Nigeria continues to evolve as a country with growing dependence on cyberspace and its daily utilization in various sectors of the economy, particularly the banking industry, which has witnessed an evolution from analog to digital transactions consummated without setting foot in a banking hall.
Despite the ease and convenience of electronic banking, there is the risk of cyber-attacks on banks and/or banking networks with the attendant disruption of the banks’ services. As it is evident that all banks are heavily dependent on the cyberspace, it naturally becomes the responsibility of the Central Bank of Nigeria (CBN), as the regulatory body overseeing operation of banks in Nigeria, to ensure that a more secure cyberspace is established for banks to operate.
Pursuant to the powers of the CBN under the Central Bank of Nigeria Act, the CBN, by a circular in March 2018 titled, “Compliance with the Cybercrime (Prohibition, Prevention, Etc.), Act 2015: Collection and Remittance of Levy for the National Cybersecurity Fund”, directed all banks to immediately begin to collect and remit a levy of 0.005% of all electronic transactions to the National Cyber-security Fund Account opened and domiciled with the CBN.
By a subsequent circular of June 25, 2018, the CBN directed all mobile money operators and payment service providers to begin collection and remittance to the same account, of 0.005% of the service charge from all electronic financial transactions occurring in a bank, mobile money scheme or other payment platform, from 1st July, 2018.
Both circulars were issued in compliance with section 44 of the Cybercrime (Prohibition, Prevention Etc.) Act, 2015 (Cybercrime Act), which establishes a Cyber-security Fund Account to be domiciled with the CBN into which a levy is payable. The circulars refer to the businesses stated in the Second Schedule to the Cybercrime Act as those under obligation to pay the levy on their electronic transactions. These businesses are GSM service providers and all telecommunication companies, internet service providers, insurance companies, the Nigerian Stock Exchange, banks and other financial institutions.
While the CBN is well within its powers to direct compliance with the Cybercrime Act, questions arise as to whether the levy does not simply constitute an additional burden on the financial standing of the obligated companies which will ultimately be passed to the end users in the form of increased service charges.
Another point to note is that the directive of the CBN in question did not specifically mention or prescribe how the Fund will be applied to strengthen the Nigerian cyberspace. This is probably because the Cybercrime Act itself does not state how the funds remitted to the CBN will be applied other than to stipulate that a maximum of 40% of the fund “may be allocated for programmes relating to countering violent extremism”.
Clarity on the use of the monies remitted to the CBN for the National Cybersecurity Fund is thus required, as the Banks and other contributing companies should be able to obtain some form of relief for themselves in the event of a cyber attack.
The activities of the Nigerian Computer Emergency Response Team (NgCert), which is domiciled in the office of the National Security Adviser and saddled with protection of the cyberspace in Nigeria, are relevant in respect of the use to which the funds may be put. The NgCert receives reports of cyber-attacks by way of cyber fraud, phishing and other cybercrime activities in the Nigerian cyberspace and investigates them. It also conducts research into cyber-security initiatives for the purpose of securing the Nigerian cyberspace. It is hoped that the NgCert, being a major cyberspace protection team in Nigeria, will also derive funding from the levy to be charged on the named companies towards ensuring that Nigeria’s cyberspace is secure.
While none of the categories of companies in Nigeria may yet have witnessed cyber-attacks as distressing as those experienced by their foreign counterparts, it is certainly wiser to make financial provision and take other preemptive measures to secure a safe cyberspace.