The Bank of Ghana (BoG) has launched a sweeping new cybersecurity directive designed to protect the country’s fast-growing digital financial sector from increasingly sophisticated cyber threats.
Speaking at the launch in Accra on March 25, Governor Dr. Johnson Pandit Asiama said the revised Cyber and Information Security Directive (CISD) 2026 marks a decisive shift toward building a safer and more resilient financial ecosystem as digital services expand.
He noted that innovations such as mobile money, cloud computing and artificial intelligence have dramatically improved financial inclusion and efficiency, but have also exposed banks, fintechs and other institutions to complex cyber risks — including ransomware attacks and major data breaches.
According to the Governor, cyber threats have evolved beyond isolated technical incidents and now pose serious national security concerns, requiring a coordinated and proactive response across the entire financial industry.
The new directive builds on the original cybersecurity framework introduced in 2018 but reflects the realities of a much more dangerous digital landscape. Dr. Asiama emphasized that regulators are moving from a basic compliance approach to one focused on active, collective cyber resilience.
Central to the framework is the role of the Financial Industry Command Security Operations Centre (FICSOC), designated under Ghana’s Cybersecurity Act as the sector’s emergency response hub. This expands the central bank’s responsibility from oversight to real-time coordination of cyber defence efforts across financial institutions.
Among the most notable changes is the introduction of rules governing the use of artificial intelligence and machine learning in financial services. Institutions must now ensure such systems operate in ways that are fair, transparent and secure.
The directive also sets strict conditions for cloud computing. While financial institutions may use cloud services for non-sensitive operations, highly sensitive financial and personal data must be stored within Ghana’s borders, reinforcing data sovereignty requirements.
In addition, regulatory requirements will now be tailored to the size and risk profile of institutions, ensuring that smaller firms are not overburdened while still maintaining strong security standards. Financial institutions are also expected to strengthen oversight by ensuring cybersecurity expertise is represented at the board level.
Coverage of the directive has been broadened beyond traditional banks to include fintech companies and other players in the financial ecosystem, reflecting the interconnected nature of modern digital finance.
To sustain sector-wide cyber defence capabilities, the Bank of Ghana is developing a shared funding model for FICSOC’s operations, which will support continuous upgrades and round-the-clock monitoring. The Governor said the model will be designed to ensure fairness, transparency and value for participating institutions.
Dr. Asiama urged industry leaders to view cybersecurity not merely as a regulatory requirement but as a strategic priority essential to maintaining public trust and long-term stability.
He stressed that protecting Ghana’s digital financial infrastructure will require ongoing investment in skilled personnel, advanced technology and strong collaboration among stakeholders.
Describing the directive as a collective commitment to safeguard the nation’s digital economy, he concluded that cybersecurity must remain a continuous journey of vigilance and adaptation as threats evolve
