BusinessDay, Thursday, April 18, 2024


Where is your weakest link? Safeguarding your company against data breaches and cybersecurity risks (Part 2 of 2)

‘88% of potential fraud starts with an email’

Technology, even artificial intelligence, now drives our daily social and business interactions. From the 11 million users of Uber to daily money transfers for personal and trade transactions using mobile phones, technology is now a bedrock of our existence that we happily take for granted.

We trust service providers to ensure our data security, guided by regulations and regulatory authorities. The Nigerian Data Protection Act came into force in June 2023, a little later than most: the European Union’s General Data Protection Regulation has applied since May 2018, and since Brexit the retained UK GDPR governs alongside the UK Data Protection Act 2018.

Read also: Safeguarding against data breaches and cybersecurity risks: Finding your weakest link (Part 1 of 2)

The Implementation Framework for the Nigerian Data Protection Regulation, read together with the Nigerian Data Protection Act (NDPA) 2023, gives organisations guidance on ensuring that customers’ data is collected, processed, stored, and transferred securely, free of misuse or unauthorised access. Public organisations are further guided by the Guidelines for the Management of Personal Data by Public Institutions in Nigeria. These regulations protect all citizens, although the NDPA 2023 now appears at odds with the Nigerian Data Protection Regulation 2019, whose scope extends to Nigerians abroad.

Other regulations include the Consumer Code of Practice Regulations 2007, which require protection of confidential information against accidental disclosure, and the Nigerian Communications Commission’s Registration of Telephone Subscribers Regulations 2011, which require the confidentiality of telephone subscribers’ information to be maintained. The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 makes the unlawful interception of electronic communications a crime, while the Credit Reporting Act 2017 sets out the circumstances in which the credit information of a data subject or customer may be disclosed.

Cybersecurity incidents and data breaches are bad for business. Organisations scramble for damage control, but by then the damage is either already done or the weakness that let bad actors into the organisation’s systems remains open until it is patched.

On March 18, 2024, the National Identity Management Commission (NIMC) announced it was investigating its security systems. A cut in undersea cables had disrupted services across financial institutions and telecommunication organisations in Nigeria, and the disruption may have exposed the systems of NIMC’s subcontractors. The Director General of NIMC assured Nigerians their data was secure, but the episode served as a wake-up call to audit or assess the tokenisation agents that serve NIMC as third-party contractors. Similarly, in 2020, Plateau State’s PLASCHEMA investigated reports of an unsecured AWS S3 storage bucket, which may have exposed clients’ data.

As of January 2024, the Nigeria Data Protection Commission confirmed that it was investigating 17 cases of data breaches, out of some 50 events verified from roughly 1,000 initial complaints. The organisations involved include OPay, Meta, DHL, Guaranty Trust Bank, and Zenith Bank, spanning a wide range of sectors and not sparing educational institutions. Nigeria is not immune to data breaches, contrary to the argument in some quarters that the weak naira makes Nigerian data unattractive to hackers.

Hefty fines follow noncompliance. The Nigeria Data Protection Commission had levied fines totalling ₦400 million as of January 28, 2024. This spells bad news for organisations, both in the cost of the investigation itself and in the penalties enforced. When customer confidence is eroded, customers move easily to competitors. Where there are no competitors, as with organisations like NIMC, customers instead stall in their use of the service, undermining the organisation’s effort to fulfil its mission.

Where third parties have access to an organisation’s internal systems or customer information, that organisation’s risk is amplified. Implementing effective security controls requires significant investment. How extensive an organisation’s third-party risk management (TPRM) needs to be depends on the nature of its business relationships with its vendors: the risk posed by the supplier of an organisation’s software as a service (SaaS), who may hold its data and credentials, is far greater than that posed by its gardening contractor. A comprehensive TPRM programme must cover vendor evaluation, engagement, and ongoing monitoring, with procedures for identifying, tracking, and assessing vendors. It lets the organisation know whether its third parties are complying with regulations, avoiding unethical practices, protecting confidential information, maintaining adequate security controls, handling disruptions to their operations effectively, and responding appropriately to security threats.

To avoid overwhelming an organisation’s resources, outsourcing TPRM is an option. Aided by appropriate software, training, and experience, TPRM companies can take the pressure off while maintaining the right level of oversight. Another option is to dedicate a team within your organisation, trained and charged with TPRM responsibility.

Third-party contractors bring with them risks that have cybersecurity, financial, operational, reputational, and compliance ramifications. Every organisation will do well to prioritise third-party risk management to ensure its continued success.




Olufunmilola J. Oyelahan; Cybersecurity Cert.(Harvard), MBA(Ife): Barrister and Solicitor, Nigeria (1991), Solicitor, England and Wales, UK (2005)