Nigeria moves to mandate organisations to disclose cyber attacks amid rising threats

Nigeria is moving to end the culture of silence around cyberattacks, pushing banks, fintechs, and other organisations to disclose breaches or at least share intelligence in the wake of rising threats.

Kashifu Abdullahi, director-general of the National Information Technology Development Agency (NITDA), Nigeria’s tech regulator, said organisations must begin disclosing breaches, or at the very least, share intelligence, because attacks are becoming more frequent and increasingly interconnected. 

“The landscape is elevated because of AI and other dynamics, and we are all connected,”  Abdullahi told TechCabal on the sidelines of GITEX Africa in Morocco on April 9. “If one organisation is compromised, it can become a launch pad for others.”

His comments come as cyber incidents continue to hit both financial institutions and government agencies, more recently, the Corporate Affairs Commission. Despite this, reporting remains weak. In its latest publicly available fraud report, the Nigeria Inter-Bank Settlement System (NIBSS) said only 60 out of 163 institutions reported fraud incidents in 2023, a compliance rate of just 37%. 

“Non-reporting of fraud incidents is a breach of the CBN circular on the Establishment of Industry Fraud Desks,” it said. 

Data from the Financial Institutions Training Centre (FITC) showed that the amount involved in fraud cases reached ₦5.26 billion ($3.81 million) across 14,697 incidents in the third quarter of 2025. 

For Abdullahi, the reluctance to disclose incidents is rooted in reputational concerns that no longer hold in a connected digital ecosystem. 

“If you look at what happened recently, they exploited a bank, from the bank they got access to Remita, and so on,” he said. “That notion that if I am attacked and I make it public, it will damage my image has to change.”

Instead of silence, regulators want structured information sharing across institutions and agencies to prevent attacks from spreading across the system. 

NITDA said it is working with the Office of the National Security Adviser and the Ministry of Communications, Innovation, and Digital Economy to improve coordination among agencies and private sector players. 

On April 1, Minister Bosun Tijani said the government would partner with industry players to establish a cybersecurity coordination council. Three weeks later, he said the council will focus on building a coordinated national cyber resilience framework anchored on accountability, intelligence sharing, and policy alignment. 

The Central Bank of Nigeria has also stepped in. On March 30, it introduced a cybersecurity self-assessment tool (CSAT), requiring financial institutions to evaluate their preparedness for threats, while formally recognising AI as a tool in combating financial crime.

“We are always trying to be ahead of the game,” Abdullahi said.

If Nigeria follows through, it would align with a growing global shift toward mandatory breach disclosure and coordinated cyber defence. 

In Europe, the General Data Protection Regulation (GDPR) requires organisations to notify users when a data breach poses a high risk. In Africa, Algeria mandates breach reporting within five days, while Kenya requires initial disclosures within 48 hours. 

Under South Africa’s Protection of Personal Information Act (POPIA), organisations must notify both regulators and affected individuals after a breach. In April, 2025, regulators tightened enforcement by requiring companies to log incidents through a central portal, detailing what happened, the data involved, and mitigation steps. 

According to the International Monetary Fund, stronger reporting and information sharing among financial institutions can significantly improve collective resilience against cyber threats.

For Nigeria, regulators are now betting that forcing more openness, whether through disclosure or intelligence sharing, will make the system harder to exploit.