INTRODUCTION
Ransomware has become a significant threat globally and in Nigeria. Nigeria's burgeoning digital economy has seen a surge in cybercrime. With the rise of digital transactions, increased internet penetration, and reliance on online services, businesses and public and private institutions have become more vulnerable. According to the Nigerian Communications Commission (NCC), Nigeria has lost $500 million to cybercrime attacks[1]. Deloitte likewise notes that 2024 saw an unprecedented increase in cyber threats, with no sector immune to ransomware[2]. According to the International Criminal Police Organisation (INTERPOL)[3], Nigeria ranked third in Africa (after Egypt and South Africa) for ransomware detections in 2024.
While ransomware poses technical and financial challenges, its implications extend into the legal and regulatory sphere. These trends underscore the urgency of understanding Nigeria’s legal and regulatory framework for ransomware. Nigerian laws impose duties on organisations to protect data, secure networks, and report breaches.
This article examines the legal risks, regulatory obligations, and compliance requirements that Nigerian businesses must address when confronted with ransomware.
UNDERSTANDING RANSOMWARE IN THE NIGERIAN CONTEXT
Ransomware is malicious software that either encrypts an organisation’s data or locks users out of systems and then demands payment to restore access[4]. In Nigeria, the mechanics are the same as elsewhere, but the environment in which attacks succeed has particular features that shape how organisations should think about the threat.
Attackers commonly gain a foothold through human error or unpatched technical flaws: phishing emails that trick staff into opening malicious attachments or links, weak or reused passwords, and systems that have not received security updates[5]. Increasingly, ransomware is offered as a service: criminal groups develop and lease ready-made ransomware toolkits to affiliates, lowering the technical barrier and widening the pool of attackers.
Beyond the technical fallout, ransomware poses legal and regulatory problems for victims: data breaches can trigger mandatory reporting duties, contractual liabilities to clients and partners, and scrutiny from sector regulators such as the Nigeria Data Protection Commission (NDPC/NITDA) and the Central Bank of Nigeria. For example, banks under CBN supervision must report cybersecurity incidents (including ransomware) to the CBN within 24 hours[6].
LEGAL RISKS ASSOCIATED WITH RANSOMWARE
The legal consequences of ransomware attacks in Nigeria extend far beyond the immediate operational disruption. They expose organisations, executives, and even third-party service providers to criminal, civil, and regulatory liabilities under multiple legal instruments.
1. Criminal Liability:
The Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended) provides a comprehensive legal framework that criminalises a wide range of conduct linked to ransomware, from its creation and sale to its use in extortion or data destruction[7]. The law makes it an offence to knowingly develop or distribute any malicious software, such as a virus, Trojan, or ransomware, that causes damage to computer systems or data. Conviction for such conduct attracts imprisonment or a monetary fine, underscoring the gravity with which Nigerian law views cyber threats[8].
Beyond the direct act of spreading ransomware, related offences are also punishable. Unauthorised access to computer systems, commonly the first step in deploying ransomware, is a distinct crime under the Act[9]. Similarly, interfering with or manipulating data, such as encrypting files to deny access, is prohibited and carries significant penalties[10]. The law also criminalises extortionate communications made through computer systems (including ransom demands) that threaten to destroy or expose stolen data unless payment is made[11].
2. Civil Liability:
Organisations targeted by ransomware may also face civil liability for the consequences of a breach. Under principles of tort law, companies owe a general duty of care to safeguard the personal and financial data of their clients, employees, and business partners. When a ransomware attack occurs because of inadequate cybersecurity measures, affected individuals or entities may bring legal action for negligence, breach of contract, breach of fiduciary duty or breach of privacy[12]. To succeed, a claimant must typically show that the organisation failed to implement reasonable safeguards and that this failure directly caused loss or damage[13].
Legal practitioners in Nigeria have observed that courts are increasingly receptive to such claims, particularly where “inadequate safeguards or reckless handling” of personal or sensitive data leads to identity theft, reputational damage, or financial harm[14]. For instance, a financial institution that fails to maintain adequate cybersecurity controls or to encrypt customer data may be held liable for negligence or for breaching contractual obligations of confidentiality. Although Nigeria's body of case law on ransomware-related suits is still developing, traditional principles of tort and contract law remain applicable: a company can be held accountable for foreseeable harm resulting from its failure to secure its systems or uphold data protection commitments.
3. Regulatory Liability and Fines:
Beyond lawsuits, organisations in Nigeria also face statutory penalties for data security failures. Under the Nigeria Data Protection Act 2023 (NDPA) and the earlier Nigeria Data Protection Regulation 2019 (NDPR), data controllers and processors are required to implement appropriate technical and organisational measures to safeguard personal data. Failure to comply can attract significant fines.
Aside from the Cybercrimes Act 2015, sector-specific regulations also impose sanctions on institutions under their supervision for failing to meet prescribed cybersecurity and reporting standards.
4. Corporate / Reputational Risk:
Even where litigation or regulatory fines do not occur, ransomware can cause serious business consequences. Public disclosure of a data breach can undermine customer confidence and severely damage brand reputation[15]. In highly regulated industries, such incidents may attract heightened regulatory scrutiny. Authorities could mandate compliance audits, impose corrective orders, or, in extreme cases, suspend operating licences if security lapses persist[16].
REGULATORY DUTIES IMPOSED ON ORGANISATIONS
1. Data Protection Obligations:
The Nigeria Data Protection Act 2023 (NDPA), together with its implementing instrument, the Nigeria Data Protection Regulation 2019 (NDPR), imposes strict obligations on all persons and entities that process personal data. Under the Act[17], data controllers and processors are required to implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data. This provision aligns with Article 32 of the European Union General Data Protection Regulation (GDPR) and establishes a positive duty on data controllers and processors to proactively maintain robust data security measures.
Where a ransomware incident results in unauthorised access, encryption, or loss of personal data, the affected data controller must notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, especially where it is likely to pose a risk to individuals’ rights and freedoms[18]. If the breach presents a high risk, for instance, exposure of sensitive or financial information, the NDPA further requires that the affected individuals be informed without undue delay[19].
Failure to comply with the security and notification requirements of the NDPA may attract the statutory penalties outlined earlier, including fines of up to 2% of annual gross revenue or ₦10 million[20]. Organisations that collect or process personal data in Nigeria must observe the NDPA and NDPR breach reporting and data security obligations, even where the breach stems from a criminal ransomware attack.
More broadly, the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, as amended by the Cybercrimes (Amendment) Act 2024, establishes national obligations for reporting cyber incidents. Under the amended Act, any person or organisation that becomes aware of a cyberattack or significant threat is required to notify the National Computer Emergency Response Team (ngCERT) immediately, and not later than 72 hours after detection[21].
In practice, affected businesses often also involve law enforcement or economic crime agencies (e.g. the Nigerian Police Cybercrime Unit or the EFCC) to pursue attackers. Together, these rules mean that data breaches and ransomware attacks must be quickly escalated to regulators and law enforcement in Nigeria.
2. Sector-Specific Cybersecurity Obligations:
Beyond general data protection laws, industry-specific regulations impose additional cybersecurity obligations on regulated entities. For instance, the Central Bank of Nigeria (CBN) issued the Risk-Based Cybersecurity Framework and Guidelines (2024) for Deposit Money Banks and Payment Service Banks[22], which mandates institutions to establish robust cybersecurity governance structures, conduct periodic risk assessments, and report cybersecurity incidents to the CBN. Notably, the guidelines require banks to report any cyber incident to the Central Bank within 24 hours of detection. Furthermore, banks are required to appoint qualified Chief Information Security Officers (CISOs) and ensure board-level oversight of cybersecurity risk management.
Similarly, the Nigerian Communications Commission (NCC) imposes cybersecurity obligations on telecommunications operators. Under its various regulatory instruments, Internet Service Providers (ISPs) are required to publish acceptable-use policies and cybercrime awareness notices to their subscribers. Failure to comply may attract regulatory or criminal sanctions[23].
PRACTICAL CHALLENGES IN ENFORCEMENT AND COMPLIANCE
Nigeria faces several challenges in enforcing cybersecurity laws and achieving compliance:
- Limited enforcement capacity. Nigerian law enforcement and regulatory agencies are still building expertise. The cross-border and anonymous nature of ransomware gangs (often abroad) makes prosecution difficult. As a result, relatively few attackers are brought to justice, which can embolden criminals. Meanwhile, many victims hesitate to report attacks, fearing reputational harm, so incidents are likely undercounted.
- Regulatory overlap and uncertainty. Multiple agencies have mandates in cyberspace, and their roles sometimes overlap. The International Telecommunication Union (ITU), the United Nations specialised agency for information and communication technologies, has noted that Nigeria should “streamline the regulatory functions” of bodies like the National Information Technology Development Agency (NITDA) and the Nigerian Communications Commission (NCC) to avoid duplication[24]. In practice, organisations may find themselves subject to fragmented rules (for example, having to satisfy both data-protection and telecom regulations). This complexity can hinder clear compliance.
- Economic constraints. Budgetary pressures make it hard for some businesses to invest in top-tier security. According to Deloitte, cost sensitivity may drive firms to adopt untested “indigenous” security solutions that have not undergone rigorous vetting, introducing new vulnerabilities[25]. In other words, in a strained economy, affordable fixes may prove insufficient or even risky.
- Rapidly evolving threats. Cybercriminals continually develop new techniques (for instance, using AI to automate attacks) faster than some regulations can adapt. Organisations may struggle to keep pace with both technology and compliance requirements. By the time new laws or guidelines are issued, attackers may already have found a workaround.
- Awareness and culture. Finally, many Nigerian businesses (especially smaller firms) still underappreciate the legal stakes of ransomware. Boards and executives need more education so that cyber-risk is treated as a board-level issue. The gap in cybersecurity expertise in Nigeria’s workforce can also hamper compliance. These human factors, from top management down to employees, present ongoing enforcement challenges that technical rules alone cannot solve.
RECOMMENDATIONS FOR NIGERIAN BUSINESSES AND INSTITUTIONS
To mitigate ransomware risk and meet Nigeria’s legal requirements, organisations should adopt a comprehensive approach:
- Strengthen technical defences: Keep all systems and software patched promptly; apply security updates and patches as soon as they are available. Use reputable licensed software (avoiding “cracked” programs) and deploy anti-malware tools. Enable multi-factor authentication and strict access controls. Encrypted backups are crucial: maintain offline or off-site copies of critical data, so that systems can be restored without paying a ransom. As noted by experts, measures like prompt patching, intrusion detection systems, and avoiding unauthorised software are essential to blunt ransomware threats.
- Implement data protection practices: Classify and encrypt sensitive personal and corporate data. Ensure compliance with Nigeria’s data laws: register with NITDA if required, obtain lawful consent for data processing, and have clear privacy policies. Prepare to fulfil breach-notification obligations: assign a data protection officer or security officer to monitor for breaches. In the event of an attack, follow the mandated reporting timelines.
- Governance and culture: Embed cybersecurity into corporate governance. The board and senior management should own the cyber strategy (as CBN guidance requires); appoint a qualified Chief Information Security Officer and ensure employees at all levels receive regular training on phishing, social engineering, and incident response procedures. Establish an incident response plan and conduct drills so staff know exactly what to do if ransomware strikes.
- Incident preparedness and response: Develop a formal incident response framework. Coordinate with sectoral Computer Emergency Response Teams (e.g. NCC-CSIRT, FinCERT) and law enforcement in advance. Cyber-insurance can be considered to cover residual risks and recovery costs (some analyses specifically recommend adding insurance to the defence toolkit[26]). In any attack, isolate infected systems immediately, engage forensic experts, and involve the National Computer Emergency Response Team (ngCERT) and relevant regulators without delay.
CONCLUSION
Ransomware poses both technological and legal challenges for Nigeria. The law treats ransomware creation and deployment as a crime and holds organisations to high standards of data protection and cybersecurity. Compliance requires a coordinated effort: companies must implement strong security measures, fulfil breach notification duties, and work with regulators. Nigerian institutions have made important strides – enacting the Cybercrimes Act and the Data Protection Act, issuing sectoral guidelines, and launching a National Cybersecurity Policy – but enforcement remains a work in progress. Going forward, strengthened enforcement, clear regulatory roles, and corporate vigilance will be key to managing ransomware risk. As one legal analysis observes, data breaches “are not merely technological challenges but legal risks with far-reaching consequences,” and addressing them demands both robust laws and proactive corporate governance. For businesses, compliance is not just a regulatory burden but a necessary component of trust, continuity and sound governance in Nigeria’s digital economy.
References
[1] Temitayo Jaiyeola, ‘Hackers’ attacks surge against Nigerian tech companies’, BusinessDay (Lagos, 10 July 2024) 4.
[2] Deloitte Nigeria, Nigeria Cybersecurity Outlook 2025 (2025) (“Outlook Report”). https://www.deloitte.com/ng/en/services/consulting-risk/perspectives/Nigerias-cybersecurity-landscape-in-2025.html
[3] “Nigeria ranks third in Africa for ransomware threat detections in 2024 – INTERPOL”, Extensia (30 June 2025). https://extensia.tech/nigeria-ranks-third-in-africa-for-ransomware-threat-detections-in-2024-interpol/
[4] Ayinla TA, Oyelakin OO and Olomu A, ‘A Comprehensive Review on Machine Learning Techniques for the Identification of Ransomware Attacks in Computer Networks’ (2024) LAUTECH Journal of Computing and Informatics.
[5] ngCERT, “Escalation of Ransomware Attack in Nigeria” (Advisory, 8 July 2024). https://cert.gov.ng/index.php/advisories/escalation-of-ransomware-attack-in-nigeria
[6] Central Bank of Nigeria (CBN), Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks (issued 31 May 2024). Available: https://www.cbn.gov.ng/Out/2024/BSD/CBN%20Risk-Based%20Cybersecurity%20Framework%20for%20DMBs%20and%20PSBs_2024.pdf
[7] See section 32(3) Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended), see also ICLG – Cybersecurity Laws and Regulations: Nigeria (2024) https://iclg.com
[8] Ibid.
[9] See section 6, Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended).
[10] Ibid, section 12, Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (as amended).
[11] Ibid, section 24; Nigerian Financial Intelligence Unit (NFIU), Cybercrime and Extortion Reporting Framework (2023), available at https://nfiu.gov.ng.
[12] See also, Incorporated Trustees of Digital Rights Lawyers Initiative v LT Solutions & Multimedia Limited, Unreported Judgement of the High Court of Ogun State, Abeokuta Judicial Division, Coram Hon. Justice O. Ogunfowora, delivered on the 9th day of November 2020 in Suit No. HCT/262/2020. The court held that right to privacy extends to protection of a citizen’s personal data.
[13] A.O.C. Solicitors, “Cybersecurity Risks and Corporate Liability in Nigeria” (2024), available at https://aocsolicitors.com.ng, See also, Incorporated Trustees of Digital Rights Lawyers Initiative v LT Solutions & Multimedia Limited, Unreported Judgement of the High Court of Ogun State, Abeokuta Judicial Division, Coram Hon. Justice O. Ogunfowora, delivered on the 9th day of November 2020 in Suit No. HCT/262/2020.
[14] See also Section 40–42, Nigeria Data Protection Act 2023, (imposing duties on data controllers to protect data and report breaches).
[15] Ibid, n 17.
[16] Ibid, n 17.
[17] See section 39 (1), Nigeria Data Protection Act 2023.
[18] See Section 40 (1), (2), Nigeria Data Protection Act 2023.
[19] See Section 40 (3), Nigeria Data Protection Act 2023.
[20] See Section 48, Nigeria Data Protection Act 2023.
[21] See section 21(1), Cybercrimes (Prohibition, Prevention, etc.) Act 2015, as amended by the Cybercrimes (Amendment) Act 2024.
[22] Ibid, n 9.
[23] ICLG – Cybersecurity Laws and Regulations: Nigeria (2024) https://iclg.com
[24] Techpoint Africa, “United Nations’ telecom union advises Nigeria to clarify NCC and NITDA roles”, (6 August 2024), available at: https://techpoint.africa/2024/08/06/un-telecom-nigeria-ncc-nitda.
[25] Ibid, n 2.
[26] Ohakwe, Chiamaka, The Rise of Ransomware Attacks in Nigeria (January 18, 2025). Available at SSRN: https://ssrn.com/abstract=5277510 or http://dx.doi.org/10.2139/ssrn.5277510
Contributors
Ifeoma Ezenwa
Executive Senior Associate