By Majeed Salaam
Nigeria’s digital regulatory authorities are intensifying pressure on organisations to improve transparency around cyber incidents, warning that concealment of breaches is worsening systemic vulnerabilities across the financial technology ecosystem.
The National Information Technology Development Agency (NITDA) has called on companies to promptly disclose cyberattacks and share threat intelligence, following a recent breach that affected a commercial bank and reportedly extended to connected payment infrastructure, including Remita.
The agency said the interconnected nature of Nigeria’s digital economy means that isolated breaches can rapidly escalate into broader systemic risks if not properly disclosed and contained.
“Our main focus is deepening synergy among stakeholders,” NITDA Director-General, Kashifu Abdullahi, said in an interview at GITEX Africa in Morocco.
He challenged the prevailing corporate culture around incident management, arguing that reputational concerns should not override systemic security obligations.
“The mindset that organisations should hide attacks to protect their reputation must change. They may not need to make incidents public, but they should share intelligence so others can protect themselves,” he said.
The warning comes at a time when Nigeria’s digital financial infrastructure is becoming more integrated, increasing both efficiency and exposure. As platforms interlink banking systems, payment processors and government-backed financial infrastructure, a breach in one node can potentially cascade across multiple services.
NITDA noted that emerging technologies, particularly artificial intelligence, are expanding both the sophistication and speed of cyber threats. This evolution, the agency said, requires a shift from reactive defence to coordinated intelligence sharing across institutions.
“If one organisation is compromised, it can become a launch pad to attack others,” Abdullahi added, stressing that regulatory coordination is being strengthened with national institutions and the supervising ministry.
Parallel to NITDA’s position, the Nigeria Data Protection Commission (NDPC) has opened an investigation into the reported breach, focusing on potential compromise of sensitive customer data and the resilience of affected systems.
The probe is being conducted under the framework of the Nigeria Data Protection Act, 2023, with emphasis on identifying the type and scope of data exposed, the risk to data subjects and the adequacy of mitigation measures deployed by affected entities.
“The investigation aims to ensure that data subjects are protected with appropriate technical and organisational measures,” the commission said, noting that it will also assess the systemic risk posed by such incidents.
The NDPC further warned that operators of digital payment systems will face closer scrutiny to ensure compliance with minimum security and governance standards. It added that firms without adequate technical and organisational safeguards would be examined as part of a wider ecosystem integrity review.
National Commissioner and Chief Executive of the NDPC, Vincent Olatunji, directed that compliance checks will extend beyond the immediate incident to include broader operational practices across the sector.
“The commission’s National Commissioner/CEO, Dr Vincent Olatunji, has directed that organisations employing digital payment systems without appropriate technical and organisational measures as mandated under the Nigeria Data Protection Act, 2023, will also be examined as part of a wider effort to ensure the integrity of the ecosystem,” the statement said.
The regulatory posture reflects growing concern over the resilience of Nigeria’s expanding digital economy, particularly as financial services, government platforms and private sector infrastructure become increasingly interdependent.
Industry stakeholders have long warned that while digitisation has improved efficiency and financial inclusion, it has also widened the attack surface for cybercriminals. Weak points in third-party integrations, legacy systems and data governance frameworks remain persistent vulnerabilities.
