The two reporting obligations and their timelines

Every CBN-licensed fintech that experiences a material security incident has two separate regulatory reporting obligations running simultaneously. The first is to CBN under the Risk-Based Cybersecurity Framework's incident reporting requirements. The second is to the Nigeria Data Protection Commission under the NDPA 2023 if personal data was affected. These are not the same report sent to two places — they have different formats, different expectations, and different timelines.

What the CBN initial notification must contain

The 24-hour CBN notification does not need to be a complete forensic report. It is an alert that a material incident has occurred. CBN's cybersecurity framework specifies the minimum content of the initial notification. Based on our experience supporting Nigerian fintechs through CBN-reportable incidents, include the following in the first message:

Send this to CBN's Technology Risk department via the designated incident reporting email address. If you do not have this contact already saved, find it now — in the middle of an incident is not the time to be hunting for a regulatory contact address.

What the NDPC notification must contain

The NDPA 2023 specifies the content of a breach notification to the NDPC. The 72-hour notification must describe: the nature of the personal data breach including the categories of data affected (names, BVN, account numbers, transaction history) and the approximate number of data subjects affected, the likely consequences of the breach (identity fraud, financial loss, social engineering risk), the measures taken or proposed to address the breach including to mitigate its possible adverse effects, and the name and contact details of the Data Protection Officer or the person responsible for data protection at the organization.

The NDPC notification is submitted through the NDPC's official notification portal or via email to the Commission's designated contact. Organizations that have previously registered with the NDPC and filed data protection compliance audits have an established relationship with the Commission that typically results in a more constructive engagement during breach notification.

The 72-hour full incident report to CBN

The full report submitted within 72 hours of the initial notification must build on the initial report with confirmed findings. By 72 hours, your investigation should have established: the initial access vector (how the attacker got in), the extent of access (which systems, which data), the timeline of the attack (when access was first gained, how long the attacker was present), confirmation of containment, and an initial assessment of financial impact to customers. If your investigation is not complete at 72 hours — which is common in sophisticated attacks — submit what you have confirmed, clearly mark findings as preliminary, and commit to a supplementary report within a defined additional period.

The post-incident review to CBN at 30 days

CBN requires a post-incident review submitted within 30 days of incident resolution. This report covers the complete confirmed attack timeline, root cause analysis (what security control failed or was absent), a comprehensive list of affected customer accounts with amounts involved where financial loss occurred, the remediation actions completed, and the preventive measures implemented to prevent recurrence. This is the report CBN uses to assess whether your security posture was adequate before the incident and whether your remediation is appropriate. A thorough, candid review that demonstrates understanding of root cause and credible remediation is received significantly better than a defensive report that minimizes the incident.

What not to do in the first 24 hours

Three decisions made in the first 24 hours consistently compound the regulatory consequences of a breach:

Delaying notification to gather more facts: Regulators understand that a 24-hour report will be incomplete. They do not accept incomplete facts as a justification for late notification. Notify with what you know and update with what you learn.

Informing the press before the regulator: If CBN learns about your breach from a news article before they receive your notification, the regulatory relationship is damaged in a way that is very difficult to recover. Notify CBN first, always. Public disclosure follows regulator notification, not the other way around.

Destroying or altering logs during containment: The impulse to restore clean systems quickly is understandable. But overwriting compromised servers before forensic imaging destroys the evidence CBN and the NDPC may request. Contain first (isolate), then preserve (image), then remediate (clean). Never remediate before forensic preservation.

Engagement note from a breach response support

Late CBN notification resulted in a separate adverse ITRA finding

We were engaged by a Nigerian payment company 48 hours after a confirmed breach. The team had spent the first 48 hours on containment without notifying CBN, believing they needed to confirm full scope before reporting. When we joined, the first action we recommended was immediate CBN notification — now 24 hours past the required window. CBN accepted the report but noted the late notification explicitly. When the company's ITRA occurred six months later, the examiner cited the late notification as a finding under the incident management control domain, resulting in an adverse rating on that domain that required a remediation plan. The breach itself — which was contained and remediated — resulted in a less severe rating than the late notification. The lesson: the notification obligation has its own compliance timeline, independent of your readiness to report.

Experiencing a breach now or preparing your incident response plan before one happens? We provide breach response support and regulatory notification preparation for Nigerian fintechs.

Get Breach Response Support Now

Frequently asked questions

What counts as the start of the reporting clock — when we first suspected something, or when we confirmed a breach?

CBN's breach notification timeline starts from when you have reasonable grounds to believe a material incident has occurred — not from when forensic confirmation is complete. Waiting for complete forensic certainty before notifying can result in a late notification finding. The correct approach is to notify CBN with what you know within 24 hours ('we have detected anomalous activity consistent with unauthorized access affecting approximately X accounts') and update with confirmed findings as the investigation progresses.

Do we have to notify NDPC even if no customer data was accessed, only system data?

If only internal system data (logs, configuration files, infrastructure metadata) was accessed without any personal data of customers or employees being compromised, the strict NDPA notification obligation may not apply. However, CBN's incident reporting requirement covers system-level breaches regardless of whether customer personal data was accessed — because system access affects the integrity of financial records. When in doubt, report. A voluntary report of an incident that turns out not to trigger mandatory notification creates a better regulatory relationship than a missing report for one that does.

What happens if we miss the CBN 24-hour notification window?

A late notification is itself a regulatory violation separate from the underlying breach. CBN will note the late notification in the examination record and it typically leads to an adverse finding on the incident management section of the next ITRA. In serious breaches, CBN may issue a separate directive specifically for the late notification failure. The penalty is not primarily financial in most cases — it is reputational within the regulatory relationship and can trigger more intense scrutiny of your overall compliance posture.

Do we need to notify customers if their data was breached?

Yes. The NDPA 2023 requires data controllers (which every fintech is, relative to its customers) to notify affected data subjects when a breach is likely to result in high risk to their rights and freedoms. For a breach exposing financial credentials, BVN, or transaction history, the risk threshold is clearly met. The NDPA does not specify a fixed timeline for customer notification but expects it to happen 'without undue delay'. Practically, coordinate customer notification with your legal team after the initial regulator notification.

Related reading

Blog: First 72 hours after a fintech breach · CBN data breach notification process · Incident response plan template

Services: Penetration testing · Secure architecture review