In today’s increasingly digital environment, cybersecurity has become a critical issue for organizations across the globe, including Nigeria. As organizations continue to rely heavily on digital systems and infrastructure for communication, financial transactions, data storage, and operational processes, they are becoming increasingly vulnerable to cyber threats and breaches such as data theft, ransomware attacks, phishing schemes, and unauthorized system access. These threats not only expose companies to financial losses but can also damage corporate reputation, disrupt business operations, and result in regulatory penalties. In Nigeria, several regulatory frameworks, such as the Nigeria Data Protection Act, 2023 and other sector-specific compliance regulations, place increasing obligations on companies to safeguard sensitive information and implement effective cybersecurity measures.
As a result, it has become imperative for companies to adopt proactive and practical risk management strategies aimed at identifying vulnerabilities, strengthening internal controls, and mitigating potential cyber threats. At the heart of these strategies are the legal and compliance obligations that companies must meet in a world of increasing cybersecurity risk. To manage cyber risks effectively, organizations must first understand the forms that modern cyber threats and risks may take. Some of the most prevalent threats include the following:
1. Phishing Attacks: Phishing is one of the most common and dangerous cyber threats to businesses, responsible for many data breaches. It occurs when attackers pretend to be trusted contacts and trick employees into clicking malicious links, downloading harmful files, or revealing sensitive information such as passwords or financial details. Modern phishing attacks are highly sophisticated, including corporate email compromise, where criminals steal the email credentials of executives and send fraudulent payment requests. Because phishing targets human behavior rather than technical systems, it is usually difficult to stop. Businesses can reduce the risk by using email security gateways, post-delivery protection tools, and security awareness training to help employees identify and report suspicious emails.
2. Malware Attacks: Malware refers to harmful software such as viruses and trojans that hackers use to access networks, steal data, or damage systems. It often spreads through infected websites, spam emails, or compromised devices. Small businesses are especially vulnerable because malware can damage devices, cause costly repairs, and expose sensitive business or customer data. To prevent malware attacks, organizations should implement endpoint protection systems and web security tools that block malicious downloads and prevent access to dangerous websites.
3. Ransomware: Ransomware is a cyberattack where hackers encrypt a company’s data and demand payment to restore access. It has become increasingly common because it is highly profitable for cybercriminals. Businesses that are often targeted are the ones that lack strong security systems or reliable backup systems. When important data is locked, organizations may face major operational disruptions and financial losses. To reduce this risk, businesses should install strong endpoint protection across all devices and implement secure cloud backup systems. Reliable backup systems allow companies to recover their data without paying ransom demands.
4. Insecure Passwords: Weak or easily guessed passwords are a major cybersecurity risk for many businesses. Employees often reuse passwords across multiple accounts or create simple passwords that attackers can easily guess. This can allow hackers to gain unauthorized access to sensitive company systems and information. The problem often occurs because employees are unaware of the risks associated with poor password practices. Businesses should use password management tools to generate and store strong passwords securely. In addition, multi-factor authentication (MFA) should be implemented to add an extra layer of security protection.
5. Insider Threats: Insider threats arise from individuals within the organization, such as employees, former staff, contractors, or partners, who have access to company systems. These threats may occur intentionally, due to malicious motives, or unintentionally, due to negligence or lack of awareness. Because insiders already have authorized access, they can cause serious data breaches or security incidents. The risk increases when employees have access to systems or information they do not need for their roles. Businesses can reduce insider threats by promoting cybersecurity awareness, providing regular employee training, and limiting system access based on job responsibilities.
Key Compliance Obligations for Companies in Nigeria
As cyber threats continue to evolve, several legal and regulatory frameworks impose specific obligations on companies to safeguard digital systems and personal data. To remain compliant and avoid regulatory sanctions, organizations must prioritize the following key compliance obligations.
1. Risk Management Requirements: Nigerian companies must continually evaluate and mitigate risks so as to avoid breaches arising from cybersecurity threats. The Central Bank of Nigeria (CBN) Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks, 2024 mandates that Nigerian financial institutions move beyond basic security to a structured, continuous risk lifecycle. Under this guideline, companies must carry out the following four core risk management activities:
• Risk Identification: Organizations must identify all information assets and the specific threats or vulnerabilities associated with their confidentiality, integrity, and availability.
• Risk Assessment: A formal risk assessment must be conducted at least annually. New assessments are also required immediately following major changes, such as mergers, acquisitions, or the deployment of new technology. The findings must be recorded in a Cybersecurity Risk Control Self-Assessment report.
• Risk Measurement: Institutions are now required to quantify the financial loss and reputational damage that could result from identified cyber risks.
• Risk Mitigation & Treatment: Security measures such as encryption or multi-factor authentication must be implemented in direct proportion to how critical the asset is. Based on the assessment, management must explicitly choose to reduce, accept, avoid, or transfer (e.g., through insurance) each identified risk.
2. Registration as a Data Controller / Processor with the NDPC: Pursuant to section 44 of the Nigeria Data Protection Act 2023 (NDPA), organisations that process personal data in Nigeria are required to register with the Nigeria Data Protection Commission (NDPC) as a Data Controller or Data Processor, particularly where they process personal data on a large scale or process sensitive personal data. Registration enables the NDPC to ensure compliance with applicable data protection obligations. Organisations are generally required to provide details of their data processing activities, the categories of personal data processed, and the security measures implemented to protect such data. Failure to register where required may expose organisations to regulatory sanctions and administrative penalties under the NDPA.
3. Conducting Data Protection Impact Assessments (DPIAs): Prior to the commencement of any project or data processing activity in Nigeria, an organization must identify its objectives and determine whether a Data Protection Impact Assessment (DPIA) is necessary. Under Section 28 of the Nigeria Data Protection Act (NDPA) 2023, a data controller is legally mandated to carry out a DPIA where processing is likely to result in a high risk to the rights and freedoms of data subjects. The NDPA General Application and Implementation Directive (GAID) 2025 clarifies these high-risk circumstances. A DPIA is mandatory, among other cases, when evaluating or scoring (profiling) data subjects, when engaging in automated decision-making with legal or similarly significant effects, when conducting systematic monitoring, and when sensitive or highly personal data is involved. Adherence to Section 28 of the NDPA 2023 and the GAID 2025 is a mandatory prerequisite for high-risk data processing. Failure to conduct a DPIA where required not only invites significant regulatory sanctions from the NDPC but also undermines the organization’s commitment to data protection.
4. Appointment of Data Protection Officers: Pursuant to section 32 of the Nigeria Data Protection Act 2023 (NDPA), a data controller of major importance is required to designate a Data Protection Officer (DPO) with expert knowledge of data protection law and practices and the ability to carry out the tasks prescribed under the Act. The Act further provides that a data controller or data processor must ensure that its Data Protection Officer is involved, properly and in a timely manner, in all issues relating to the protection of personal data. The duties of the DPO include informing the organisation and its employees of their legal obligations under applicable data protection laws, overseeing internal data protection policies and audits, and preparing periodic internal compliance reports for management, which may be integrated into the organisation’s Record of Processing Activities (RoPA).
5. Filing of Annual Compliance Audit Returns (CARs): Under the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025, data controllers and processors of major importance are required to conduct an annual audit of their data protection practices. The framework mandates the filing of a Compliance Audit Return (CAR) with the Nigeria Data Protection Commission (NDPC) to demonstrate accountability and transparency; the deadline for this filing is 31st March of each year. The audit must be conducted and the CAR filed through a licensed Data Protection Compliance Organisation (DPCO), which provides an independent verification statement to the Commission. Failure to file the CAR by the prescribed deadline may result in penalties.
6. Breach Notification Obligations: Under Section 40 of the Nigeria Data Protection Act (NDPA) 2023, organizations are strictly required to report personal data breaches to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of an incident likely to result in a risk to the rights and freedoms of individuals. Where a breach is categorized as high risk, the data controller must also notify the affected data subjects immediately in plain and clear language. The GAID 2025 further clarifies that these notifications must include a description of the breach, the categories of data affected, likely consequences, and the mitigation measures taken.
7. Legal Consequences: Cybersecurity incidents can expose organizations to significant legal, financial, and reputational consequences. Under the Cybercrimes (Prohibition, Prevention, etc.) Act, unauthorized access to computer systems, cyber fraud, identity theft, and related cyber offences attract criminal penalties, including fines and imprisonment for offenders. Organizations that fail to implement adequate safeguards may also face regulatory scrutiny, particularly where their systems are exploited to facilitate cybercrime. In addition, the Nigeria Data Protection Act empowers the Nigeria Data Protection Commission to impose administrative fines and corrective measures on organizations that fail to adequately protect personal data or comply with statutory data protection obligations.
Strategies for Strengthening Cybersecurity Compliance
To effectively manage regulatory obligations and reduce cybersecurity risks, companies and organisations operating in Nigeria should consider adopting the following strategies:
1. Conduct Regular Cybersecurity Risk Assessments: Organizations should carry out periodic cybersecurity risk assessments tailored to their specific operational and technological environment. A structured and tiered risk management approach enables companies to identify vulnerabilities, prioritize the protection of critical assets, and allocate resources efficiently.
2. Develop and Maintain an Incident Response Plan: Companies should establish a comprehensive incident response plan outlining procedures for the detection, containment, investigation, and remediation of cyber incidents. The plan should also include clear protocols for notifying regulatory authorities and affected stakeholders within the timelines required by law.
3. Implement Regular Cybersecurity Training for Employees: Human error remains one of the leading causes of cybersecurity incidents. Regular training programs focusing on phishing awareness, secure data handling, and general cybersecurity best practices can significantly reduce vulnerabilities and promote a culture of security within the organization.
4. Ensure Continuous Compliance Monitoring and Reporting: Organizations should actively monitor developments in cybersecurity regulations and guidelines, both within Nigeria and internationally. Continuous compliance monitoring enables companies to remain aligned with evolving regulatory standards and to respond proactively to emerging legal requirements.
5. Leverage Technology and Automation for Security Management: The use of advanced cybersecurity technologies, including automated monitoring tools and artificial intelligence-driven threat detection systems, can significantly strengthen an organization’s security posture. Automated systems can detect anomalies, flag potential threats, and initiate rapid responses, thereby enhancing both regulatory compliance and operational resilience.
Conclusion
Cybersecurity has become an essential priority for organizations operating in today’s digital economy. As businesses increasingly rely on digital systems for their operations, they must also recognize the growing risks posed by cyber threats such as phishing, ransomware, malware, and insider attacks. These threats not only cause financial and operational disruptions but may also expose companies to regulatory penalties and reputational damage.
In Nigeria, legal frameworks such as the Nigeria Data Protection Act and the Cybercrimes (Prohibition, Prevention, etc.) Act place clear obligations on organizations to safeguard personal data and maintain secure digital systems. Consequently, companies must adopt proactive cybersecurity practices, including risk assessments, employee training, incident response planning, and continuous compliance monitoring. By strengthening internal controls and prioritizing cybersecurity governance, Nigerian organizations can better protect their systems, maintain regulatory compliance, and build long-term trust with customers and stakeholders.
Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.
For further information or to see our other service offerings, please visit www.goldsmithsllp.com or contact: