Boards and cyber liability
Social posts and legal threads are pushing the idea that directors can face personal liability under laws like Nigeria’s Cybercrimes Act and NDPA if cybersecurity is ignored, prompting calls to put cyber squarely into governance. (x.com) Commenters also flagged a lack of board confidence in cyber‑spend and noted high‑visibility breaches where warnings were reportedly ignored. (x.com) (x.com)
Directors in Nigeria are being warned that cyber failures can move from an information-technology problem to a personal-liability problem when regulators or prosecutors can show consent, connivance, or neglect. (cert.gov.ng)

Nigeria’s Cybercrimes Act says the law is meant to protect critical national information infrastructure and allows minimum standards, security requirements, and recovery plans for designated systems after a breach or loss. The Nigeria Data Protection Act, signed in June 2023 and published in the official gazette on July 1, 2023, adds separate duties around personal-data security and enforcement. (cert.gov.ng 1) (cert.gov.ng 2)

The Nigeria Data Protection Act lays out the core compliance architecture in black and white: Section 29 covers obligations of data controllers and processors, Section 32 requires a Data Protection Officer for controllers of major importance, Section 39 covers security, integrity, and confidentiality, Section 40 covers personal-data breaches, and Section 53 covers joint and vicarious liability. (cert.gov.ng)

That is why the current debate has shifted from “should the board hear cyber updates” to “what did directors know, and when did they act.” Under the Cybercrimes Act, liability arguments get sharper when a company offence is tied to a director’s consent, connivance, or attributable neglect. (cert.gov.ng) (templars-law.com)

Nigeria’s securities regulator already places risk oversight inside board governance. The Securities and Exchange Commission says public companies must comply with the Nigerian Code of Corporate Governance 2018 and the Securities and Exchange Commission Corporate Governance Guidelines. (home.sec.gov.ng)

The spending argument is part of the same fight. Gartner said on November 24, 2025 that 90% of non-executive directors lacked confidence in the value of cybersecurity investments, and only 10% said they had the right balance of protection and cost. (gartner.com)

At the same time, companies are budgeting more for cyber, not less. Gartner forecast global end-user security spending would reach $212 billion in 2025, up 15.1% from 2024, while PwC said 77% of organisations expected their cyber budget to rise and only 2% reported firm-wide cyber resilience. (gartner.com) (pwc.com)

Lawyers are now translating those governance and budget questions into litigation risk. A TEMPLARS note published in April 2026 said Nigerian executives can face liability for cybersecurity failures where the facts show negligence, complicity, or failure in legal duties, while also stressing that liability depends on how the failure occurred. (templars-law.com)

The counterargument is narrower than many social posts suggest. Neither the Cybercrimes Act nor the Nigeria Data Protection Act creates automatic personal liability every time a company is breached; the legal question turns on the statute involved, the company’s role, the evidence of oversight failure, and whether regulators can tie the lapse to a specific duty or decision. (cert.gov.ng 1) (cert.gov.ng 2) (templars-law.com)

The practical effect is that cyber is being pulled into the same boardroom bucket as audit, safety, and financial controls. In Nigeria, the legal text now gives directors fewer excuses for treating cybersecurity as a back-office expense instead of a governance record. (home.sec.gov.ng) (cert.gov.ng)