Why Nigerian fintechs cannot afford to improvise

The regulatory environment for Nigerian financial technology companies has shifted decisively. The NDPA imposes a hard 72-hour breach notification deadline with fines of up to ₦10 million or 2% of annual gross revenue. The CBN's Risk-Based Cybersecurity Framework requires licensed institutions to maintain and regularly test incident response capabilities. In 2024, the CBN levied over ₦1 billion in cumulative cybersecurity-related fines, and several enforcement actions specifically cited the absence of documented incident response procedures.

NIBSS data from 2024 shows over ₦18 billion in fraud losses across Nigerian financial institutions. The median detection time for breaches in the sector is 120 days. Every additional day an attacker spends inside your network increases the scope of compromise, the volume of data exfiltrated, and the regulatory penalty you face. A tested incident response plan reduces detection-to-containment time from weeks to hours.

This framework follows the six-phase model established by NIST SP 800-61 (Computer Security Incident Handling Guide), adapted for Nigeria's regulatory requirements and the operational realities of fintech startups.

Phase 1: Preparation

Preparation is the only phase that happens before the breach. It is also the phase most Nigerian fintechs skip entirely, treating incident response as something they will figure out when it happens. That approach is how you end up paying ₦100 million in fines instead of ₦5 million.

Build your incident response team

Every person on this team must know their role before the incident occurs. During a breach, there is no time to figure out who does what.

Incident Commander

Owns the incident. Makes final decisions on containment, communication, and escalation. Typically the CTO or VP Engineering. This person has authority to shut down production systems, engage external vendors, and approve public communications. There must be a designated backup IC for when the primary is unavailable.

Technical Lead

Senior engineer responsible for hands-on investigation: log analysis, forensic imaging, system isolation, and evidence preservation. Must have root/admin access to all production infrastructure and familiarity with your cloud security tooling (CloudTrail, VPC Flow Logs, SIEM dashboards).

Communications Lead

Controls all external and internal messaging. No one communicates with customers, press, or partners without this person's approval. Manages the customer notification process, press holding statements, and partner notification emails.

Regulatory Liaison

Responsible for all regulatory notifications: NDPC breach notification, CBN incident report, and coordination with law enforcement. Must understand the NDPA notification requirements and CBN reporting deadlines. For CBN-licensed fintechs, this is a critical role.

Communication tree

Document the exact escalation path. When the on-call engineer detects anomalous activity at 2 AM, they must know exactly who to call, in what order, and through what channel. The communication tree should include primary and backup contacts for every role, personal mobile numbers (not just work email), and an out-of-band communication channel (Signal group, personal WhatsApp group) in case corporate Slack or email is compromised.

Tool inventory

Document every tool your team will need during an incident and verify access quarterly:

Phase 2: Detection and analysis

Detection is where most Nigerian fintechs fail catastrophically. Without adequate monitoring, breaches go undetected for months. The Sterling Bank-Remita breach involved a 9-day persistence window. Many smaller fintechs have no detection capability at all.

Indicators of compromise (IOCs)

Your team must know what to look for. These are the most common IOCs in Nigerian fintech breaches:

Severity classification

Not every alert is a critical incident. Your plan must define severity levels to prevent alert fatigue and ensure appropriate escalation:

Phase 3: Containment

Containment has two sub-phases: short-term containment to stop the immediate damage, and long-term containment to prepare for eradication without losing the evidence you need for forensics and regulatory reporting.

Short-term containment

Execute within the first 1-4 hours of confirmed compromise. The goal is to stop the attack from spreading without destroying evidence. See our detailed first 72 hours playbook for hour-by-hour containment steps.

Long-term containment and evidence preservation

Once the immediate threat is stopped, preserve evidence for forensics, regulatory reporting, and potential legal proceedings.

Need help building or testing your incident response plan? We run tabletop exercises and simulate real attack scenarios against your infrastructure.

Build Your IR Plan

Phase 4: Eradication

Eradication eliminates the root cause. Containment stops the bleeding; eradication removes the knife.

Phase 5: Recovery

Recovery brings systems back to normal operations with enhanced monitoring to detect any attacker re-entry.

Phase 6: Post-incident activities

This is the phase that separates companies that improve from companies that get breached twice.

Lessons learned retrospective

Conduct a blameless post-incident review within 5 business days of incident closure. The retrospective must answer:

Regulatory reporting

Map your post-incident obligations to each regulator:

NDPC reporting

Submit supplementary notifications with findings from your forensic investigation. Provide evidence of remediation (pentest reports, patching records). Respond to any information requests from the Commission within the specified timeframe.

CBN reporting

Submit the incident report required under the CSAT framework. Include root cause analysis, remediation steps, and evidence that controls have been strengthened. The CBN may require a follow-up audit.

Law enforcement

Provide the Nigeria Police Force Cybercrime Unit or EFCC with forensic evidence if a criminal investigation is underway. Cooperate with evidence requests while coordinating with your legal counsel.

Process improvements

Update your IR plan based on the retrospective findings. Common improvements after a first incident include: deploying a SIEM or upgrading log retention, implementing zero-trust network segmentation, adding security awareness training for all staff, establishing a continuous pentest programme, and documenting communication templates for each stakeholder type.

Regulatory Requirement

Testing is not optional

The CBN's Risk-Based Cybersecurity Framework requires financial institutions to conduct incident response exercises at least annually. The NDPC evaluates whether your "organisational measures" include tested response procedures. An untested plan is, from a regulatory perspective, no plan at all. Schedule tabletop exercises every six months and a full simulation annually.

Communication templates

Pre-draft these templates and have legal counsel approve them before an incident occurs. During a breach, you will not have time to write and review communications from scratch.

An IR plan is only as good as the security posture underneath it. Start with a penetration test to identify the vulnerabilities an attacker would exploit.

Start With a Pentest

Frequently asked questions

Does my fintech need an incident response plan?

Yes. Both the CBN's Risk-Based Cybersecurity Framework and the NDPA's requirement for 'appropriate organisational measures' effectively mandate that financial institutions and data controllers maintain a documented incident response plan. Beyond regulatory compliance, companies without an IR plan take 2-3x longer to contain breaches, resulting in significantly higher financial losses.

How often should we test our incident response plan?

At minimum, conduct a tabletop exercise every six months and a full simulation annually. Plus, test immediately after any significant infrastructure change (new cloud provider, major architecture migration, or acquisition). Plans that are not tested are plans that do not work.

Who should be on the incident response team?

At minimum: an Incident Commander (typically CTO or Head of Engineering), a technical lead (senior backend or infrastructure engineer), a communications lead, legal counsel, and the Data Protection Officer (DPO). For fintechs with CBN licences, include a regulatory liaison who understands CBN reporting requirements.

What is the difference between an incident response plan and a business continuity plan?

An incident response plan focuses on detecting, containing, and recovering from a specific security incident. A business continuity plan (BCP) focuses on maintaining critical business operations during and after any disruptive event (including but not limited to cyber incidents). Your IR plan should integrate with your BCP but they serve different purposes.

Related reading

Blog: Hacked: First 72 Hours · Reporting to NDPC · Security Culture

Guides: After a Breach · CBN Compliance Guide

Services: Penetration Testing · Secure Architecture Review