CYBERSECURITY LEGAL TOOLKIT FOR BUSINESSES IN NIGERIA

Cyberattacks are a common and growing threat to businesses, especially ones that use the internet and social media. A report by Sophos reveals that 86% of Nigerian businesses suffer from cybersecurity breaches, mainly in the public cloud. The report also stated that Nigeria recorded 82,000 cases of data breaches in the first quarter of 2023, up from 50,000 recorded in Q4 2022. This is especially worrisome because cyberattacks damage a business’s reputation, finances, and legal standing.

One of the main techniques of cybercriminals is social engineering, which exploits human psychology to trick employees into revealing data or clicking malicious links. Cybercriminals often impersonate trusted contacts or authorities to manipulate their targets through emails, phone calls, or online platforms. Although data shows that many Nigerians lack basic knowledge and skills for online safety, business owners in Nigeria have a legal obligation to secure their critical IT infrastructure from cyberattacks. They must therefore train their employees on online safety and protect their customers’ data and assets from cyberattacks; if that data is misused, exposed, or stolen, the business faces administrative sanctions and loss of reputation.

This legal obligation is enshrined in Section 24(1) and (2) of the Nigeria Data Protection Act 2023, which provides that: “A data controller and data processor shall use appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data. Notwithstanding anything to the contrary in this Act or any other law, a data controller or data processor owes a duty of care, in respect of data processing, and shall demonstrate accountability, in respect of the principles contained in this Act.”

The data controller is the person or organization that decides what personal data is collected, how it is used, and who it is shared with. They are ultimately responsible for protecting the privacy of the data and ensuring that it is processed in accordance with the law. The data processor, by contrast, is the person or organization that processes personal data on behalf of the data controller. This could include storing the data, analyzing it, or sending it to other organizations. The data processor is required to follow the instructions of the data controller and to take appropriate security measures to protect the data.

To assist Nigerian businesses in fending off the incessant cyberattacks, the Office of the National Security Adviser (ONSA), the National Information Technology Development Agency (NITDA), and the UK Foreign, Commonwealth and Development Office (FCDO) collaborated to develop a cybersecurity toolkit for SMEs, which can be accessed for free at: https://gcatoolkit.org/small-business-dapnigeria/. The toolkit is part of the Digital Access Programme (DAP), which aims to promote digital inclusion and economic growth in Nigeria. The toolkit covers various topics such as cyber risk assessment, data protection, phishing, ransomware, password management, device security, network security, cloud security, incident response, and cyber insurance. The toolkit also includes self-assessment tools, checklists, templates, videos, podcasts, webinars, and case studies to help SMEs implement the recommended actions.

In addition to implementing the tips contained in the cybersecurity toolkit described above, we have developed a legal toolkit for Nigerian businesses to go with it:

  1. Understand that complying with the Nigeria Data Protection Act, the Cybercrimes (Prohibition, Prevention, etc.) Act and sector-specific laws on cybersecurity is mandatory. Non-compliance can therefore expose your business to prosecution or heavy sanctions as high as 2% of the organisation’s annual gross revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

  2. To help you comply with the law, hire an in-house data protection officer or consult experienced law firms like The Firma Advisory. Some data controllers and data processors (those of major importance) must have a data protection officer, but the Nigeria Data Protection Commission (NDPC) has not yet designated which organisations fall into that category.

  3. Establish and enforce organisational cybersecurity measures that comply with your sector's regulation or, if your sector is unregulated, with the Nigeria Data Protection Act and the Cybercrimes Act.

  4. Use the technical data security standards recommended by your sector regulator, or those of the Nigeria Data Protection Act if your sector is unregulated. The law sets minimum or best practices for security, but you may adopt higher levels of security to prevent cyberattacks. Section 39(1) of the Nigeria Data Protection Act requires a “Data Controller and Data Processor to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of Personal Data in its possession.”

  5. All businesses are encouraged to file a data audit report; however, if you handle the data of more than 2000 persons in a period of 12 months, you must file a data audit report with the Nigeria Data Protection Commission.

  6. In the event of a cyberattack, report the incident to your customers, your sector regulator and the Nigeria Data Protection Commission. The timeline within which to report varies across sectors, but the Nigeria Data Protection Act requires that a breach be reported within 72 hours of you becoming aware of it.

Conclusion:

Cybersecurity is a vital aspect of any business that operates online, especially in Nigeria, where cyberattacks are prevalent and costly. Nigerian businesses should comply with the cybersecurity legal requirements and endeavour to implement and enforce the cybersecurity toolkit developed under the DAP initiative. The toolkit provides practical guidance and resources for SMEs to improve their cybersecurity awareness, practices, and resilience. By using the toolkit, SMEs can reduce their exposure to cyber risks, protect their customers' data and assets, and increase their trust and reputation in the digital market. October is Cybersecurity Awareness Month, and Nigerian businesses need to build a culture of vigilance towards cyber issues. Cybersecurity is not only a technical issue but also a business issue that affects the bottom line and the reputation of any organization. Therefore, Nigerian businesses should take proactive steps to secure their online presence and operations from cyber threats.