The National Insurance Commission of Ghana (NIC) has issued cybersecurity directives (the Cybersecurity Directives), which took effect on 1 June 2025. The Cybersecurity Directives set out a framework to guide insurers and reinsurers in building robust and resilient cybersecurity systems. Although the directives are primarily addressed to insurers and reinsurers, the NIC may extend some of the requirements to brokers, technical service providers, and innovative insurers and intermediaries, depending on the nature, size and complexity of their operations.
Key requirements under the directives
An insurer or reinsurer is required to comply with the following key requirements:
| Required action | Details of requirement |
| --- | --- |
| Governance and leadership | The board of directors must (i) embed a culture of cybersecurity risk awareness, approve the company's technology and cybersecurity strategies and oversee the implementation of a cybersecurity framework, and (ii) establish a change control board committee to review and approve cybersecurity-related changes. Senior management must (i) ensure that appropriate structures, staff, expertise and resources are in place, (ii) appoint a person responsible for technology and cyber risk governance (for example a Head of Information Technology, Chief Technology Officer, Chief Information Officer, Head of Cyber Security or Chief Information Security Officer), (iii) keep the board informed about major incidents and developments, particularly those involving third-party service providers, and (iv) report cyber incidents to the NIC and, where applicable, the Cyber Security Authority within 14 days of the incident. |
| Technology and cybersecurity strategy | Develop a technology and cybersecurity strategy that sets out the long-term vision, goals and objectives for managing technology and cyber risk. The strategy should align with the entity's broader business strategy and anticipate emerging risks and technological trends. |
| Cyber risk management framework | Establish a cybersecurity risk management framework that sets out how risks are identified, assessed, managed, monitored and reported. The framework must align with the entity's overall enterprise risk management structure, so that cybersecurity is treated as an integral part of business operations rather than a siloed concern. The entity must also conduct regular vulnerability assessments, threat monitoring and risk classification exercises, supported by up-to-date data and risk metrics. |
| Technology operations and resilience | Ensure that systems remain stable, scalable and secure even during disruptions, cyber attacks or technological failures. The key elements of this resilience are documented frameworks and processes covering technology architecture, technology asset management, project management, the system development life cycle, change and release management, patch management, and incident and problem management. |
| Incident communication plan | Establish a clear, structured communication plan for reporting cyber incidents and their effects to stakeholders. The plan should designate communication officers for internal and external communications, define which incidents are reportable, and ensure timely notification. All significant cyber incidents must be reported to the NIC within 14 days, detailing their nature, impact and the response measures taken. An entity that operates a computer system or network considered essential to national security or to the economic and social well-being of citizens (critical information infrastructure) must also report to the Cyber Security Authority. The aim is transparency, accountability and effective coordination during cyber incidents. In practice, the plan should settle in advance what counts as a "significant" incident and from which point the 14-day window is counted, so that these decisions are not made under pressure during an incident. |
| Enterprise disaster recovery programme | Establish an enterprise disaster recovery programme that sets out the approach to recovering technology services during a disruption, aligned with the entity's business continuity plans. Full-scale disaster recovery tests must be carried out at least every two years, or annually if the NIC so directs. |
| Cyber security annual report | Submit an annual cybersecurity report to the NIC. The report must describe the risk management framework, the number of cyber threats and incidents faced during the year, their financial impact, and any significant security lapses. It must also explain how the entity is preparing for emerging risks, including those arising from blockchain, cryptocurrency and machine learning, and other evolving threats. |
Non-compliance
Failure to comply with the Cybersecurity Directives is a regulatory breach and may trigger any of the regulatory sanctions or enforcement actions available to the NIC under the Insurance Act, 2021 (Act 1061), including issuing directions, conducting investigations and imposing administrative penalties.
Conclusion
As digital transformation continues to reshape financial services, the Cybersecurity Directives are intended to position Ghana's insurance industry for safe and secure growth in the digital era. Together with the Cybersecurity Act, 2020 (Act 1038) and other sector-specific regulations, the directives form part of a broader regulatory ecosystem aimed at establishing a strong and coordinated cybersecurity regime in Ghana.