Nigeria is rapidly progressing into the digital age, using computers and the internet in different facets of life. Amidst this technological growth, the digital landscape has become a fertile ground for traditional and emergent forms of crime, thereby necessitating urgent solutions.

In response to the threats imposed by cybercriminality, the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 (“The 2015 Act”), was enacted to combat the growing danger of cyber insecurity. The Act sought to establish the regulatory and institutional framework to best achieve its aim. The Act also safeguards the Critical National Information Infrastructure (CNII), enhances cybersecurity measures, and protects various digital assets.

Recently, the Federal Government resolved to undertake a comprehensive review of the Cybercrimes Act to enhance its effectiveness and address emerging threats. This review birthed the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act, 2024 (“The Amendment Act”). This article will examine the key provisions and implications of the Amendment Act.

Key Provisions of the Cybercrimes (Prohibition, Prevention, Etc) (Amendment) Act, 2024

The Amendment Act introduces several significant changes to strengthen Nigeria’s cybersecurity framework and address gaps in the previous legislation. Key provisions include:

1. Revised Timeline for Reporting of Cyber Threats

Under the Amendment Act, individuals or institutions facing cyber threats must notify the National Computer Emergency Response Team (CERT) within seventy-two hours of detection. This is a departure from the old provision of the Act, which mandated that a report must be made within seven days of such incidence of cyber threat or cybercrime. This rapid escalation to the National CERT is intended to address cyber threats and swiftly avert the resulting cybercrimes. Failure to comply will lead to denying internet access and an obligatory fine of ₦2,000,000 (Two Million Naira) payable to the National Cybersecurity Fund (NCF).

2. Widening the Applicability of the Act

The 2015 Act stipulated that any individual employed by a financial institution who, leveraging their specialised knowledge, engages in identity theft of their employer, staff, service providers, or consultants intending to defraud is deemed to have committed an offence. However, the Amendment Act has broadened the scope of this provision to encompass all individuals employed by any public or private organisation The Amendment Act also amended Section 27(2) of the 2015 Act to widen the net of those who are culpable for attempting, conspiring, aiding and abetting cybercrime.

3. Manipulation of ATM/POS Terminals

The 2015 Act limited payment systems to Automated Teller Machines (ATMs) and Point of Sales (POS) terminals, neglecting other payment technologies in Nigeria. The Amendment Act rectifies this omission by holding individuals accountable for manipulating ATMs, POS terminals, and other payment technology systems. This extension encompasses the diverse array of payment systems in Nigeria, ensuring comprehensive coverage and mitigating fraud risks associated with unconventional payment methods.

4. Requirement of National Identification Number

By Section 8 of the Amendment Act, customers engaging in electronic financial transactions at financial institutions are now required to furnish their National Identification Number (NIN) issued by the National Identity Management Commission (NIMC) for identity verification. There was no such requirement in the corresponding section of the 2015 Act. This mandate seeks to streamline the identification and tracking of defaulters or perpetrators, leveraging NIN, which encompasses individual data.

5. Protection of Specific Traffic Data and Subscriber Information

The Amendment Act revised Section 38(1) of the 2015 Act in line with the Nigeria Data Protection Act (NDPA). Consequently, service providers are now obligated to retain specified traffic data and subscriber information and guarantee their protection.

6. Establishment of Sectoral Computer Emergency Response Teams (CERT) and Sectoral Security Operation Centres (SOC)

The Amendment Act establishes Sectoral CERTs and SOCs, to collaborate with the National Computer Emergency Response Teams (CERT) as stipulated in the 2015 Act. These Sectoral CERTs and SOCs are designated to receive information from individuals or institutions operating computer systems or networks, whether public or private, during cyberattacks or disruptions. Their core duty is to respond to such incidents swiftly. They will also supervise the integration and routing of internet and data traffic from all public and private organisations, aiming to safeguard the national cyberspace.

7. Implementation of the Cybersecurity Levy

The Amendment Act rectifies the ambiguity surrounding the cybersecurity levy imposed in Section 44(1)(a) of the 2015 Act by clarifying the levy percentage of 0.005 to include 0.5%. Additionally, the Amendment Act establishes that the office of the National Security Adviser administers the records of accounts of the Cybersecurity remittances and ensure that the account is audited per the Directives of the Auditor-General.

The Amendment Act further provides that the penalty for failure to comply with the Act is a conviction for a fine of not less than 2% of the annual turnover of the defaulting business and/or the closure or withdrawal of the business’ operational license.

Conclusion

The Amendment Act heralds a significant stride in Nigeria’s battle against cybercrimes and the fortification of its digital domain through the key provisions under the Act However, a pressing need still exists for effective collaboration between government agencies, private enterprises, and individual Nigerians to ensure the successful implementation of the Act and to further safeguard Nigeria’s digital future.