyber and information security assessment, amongst others.

Governance

For governance, the Board of Regulated Financia Institutions (RFIs) are responsible to determine the RFI's cyber and information security risk management strategy, approve institutional policies of cyber and information security, outsourcing, survivability, backup and recovery from cyber incidents and attacks, and disaster events, and others.

Secondly, the Senior Management of a RFI shall create the institutional framework for cyber and information security risk management and oversee its implementation and maintenance, formulate institutional policies about cyber and information security, outsourcing, survivability, backup and recovery from cyber incidents and disaster events, among others.

Cyber and Information Security Policy and Procedures

The policies for managing cyber and information security risks shall be presented to and approved by the Board.

These policy documents, according to the directive, shall cover the cyber threat environment and its potential impact on the RFI; the RFI's approach to managing cyber and information security risks and in determining and monitoring the level of exposure to cyber and information security threats and the principles behind implementing cyber and information security measures.

In recent years, cyber-related systems and networks have been playing an increasing role in the financial sector. The financial sector relies on these infrastructures for processing transactions and transferring funds which has made them attractive and susceptible targets for cyber-attacks.

Being high-profile targets creates a distinct challenge for financial RFIs, since they must strike an optimal balance between security and maintaining efficient and reliable operations for their customers.