Generally, organisations may be categorised into those that have already experienced cybersecurity incidents and those that will. The reality is that most organisations, whether or not they have experienced a cyber threat or incident in the past, are on their way to their first or next one.

These incidents may manifest in different ways; the most common include personal data breaches, loss of information, and other information technology-related events or incidents which impact the information technology system or network.

26 June 25

A cybersecurity incident may be an incident which has been defined as such, either by law or in the organisation’s cyber-threat intelligence programs. Different laws have different requirements in respect of cyber incident responses and reporting. In preparing to respond to a cybersecurity incident, organisations are required to take into consideration applicable legal requirements for reporting cybersecurity incidents.

Against the recent spate of international cybersecurity incidents reported by Harrods, Marks & Spencer, Co-op, Adidas, among others, this article examines some key requirements under Nigerian law in relation to escalating/reporting cybersecurity incidents.

Cybercrimes (Prohibition, Prevention, etc.) Act 2015 and Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024

A cyber threat under this law refers to any attack, intrusion or other disruption liable to hinder the functioning of another computer system or network. Organisations are required to report all cyber threats to the National Computer Emergency Response Team Coordination Center (ngCERT) through their respective sectoral Computer Emergency Response Team (CERT) or sectoral Security Operations Centre (SOC) (where available) immediately, and no later than 72 hours, after detection.

Therefore, organisations should identify the sectoral CERT or SOC relevant to their business operations, and the means of notifying that CERT or SOC, in their incident response plans. Some sectoral CERTs and SOCs currently operating in Nigeria include (a) the Nigeria Financial Computer Emergency Response Team (NigFinCERT); and (b) the Nigeria Communications Commission Computer Security Incident Response Team (NCC CSIRT).

Nigeria Data Protection Act 2023
A personal data breach is a security incident that results in, or is likely to result in, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.[4] A personal data breach as a cybersecurity incident would typically involve a breach of personal information through, or contained in, an information technology system or network. In the event of a personal data breach, organisations acting as data controllers are required to report the breach to the Nigeria Data Protection Commission (NDPC) no later than 72 hours after becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of a data subject.

A personal data breach may be deemed to result in such a risk where, by the nature of the breach and the personal data involved, it is likely to impact any right or freedom of a data subject, such as the social or economic rights contained in the constitution or another legal or similar instrument. Examples include personal data breaches involving account login information, residential addresses, criminal and health records, Bank Verification Numbers (BVN), National Identification Numbers (NIN), etc.

Should you have any questions regarding this article series, please do not hesitate to contact Sumbo Akintola or Timothy Ogele.

______________________

Contributor
Yetunde Olashore – Associate

Author