The Nigerian banking industry’s strategic pivot toward enhanced risk management frameworks, prompted by the convergence of sophisticated cyber threats and artificial intelligence adoption, signals a fundamental recalibration of how financial institutions conceptualize operational resilience. The EY report highlighting this transformation arrives at a moment when the sector is already navigating monetary policy shifts, digital transformation imperatives, and evolving regulatory expectations under the Central Bank of Nigeria’s (CBN) refreshed leadership. For an economy where banking stability directly influences investment confidence and payment system integrity, the industry’s ability to adapt its risk architecture to these emerging challenges carries systemic implications.
The survey findings indicating that 56 per cent of Nigerian banks now identify cybersecurity as their foremost operational risk represent a significant shift from traditional credit and liquidity concerns that historically dominated boardroom discussions. This reordering of risk priorities reflects the sector’s deepening digitalization, which has expanded attack surfaces even as it enhances customer convenience and operational efficiency. Mobile banking adoption, agent banking networks, and real-time payment systems have created multiple entry points that sophisticated threat actors can exploit, while the sensitive nature of financial data makes banks particularly attractive targets for ransomware and data theft operations.
The AI dimension adds complexity to this risk calculus. Financial institutions are increasingly deploying machine learning algorithms for fraud detection, credit scoring, and customer service automation—applications that can enhance competitiveness and reduce costs. However, the EY report’s finding that 80 per cent of global financial services firms view AI as simultaneously a risk and an opportunity resonates strongly in the Nigerian context. Adversarial AI techniques can potentially circumvent detection systems, while algorithmic decision-making introduces new dimensions of model risk and regulatory compliance complexity. Banks must now ensure that their AI governance frameworks are as robust as their cybersecurity protocols.
From a financial stability perspective, the concentration of cyber risk in the banking sector raises concerns that extend beyond individual institutions. Nigeria’s payment system has become increasingly interconnected, with banks, fintechs, mobile money operators, and switching companies all relying on shared infrastructure. A successful cyber attack on a major bank could potentially cascade through the system, disrupting payment flows, eroding customer trust, and triggering liquidity pressures. The CBN’s oversight of systemic risk must therefore expand beyond traditional capital adequacy and liquidity ratios to encompass cyber resilience and operational continuity planning.
The regulatory environment is evolving in response. The CBN has issued increasingly stringent cybersecurity guidelines, mandating incident reporting frameworks, regular penetration testing, and board-level oversight of cyber risk. The Nigeria Data Protection Act, which establishes a legal framework for data privacy and security, adds compliance obligations that intersect with banking regulations. For banks, navigating this multiplatform regulatory landscape requires integrated risk management approaches that treat cyber, data, and operational risks as interconnected rather than siloed.
The investment implications are twofold. First, banks that demonstrate superior cyber resilience may gain competitive advantage in attracting corporate clients and high-net-worth individuals who prioritize security. Second, the technology spending required to maintain robust defenses—estimated to consume growing portions of IT budgets—puts pressure on cost-to-income ratios at a time when net interest margins face headwinds from monetary policy tightening. Banks must balance investment in defensive capabilities against shareholder return expectations, a tension that will influence sector profitability in coming years.
For the broader economy, the banking sector’s ability to manage cyber-AI risks will partly determine Nigeria’s attractiveness to foreign portfolio investors. International investors increasingly scrutinize cybersecurity practices when allocating capital to emerging market financial institutions, recognizing that a major breach could trigger valuation declines and regulatory sanctions. As Nigeria seeks to rebuild investor confidence following years of currency volatility and policy uncertainty, demonstrating that its financial system can withstand 21st-century threats is essential to the “Renewed Hope” agenda’s capital mobilization objectives.
The EY report’s emphasis on talent development as a critical success factor highlights a specific constraint facing Nigerian banks. Cybersecurity and AI governance require specialized skills that remain scarce in the domestic labor market, driving competition with technology companies and international employers for limited expertise. Banks that invest in internal capacity building, partnerships with educational institutions, and retention strategies for technical talent will be better positioned to navigate the evolving threat landscape.
Looking ahead, the industry’s response to these challenges will likely involve greater collaboration, both among banks and with regulatory authorities. Information sharing on threat intelligence, joint investment in security infrastructure, and coordinated incident response protocols can enhance collective resilience without requiring each institution to duplicate capabilities. The EY report’s emphasis on ecosystem-wide approaches to risk management recognizes that in an interconnected financial system, security is only as strong as the weakest link.




