The Bank of Ghana (BoG) has released a Cyber and Information Security Directive, opening it for public feedback as part of its Procedures for the Issuance of Directives, 2020. This marks a proactive move to strengthen Ghana’s financial system against the rising tide of cyber threats.
Public Consultation
The BoG has published an Exposure Draft of the directive on its official website (www.bog.gov.gh). It will remain available for at least 14 days to allow stakeholders and the general public to share feedback.
Comments should be sent to information.security@bog.gov.gh no later than September 30, 2025. The Bank has committed to reviewing all material submissions and providing explanations for which recommendations were adopted or not.
Objectives of the Directive
The directive is designed to:
- Secure financial technology systems, boosting public trust in digital transactions.
- Establish a compliance framework consistent with international cybersecurity standards.
- Promote proactive cyber risk management, with regular assessments and oversight.
- Safeguard financial operations from system failures, attacks, or disruptions.
Governance Structure
The directive makes governance a shared responsibility:
- Boards of Regulated Financial Institutions (RFIs) must define cyber risk strategies, approve institutional policies, and ensure readiness for incidents and recovery.
- Senior Management must implement these policies, maintain operational frameworks, and oversee day-to-day risk management and response plans.
This approach reinforces that cybersecurity is a boardroom issue, not just a technical matter.
Cybersecurity Policies and Procedures
RFIs will need board-approved policies that:
- Address the evolving threat environment and its potential impact.
- Define how the institution will manage and monitor risks.
- Establish guiding principles for implementing and maintaining security measures.
Such requirements highlight that cybersecurity is not static it must evolve alongside new threats and technologies.
Why Cybersecurity is Critical for Finance
Globally, financial institutions have become prime targets for cyberattacks, given their central role in payment systems, fund transfers, and sensitive data storage. Ghana’s financial sector is no exception.
The directive acknowledges this dual challenge: protecting digital infrastructure while maintaining reliable and efficient customer service. Achieving this balance is essential for long-term trust in the system.
What This Means for Businesses
For financial institutions, the directive sets a clear expectation: cybersecurity must be woven into both strategy and daily operations. Boards and executives alike will be held accountable for how risks are managed and mitigated.
For the broader business community, it’s a reminder that cybersecurity is no longer optional. As regulatory frameworks tighten, organizations of all sizes will be expected to adopt structured policies, conduct regular risk assessments, and align with global best practices.
Key Insight: The Bank of Ghana’s directive is more than a compliance requirement. It signals a broader shift toward embedding cybersecurity into financial governance. Businesses that act early will not only meet regulations but also strengthen trust with their clients and partners.