The Bank of Ghana (BoG) has formally launched the revised Cyber and Information Security Directive (CISD) 2026, activating a regulatory framework that expands cybersecurity obligations across the financial sector and introduces requirements that were absent from the 2018 original, including mandatory board-level expertise in cyber risk and strict rules on where financial data may be stored.
Governor Johnson Pandit Asiama, speaking at the launch in Accra, described the directive as a deliberate shift in the scope of central bank supervision. “We are no longer just supervising capital adequacy ratios or liquidity positions of financial institutions,” he said. “We are now, more than ever, safeguarding the confidentiality, the integrity and the availability of the data that powers our economy.”
The revised directive introduces tougher governance standards and expands sector-wide monitoring systems as rising digital payments expose banks and fintechs to more sophisticated attacks. Under the new rules, each regulated financial institution must have at least one board member with verifiable expertise in cyber risk management, a requirement designed to embed security accountability at the highest level of institutional governance rather than confining it to technology departments.
The framework also introduces governance rules specifically covering artificial intelligence (AI) and machine learning, targeting systems used in fraud detection, credit scoring, and customer service to ensure they meet standards of fairness, transparency, and security.
On cloud computing, the directive draws a firm line: sensitive financial and personal data must remain within Ghana’s borders, in alignment with the Data Protection Act 2012 and the Cybersecurity Act 2020. Only non-sensitive front-end services may be hosted externally, subject to regulatory approval and risk-based conditions.
The directive spans 20 sections covering governance, risk management, audit, asset management, cyber defence, incident response, access control, electronic banking, cloud services, physical security, business continuity, and secure development, and applies proportionally across institutions based on their size and risk profile. Coverage has been extended beyond commercial banks to include savings and loans companies, microfinance institutions, and fintech firms, reflecting the regulator’s view that vulnerabilities anywhere in the ecosystem can threaten the entire system.
The Financial Industry Command Security Operations Center (FICSOC), designated under law as the sector’s Computer Emergency Response Team, has been given a strengthened central role in coordinating monitoring and incident response. The Bank of Ghana said it is developing a shared services model to distribute the costs of 24-hour operations across participating institutions.
Asiama framed the directive as a foundational piece of financial sector strategy. “As the sector moves toward open banking and quantum computing, resilience will depend on talent, technology, and trust,” he said.
