The dual-reporting mandate
Nigerian fintechs operate under overlapping regulatory jurisdictions. A significant data breach triggers mandatory reporting to both the Central Bank of Nigeria (CBN) and the Nigeria Data Protection Commission (NDPC). Ignorance of these timelines is not an accepted defense, and the penalties for concealment are severe.
The 24-Hour CBN Window
The CBN Risk-Based Cybersecurity Framework requires that major incidents be reported to the Director of Banking Supervision immediately, with a formal report filed within 24 hours.
The 72-Hour NDPC Window
Under the NDPA, you have 72 hours from the moment of discovery to notify the NDPC. If you miss this window, your notification must be accompanied by a reasoned justification for the delay.
Data Subject Notification
If the breach exposes PII (BVN, transaction history, passwords), you must inform the affected customers "without undue delay." This is legally required; PR spin attempting to hide the incident is a direct violation of the NDPA.
What to include in your notification
Regulators do not expect a complete forensic report within 72 hours, but they do expect a structured preliminary notification. Your submission should include:
- Nature of the breach: How the breach occurred (e.g., unauthorized API access, compromised employee credentials).
- Scope of exposure: The categories and approximate number of individuals affected, and the type of data compromised (e.g., 10,000 users; names, email addresses, and encrypted passwords).
- Immediate mitigation: Steps your engineering team has already taken to contain the breach (e.g., isolating servers, rotating API keys, forcing password resets).
- Point of contact: The name and contact details of your Data Protection Officer (DPO) or Chief Information Security Officer (CISO).
Customer communication best practices
Drafting the customer notification email requires tight coordination between engineering, legal, and communications. The NDPA requires this notice to be clear and in plain language.
Do not use vague euphemisms like "we experienced a data security incident." State clearly what happened, what specific data of theirs was involved, what you are doing to protect them (e.g., invalidating sessions), and what steps they need to take immediately (e.g., enabling MFA, changing passwords across other sites).
The role of the post-breach pentest
Once the immediate bleeding is stopped and notifications are filed, regulators will demand proof that the underlying vulnerability has been permanently fixed. A post-breach penetration test is critical here. An independent report verifying that the specific attack vector (and related architectural flaws) has been remediated is often required by the CBN to formally close the incident file and restore full operational standing.
The cost of concealment
Globally and locally, regulators are aggressively penalizing companies not just for getting breached, but for failing to report the breach promptly. Engaging external legal counsel specializing in Nigerian data protection law within the first hour of a suspected breach is crucial to navigating your reporting obligations and the liability that attaches to them.