Nigeria’s financial sector had a bad March. On March 27, a threat actor known as ByteToBreach claimed to have breached Sterling Bank’s systems, alleging exposure of approximately 900,000 customer accounts and over 3,000 employee records. Sterling Bank did not publicly confirm or deny the incident. Four days later, the same actor claimed a second breach — this time targeting Remita, one of Nigeria’s most widely used government payment platforms. On the same day that Remita breach claim was published, the Central Bank of Nigeria issued a circular directing all deposit money banks, fintechs, and financial institutions to complete a new cybersecurity self-assessment tool within three to five weeks.
The timeline is not a coincidence. It is a system under pressure revealing its gaps in real time.
On April 1, the Federal Government responded with the announcement that matters most structurally: the planned establishment of a National Cybersecurity Coordination Council, announced by Minister of Communications, Innovation and Digital Economy Bosun Tijani. Formal stakeholder consultations begin this month.
What the Council Is — and What It Isn’t
The proposed National Cybersecurity Coordination Council is, in Tijani’s framing, a non-statutory, multi-stakeholder coordination platform. That description contains an important caveat: non-statutory means the Council will have no independent legal authority, no power to compel compliance, and no regulatory enforcement mandate. It is an advisory and coordination body, not a regulator.
What it will do: bring together Chief Information Security Officers from major sectors, cybersecurity professional associations, the Nigerian Computer Society, international technology companies operating in Nigeria, digital security researchers, law enforcement agencies, civil society organisations, and relevant government bodies. Its operational priorities as outlined by the Ministry include developing trusted threat intelligence-sharing mechanisms, establishing sector-wide cyber defence protocols, building workforce capacity through training programmes, and creating coordinated frameworks for incident response and recovery.
A technical coordination secretariat will be established within NITDA — the National Information Technology Development Agency — reporting to the Minister’s office, with operational support from the Nigerian Communications Commission, Galaxy Backbone Limited, and the Nigeria Data Protection Commission. A national cybersecurity industry roundtable in April 2026 will mark the formal beginning of stakeholder consultations to define the Council’s operational framework.
“Cybersecurity is a shared national responsibility,” Tijani said in announcing the initiative. “Protecting Nigeria’s digital economy requires strong partnerships, trusted collaboration, and collective vigilance across government, industry, and civil society.”
Why This Matters Now
The council is not emerging from a vacuum. Nigeria’s cyber threat landscape has been deteriorating at a pace that has outrun its institutional response capacity for several years.
Check Point Software Technologies documented 4,718 weekly cyberattacks on Nigeria’s banking and financial sector in 2024 alone. The EFCC reported losses of $706 million to cybercrime in 2022. Nigerian banks lost N8 billion to cybercrime in the same year, according to the NCC. ByteToBreach — the actor behind the Sterling Bank and Remita claims — is not a low-level opportunist. Intelligence researchers at KELA Cyber have tracked the actor since at least June 2025, documenting prior confirmed or corroborated breaches at Uzbekistan Airways, Seychelles Commercial Bank, Viking Line, and organisations across Ukraine, Kazakhstan, Cyprus, Poland, Chile, and the United States. The method is consistent: exploiting cloud infrastructure vulnerabilities, using stolen credentials from malware-infected devices, and conducting large-scale data theft for sale on criminal marketplaces.
Nigeria’s existing cybersecurity governance architecture — centred on the Cybercrime Advisory Council under the Cybercrimes Act 2015 and the National Cybersecurity Coordination Centre under the Office of the National Security Adviser — was designed for an earlier threat environment. It was not built for the integrated, whole-of-nation coordination that the current landscape demands. The CAC was built around a narrow cybercrime context. The NCCC handles policy and strategy coordination. Neither was designed to function as a rapid, cross-sector incident response and threat intelligence sharing body in the way that the UK’s NCSC or the US CISA does.
The proposed Council is designed to fill that gap — specifically the coordination gap between the dozens of institutions that are individually responsible for cybersecurity but have no structured mechanism for sharing intelligence, aligning on response protocols, or learning from each other’s incidents in real time.
The Architecture Problem
The non-statutory character of the proposed Council is both its political advantage and its structural weakness.
The advantage: a voluntary, multi-stakeholder body can be stood up without legislation, which means it can begin operating this year rather than waiting for parliamentary cycles. It can iterate on its design, incorporate feedback from the April roundtable, and adapt without being locked into a statutory framework that becomes difficult to modify as the threat landscape changes.
The weakness: without statutory authority, the Council cannot compel institutions to share threat intelligence, adhere to its protocols, or report incidents within mandated timeframes. Voluntary participation creates uneven engagement. The institutions that show up consistently to a non-statutory coordination body are typically those already investing seriously in cybersecurity — the ones that least need the coordination structure. The institutions that most need to participate are the ones with the least internal capacity and the least incentive to expose their vulnerabilities to peers.
This is not a hypothetical concern. Nigeria’s existing cybersecurity governance bodies have struggled with exactly this dynamic — strong policy commitments at the top, inconsistent implementation across the ecosystem, and limited accountability for institutions that fail to meet minimum standards.
The CBN’s March 30 directive requiring banks to complete a cybersecurity self-assessment tool is a parallel signal that the regulatory side of the ecosystem is also moving — and that the regulator recognises the assessment gap. But the CBN’s jurisdiction covers financial institutions. The proposed Council’s remit is cross-sector, covering government systems, telecoms, fintechs, healthcare infrastructure, and critical national systems that sit outside any single regulator’s oversight.
What Success Looks Like
The Council’s credibility will be determined by three things that no press release can establish: the quality of the threat intelligence sharing that actually happens between participants; the speed and coordination of the incident response when the next major breach occurs; and the transparency of its outputs — whether it publishes annual national cyber risk assessments, anonymised incident statistics, and measurable progress metrics that citizens, investors, and international partners can evaluate.
Nigeria’s digital economy is growing at a pace that makes cybersecurity a strategic national issue rather than a technical one. M-PESA processes 6,000 transactions per second in Kenya; Nigeria’s own payment systems handle transaction volumes of comparable scale daily. The financial inclusion gains of the past decade — CBN’s cashless policy, fintech proliferation, mobile money expansion — have created an attack surface that did not exist five years ago. Every new user, every new integration, every new platform adds to the ecosystem’s exposure.
The Council cannot be a press release dressed up as an institution. It needs participants who share intelligence they would rather keep private. It needs protocols that get followed when an incident occurs at 2am on a Saturday. It needs a secretariat with the technical depth to synthesise threat data from dozens of institutions and turn it into actionable guidance.
The April roundtable will be the first real test of whether those components are being built, or whether the coordination body remains at the level of coordination about coordination. Given the scale of what Nigeria’s cyber ecosystem is facing right now, the country cannot afford the latter.
