
Nigeria: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

The main legislation dealing with cybersecurity in Nigeria is the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 ('the Cybercrimes Act'). The Cybercrimes Act provides an effective, unified, and comprehensive legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria. The Cybercrimes Act promotes cybersecurity, the protection of critical national information infrastructure, computer systems and networks, electronic communications, data and computer programs, and privacy rights.

In addition, there are other applicable policies and guidelines which include:

  • the National Cybersecurity Policy, which was issued in 2014 by the Office of the National Security Adviser ('ONSA'), and seeks to facilitate an effective legal framework and governance mechanism for Nigeria's presence in cyberspace and develop an information security and control mechanism for the protection and safety of Nigeria's national critical information infrastructure ('CII') and its associated economic infrastructures operating in the cyberspace;
  • the National Cybersecurity Strategy, which was issued in 2014 by the ONSA and comprises short-, medium-, and long-term strategies that will address Nigeria's cyber-risk exposure, and cover all national priorities with the objective of developing comprehensive cybercrime legislation and cyber threat countermeasures that are nationally adoptable, and regionally and globally relevant in the context of securing the nation's cyberspace; and
  • the Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers ('the Guidelines'), which were issued in 2018 by the Central Bank of Nigeria ('CBN') and came into force in January 2019. The Guidelines advise deposit money banks ('DMB') and payment service providers ('PSP') on the implementation of their cybersecurity programmes.

Please note the Nigerian Government recently issued a revised National Cybersecurity Policy and Strategy.

1.2. Regulatory authority

There is no specific regulatory authority for the enforcement of the provisions of the Cybercrimes Act in Nigeria. Rather, it is the obligation of all security agencies in Nigeria to enforce the provisions of the Cybercrimes Act. The ONSA is responsible for coordinating the implementation of the Cybercrimes Act by the security agencies.

1.3. Regulatory authority guidance

Not applicable.

2. SCOPE OF APPLICATION

Personal scope

The Cybercrimes Act applies to the following:

  • a citizen or resident in Nigeria if the person’s conduct would also constitute an offence under a law of the country where the offence was committed; or
  • outside Nigeria, where:
    • the victim of the offence is a citizen or resident of Nigeria; or
    • the alleged offender is in Nigeria and has not been extradited to any other country for prosecution.

Territorial scope

The Cybercrimes Act regulates cybercrimes committed in Nigeria. It extends beyond the shores of Nigeria where the victim of the offence is a Nigerian citizen or resident, or where the alleged offender is in Nigeria and has not been extradited to any other country for prosecution.

Material scope

The Cybercrimes Act ensures the protection of critical national information infrastructure, promotes the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property, and privacy rights.

3. DEFINITIONS

Information security program: the Cybercrimes Act does not provide a definition of information security program.

Database: a digitally organised collection of data for one or more purposes which allows easy access, management, and update of data (Section 58 of the Cybercrimes Act).

Cybersecurity incident: the Cybercrimes Act does not provide a definition of cybersecurity incident.

Cybersecurity/information security officer: the Cybercrimes Act does not provide a definition of cybersecurity/information security officer.

Computer data: every information, including information required by the computer to be able to operate, run programs, store programs, and store information, that the computer user needs, such as text files or other files that are associated with the program the computer is running (Section 58 of the Cybercrimes Act).

Computer program: a set of instructions written to perform or execute a specified task with a computer (Section 58 of the Cybercrimes Act).

Computer system: any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automated or interactive processing of data. The term covers any type of device with data processing capabilities including, but not limited to, computers and mobile phones. The device consisting of hardware and software may include input, output, and storage components which may stand alone or be connected in a network or other similar devices. The term also includes computer data storage devices or media (Section 58 of the Cybercrimes Act).

Critical infrastructure: systems and assets which are so vital to the country that the destruction of such systems and assets would have an impact on the security, national economic security, national public health, and safety of the Country (Section 58 of the Cybercrimes Act).

Electronic communication: communications in electronic format, instant messages, short message service (SMS), email, video, voicemails, multimedia message service (MMS), fax, and pager (Section 58 of the Cybercrimes Act).

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

4.1. Cybersecurity training and awareness

Pursuant to Section 41(3) of the Cybercrimes Act, all law enforcement, security, and intelligence agencies in Nigeria are required to develop institutional capacity for the effective implementation of the Cybercrimes Act. They are also required to collaborate with the Office of the National Security Adviser to organise training programs nationally or internationally for officers charged with the responsibility of prohibiting, preventing, detecting, investigating, and prosecuting cybercrimes.

4.2. Cybersecurity risk assessments

The Guidelines mandate all DMBs and PSPs to integrate their cybersecurity risk management system with their institution's risk management framework and governance requirements. They are also required to prepare a self-assessment risk report which will capture:

  • the procedure, tools, and framework used to conduct the cybersecurity self-assessment;
  • threats and risks identified;
  • potential value at risk/impact; and
  • intended controls to be implemented and a timeline for remediation.

4.3. Vendor management

There is no general requirement relating to the management of vendors. However, the Nigerian Data Protection Regulations 2019 ('NDPR'), issued by the National Information Technology Development Agency ('NITDA'), more generally require data processors and data controllers to develop security measures to protect personal data.

4.4. Accountability/record keeping

The NDPR establishes that within six months after the NDPR has been issued, each organisation must conduct a detailed audit of its privacy and data protection practices (Section 4.1(5) of the NDPR).

In addition, a data controller has an obligation to send a soft copy of the summary of the audit containing information about processed data to the NITDA, where such data controller processes the personal data of more than 1,000 data subjects in six months (Section 4.1(6) of the NDPR).

Moreover, data controllers processing data of more than 2,000 data subjects within 12 months, must submit a summary of the audit to NITDA on an annual basis, not later than 15 March of the following year (Section 4.1(7) of the NDPR).

The summary should state the data controller's privacy and data protection practices including (Section 4.1(5) of the NDPR):

  • personally identifiable information the organisation collects on employees of the organisation and members of the public;
  • any purpose for which the personally identifiable information is collected;
  • any notice given to individuals regarding the collection and use of personal information relating to that individual;
  • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  • whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
  • the policies and practices of the organisation for the security of personally identifiable information;
  • the policies and practices of the organisation for the proper use of personally identifiable information;
  • organisation policies and procedures for privacy and data protection;
  • the policies and procedures of the organisation for monitoring and reporting violations of privacy and data protection policies; and
  • the policies and procedures of the organisation for assessing the impact of technologies on the stated privacy and security policies.

5. DATA SECURITY

The NDPR stipulates, under Section 2.6, that data processors and data controllers shall develop security measures to protect the data. Such measures include, but are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorised individuals, employing data encryption technologies, developing organisational policy for handling personal data (and other sensitive or confidential data), protecting emailing systems, and continuous capacity building for staff.

The Consumer Code of Practice Regulations of 2007, issued by the Nigerian Communications Commission ('NCC'), requires licensees to meet generally accepted fair information principles, which include having security measures that protect consumer information.

The Guidelines on Operations of Electronic Payment Channels in Nigeria, issued in 2016 by the CBN, mandate a card issuer or issuing bank to provide additional security measures, such as two-factor authentication for cardholders that utilise their cards for online transactions.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

Under the Cybercrimes Act, any person or institution who operates a computer system or a network, whether public or private, has an obligation to immediately inform the Nigeria Computer Emergency Response Team ('ngCERT') Coordination Centre of any attacks, intrusions, and other disruptions liable to hinder the functioning of another computer system or network.

The Cybercrimes Act does not provide the process and formalities that need to be adhered to. However, the ngCERT on its website states that an incident report may be submitted by an individual or a company.

In the case of a natural person, the following information needs to be provided:

  • the name, address, phone number, and email of the individual;
  • whether or not the cyber attack is ongoing; and
  • the impact of the cyber attack.

In the case of a legal entity, the following information is required:

  • whether it is registered;
  • whether it is a business, or a government ministry, department, or agency;
  • its address, phone number, email, and website;
  • the details of a contact such as his/her name, designation, email, phone number, and address;
  • whether or not the cyber attack is ongoing;
  • the impact of the cyber attack;
  • the nature of the cyber attack and its symptoms;
  • date and time of occurrence;
  • whether the entity is aware of the vulnerabilities exploited;
  • whether it discovered any suspicious traces or IP addresses; and
  • the countermeasures taken.

The Cybercrimes Act provides that when the ngCERT Coordination Centre receives notice of a cyber attack, it may propose the isolation of affected computer systems or network pending the resolution of the issues.

In addition, the Internet Industry Code of Practice of 2019 ('the Internet Code of Practice') issued by the NCC mandates internet access service providers to notify affected customers of any breach within 48 hours of its occurrence, through email and text messages.

7. REGISTRATION WITH AUTHORITY

Since the internet can be used to provide diverse services, an entity will have to register with the appropriate regulatory authority for such services. For instance, a FinTech company will obtain a licence from the CBN while digital service providers will register with the National Broadcasting Commission.

8. APPOINTMENT OF A SECURITY OFFICER

Under the Cybercrimes Act, organisations do not have an obligation to appoint a security officer.

The Guidelines mandate DMBs and PSPs to appoint a chief information security officer ('CISO'), who will be responsible for the day-to-day cybersecurity activities and exposure of the company.

Furthermore, the NDPR mandates a data controller to designate a data protection officer ('DPO') for ensuring adherence to data protection and privacy.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial Services

Section 19(3) of the Cybercrimes Act stipulates that financial institutions owe a duty to their customers to put in place effective counter-fraud measures to safeguard sensitive information.

The Guidelines require the board of directors of all DMBs and PSPs to make cybersecurity a top priority at board meetings. They are required to possess current knowledge of all emerging threats and cyberattacks that may compromise their networks. They also have an obligation to conduct periodic risk assessments on their networks.

Health

Section 29(1) of the National Health Act 2014 mandates health establishments to put control measures in place to prevent unauthorised access of medical records.

Telecommunications

Section 4.2 of the Internet Code of Practice stipulates that an internet access service provider shall take reasonable measures to protect customer information from unauthorized use, disclosure, or access. An internet access service provider should consider the sensitivity of the data collected and the technical feasibility when implementing security measures.

Section 5.1 of the Internet Code of Practice also stipulates that an internet access service provider shall include in its terms and conditions of service a clear set of rules for the use of its service in a manner that complies with the Cybercrimes Act and all other applicable laws and regulations.

Employment

Not applicable.

Education

Not applicable.

Insurance

Not applicable.

10. PENALTIES

Section 21(3) of the Cybercrimes Act stipulates that any person or institution who fails to report any cybersecurity incident to the ngCERT Coordination Centre within seven days of its occurrence, commits an offence and is liable to denial of internet services. Such persons or institution must, in addition, pay a mandatory fine of NGN 2 million (approx. €4,130) into the National Cyber Security Fund established under Section 44 of the Cybercrimes Act.

In addition, the NDPR provides that a data controller that violates the data privacy rights of any data subject is liable, in addition to any other criminal liability, to the following:

  • in the case of a data controller dealing with more than 10,000 data subjects, payment of the fine of 2% of the annual gross revenue of the preceding year or payment of the sum of NGN 10 million (approx. €20,670), whichever is greater; and
  • in the case of a data controller dealing with fewer than 10,000 data subjects, payment of the fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million (approx. €4,130), whichever is greater.

11. OTHER AREAS OF INTEREST

Network and Information Systems

The Cybercrimes Act proscribes and penalises access to network and information systems without authorisation.

Section 6(1) of the Cybercrimes Act makes it an offence for any person who, without authorisation, intentionally accesses a computer system or network for fraudulent purposes, and obtains data vital to national security. Such persons upon conviction are liable to imprisonment for five years or to a fine of not more than NGN 5 million (approx. €10,320), or both.

Section 6(2) of the Cybercrimes Act makes it an offence for any person, without authorisation, to access a computer system with the intent of obtaining computer data, securing access to any program, commercial or industrial secrets or classified information. The offender upon conviction is liable to imprisonment for seven years or to a fine of not more than NGN 7 million (approx. €14,450), or both.

Section 11 of the Cybercrimes Act makes it an offence for any person to intercept by technical means, non-public transmissions of computer data, content, or traffic data, including network carrying or emitting signals, without authorisation. The offender upon conviction is liable to imprisonment for three years or to a fine of not more than NGN 1 million (approx. €2,060), or both.

Critical Information Infrastructure Operators

Under the Cybercrimes Act, the President of the Federal Republic of Nigeria, on the recommendation of ONSA, may declare certain assets to be critical national infrastructure.

The Cybercrimes Act does not provide for CII operators but makes it an offence for anyone to destroy or interfere with critical national information infrastructure. The offender will be liable upon conviction to imprisonment for not more than ten years without an option of a fine.

Operators of Essential Services

The Cybercrimes Act does not define an 'operator of essential services' but defines a 'service provider' as (Section 58 of the Cybercrimes Act):

  • any public or private entity that provides to users of its services the ability to communicate by means of a computer system, electronic communication devices, mobile networks; or
  • any other entity that processes or stores computer data on behalf of such communication service or users of such service.

Cloud Computing Services

The Nigerian Cloud Computing Policy (version 1.2) ('the Policy') defines cloud computing as the computing model for ubiquitous, convenient, on-demand, and real-time network access to a pool of configurable and rapidly provisioned computing resources (networks, servers, storage, applications, and services, among others) required by and available to federal public institutions ('FPIs') and small and medium enterprises ('SMEs') to carry out their businesses and operations.

The Policy recognises the three categories of cloud computing services which are:

  • Software as a Service ('SaaS'): Where the consumer uses the provider's applications running on cloud infrastructure. These applications are accessible from various client devices through a client interface such as a web browser (e.g. web-based email) or a program interface.
  • Platform as a Service ('PaaS'): PaaS capability is provided to consumers in a pre-installed cloud infrastructure platform such as a relational database environment, Java development, etc. A PaaS solution provides the platform for developers to create unique, customisable software.
  • Infrastructure as a Service ('IaaS'): The consumer can provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.

In respect of the use of cloud computing services by public institutions, the Policy classifies data into four categories:

  • Official, Public or Non-Confidential Data: This refers to data publicly available and non-sensitive. Such data are publicly available per the Nigeria Federal Open Data Initiative and Open Government Partnership commitments.
  • Confidential, Routine Government Business Data: This includes health and financial information of natural persons. These are regarded as data of moderate sensitivity.
  • Secret, Sensitive Government and Citizen Data: This applies to data of both natural and juridical persons. These data are classified as sensitive because their loss may be serious and have material effects on the data subject or related entities.
  • Classified or National Security Information: This is data considered sensitive to national security which therefore requires additional safeguards.

The Policy stipulates that cloud service providers servicing public institutions must comply with the cloud security certification programs that the Nigerian Government will establish. The certifications mentioned in the policy are:

In respect of the operations of a cloud service provider ('CSP'), the Policy states that:

  • the CSP shall maintain the utmost integrity to protect the data and meet the security requirements set forth by the NITDA;
  • data shall not be stored, shared, processed, or modified in any way that compromises the integrity of the data;
  • the failure to satisfy any of the liabilities or obligations on the part of the CSP shall constitute a breach of the contract;
  • violation of the contract or breach of data shall be disclosed by the CSP to NITDA as soon as the breach is discovered; and
  • NITDA or a directed organisation identified by NITDA will conduct a root cause analysis and determine appropriate sanctions.

Digital Service Providers

A digital service provider has an obligation to respect the rights of data subjects, protect their data, and ensure that personal data is processed in accordance with the NDPR.

Akinkunmi Akinwunmi Lead Partner
Paragon Advisors, Lagos