The reality of supply chain attacks
Modern Nigerian fintechs are highly interconnected. A typical neobank might use AWS for infrastructure, Paystack for payments, VerifyMe for KYC, and Intercom for support. While this architecture accelerates development, it inherently expands your attack surface. A breach at any of these vendors can become a breach of your data.
The SolarWinds and Okta incidents demonstrated globally that attackers prefer targeting a single vendor to compromise thousands of downstream clients. Locally, the Flutterwave insider incident highlighted how supply chain vulnerabilities and weak internal controls at a payment processor can directly impact the financial stability of the startups that rely on them.
Data Exposure
If a third-party analytics provider or support tool is breached, the PII or transaction data you share with them is exposed, triggering NDPA breach notification requirements.
API Key Compromise
If an attacker compromises your vendor, they may extract the credentials held on that side of the integration, such as the keys you share with the vendor or the webhook signing secrets it uses to call you, and use them to impersonate your infrastructure and initiate fraudulent transactions.
Service Disruption
A ransomware attack on a critical KYC provider can halt your onboarding pipeline, directly impacting your core business operations and revenue.
CBN requirements for third-party risk
The CBN Risk-Based Cybersecurity Framework does not allow you to outsource your security responsibility. The framework requires licensed entities to:
- Conduct comprehensive cybersecurity due diligence before onboarding any third-party service provider.
- Ensure contracts include specific cybersecurity requirements, SLAs, and mandatory breach notification clauses.
- Maintain an inventory of all third-party connections and data shared.
- Continuously monitor the cybersecurity posture of critical vendors.
How to assess vendor security
Start by categorizing your vendors based on the risk they pose (e.g., Critical: Cloud providers and payment gateways; Medium: Analytics; Low: Marketing sites). For critical and medium-risk vendors, enforce a rigorous evaluation process:
Security questionnaires
Require the vendor to complete a standardized questionnaire, such as the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) or the Vendor Security Alliance (VSA) questionnaire. This forces them to document their controls formally, and gives you a fixed baseline to compare vendors against.
Independent audit reports
Never take a vendor's word for it. Request their SOC 2 Type II report or ISO 27001 certificate, and check that the audit scope actually covers the service you are buying rather than an unrelated part of the business. Most importantly, ask for the executive summary of their latest independent penetration test. If they haven't had a pentest in the last 12 months, treat that as a critical risk flag.
API key and credential management
When integrating with vendors, the API keys they issue to you are yours to protect: a leaked key lets anyone act as you against that vendor, with your limits and your money. Compromised API keys are a leading cause of fintech API abuse.
- Never hardcode keys: Use a secrets manager (like AWS Secrets Manager or HashiCorp Vault) to inject keys at runtime.
- Enforce least privilege: Generate API keys with the minimum necessary permissions. If the integration only needs to read data, do not provide a key with write or delete permissions.
- Implement key rotation: Establish an automated process to rotate vendor API keys every 90 days, and rotate immediately, outside the schedule, whenever a key may have been exposed (a staff departure, a leaked config file, a vendor breach notice).
- Monitor usage: Implement anomaly detection to alert on unusual spikes in API calls to a vendor, which could indicate a compromised key.
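The two checks in that list that you can run on your own side, without any vendor cooperation, are the rotation-age check and the usage-spike check. The script below is an added example (not code from the original article or from any vendor) that does both: it flags keys past the 90-day window or marked as possibly exposed, and it counts outbound calls per vendor per hour from a constructed log and alerts on an hour that is several times the vendor's typical volume. The key inventory fields, the log line format and the sample data are all assumptions made for this example.

```python
"""Added example: key-age and usage-spike checks for vendor API keys.

Assumed inputs (not from the article):
  - KEY_INVENTORY: one record per vendor key, with an ISO-8601 creation time
    and a 'suspected_exposure' flag set by your incident process.
  - Outbound-call log lines of the form
      2024-04-15T08:00:00Z vendor=paystack key=paystack-live-01 status=200
    as an egress proxy or API client wrapper might write them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

ROTATION_DAYS = 90      # matches the article's 90-day rotation policy
SPIKE_FACTOR = 4.0      # alert when an hour exceeds 4x the vendor's median hourly volume
MIN_CALLS = 10          # ignore tiny volumes so a 1-to-5 jump does not page anyone

# Constructed key inventory for the example.
KEY_INVENTORY = [
    {"key_id": "paystack-live-01", "vendor": "paystack", "created": "2024-01-10T00:00:00Z", "suspected_exposure": False},
    {"key_id": "verifyme-01",      "vendor": "verifyme", "created": "2024-03-25T00:00:00Z", "suspected_exposure": False},
    {"key_id": "intercom-01",      "vendor": "intercom", "created": "2024-04-01T00:00:00Z", "suspected_exposure": True},
]

LOG_RE = re.compile(r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) key=(?P<key>\S+) status=(?P<status>\d+)$")


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp; the Z suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def keys_due_for_rotation(inventory, now_iso, max_age_days=ROTATION_DAYS):
    """Return key_ids that are older than the rotation window or flagged as possibly exposed."""
    now = _parse_ts(now_iso)
    due = []
    for k in inventory:
        age = now - _parse_ts(k["created"])
        if k["suspected_exposure"] or age > timedelta(days=max_age_days):
            due.append(k["key_id"])
    return due


def build_sample_log():
    """Constructed outbound-call log: steady volume for four hours, then a burst
    on the Paystack key at 12:00, the pattern a leaked key typically produces."""
    spec = [
        ("2024-04-15T08", "paystack", "paystack-live-01", 3),
        ("2024-04-15T09", "paystack", "paystack-live-01", 3),
        ("2024-04-15T10", "paystack", "paystack-live-01", 3),
        ("2024-04-15T11", "paystack", "paystack-live-01", 3),
        ("2024-04-15T12", "paystack", "paystack-live-01", 20),
        ("2024-04-15T08", "verifyme", "verifyme-01", 2),
        ("2024-04-15T09", "verifyme", "verifyme-01", 2),
        ("2024-04-15T10", "verifyme", "verifyme-01", 2),
        ("2024-04-15T11", "verifyme", "verifyme-01", 2),
        ("2024-04-15T12", "verifyme", "verifyme-01", 2),
    ]
    lines = []
    for hour, vendor, key, n in spec:
        for minute in range(n):
            lines.append(f"{hour}:{minute:02d}:00Z vendor={vendor} key={key} status=200")
    return lines


def hourly_counts(lines):
    """Count calls per vendor per hour; malformed lines are skipped, not fatal."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hour = m["ts"][:13]          # YYYY-MM-DDTHH
        counts[m["vendor"]][hour] += 1
    return counts


def find_spikes(lines, factor=SPIKE_FACTOR, min_calls=MIN_CALLS):
    """Flag any hour where a vendor's call count exceeds factor x its median hourly volume."""
    alerts = []
    for vendor, per_hour in hourly_counts(lines).items():
        baseline = median(per_hour.values())
        for hour, n in sorted(per_hour.items()):
            if n >= min_calls and n > factor * baseline:
                alerts.append({"vendor": vendor, "hour": hour, "calls": n, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    print("keys due for rotation:", keys_due_for_rotation(KEY_INVENTORY, "2024-04-15T00:00:00Z"))
    for a in find_spikes(build_sample_log()):
        print(f"SPIKE {a['vendor']} {a['hour']}: {a['calls']} calls vs baseline {a['baseline']}")
```

In production the baseline should come from a longer window (the same hour over the previous weeks, not the current day's median) and the alert should carry the key_id so the on-call engineer can revoke that one key at the vendor rather than the whole integration.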
The contractual safety net
Your contract with the vendor must include a strict SLA for breach notification. If they are breached, they must be legally obligated to notify you within 24 to 48 hours, not when it hits the news. This gives you time to rotate keys and assess exposure before attackers exploit the connection.
Related reading
Blog: Fintech API Security: 10 Steps
Guides: CBN Compliance Guide · Fintech Security Checklist
Services: API Security