Nigeria Halts Cybersecurity Tax After Public Outrage

The Nigerian government halted its effort to fund national cybersecurity improvements through a 0.5% levy on domestic electronic transactions after the current administration faced widespread public criticism for increasing taxes during an economic crisis.

As recently as May 6, the Central Bank of Nigeria directed financial institutions to begin collecting the levy within two weeks. But following public outcry, President Bola Tinubu pledged to block the tax over the weekend, and on May 14, a senior cabinet member of the administration officially suspended implementation of the measure.

"The cybersecurity tax policy implementation has been directed by the government to be put on hold, so it has been suspended," Information Minister Mohammed Idris said, according to Reuters.

Nigeria is one of the three largest economies in Africa — various estimates rank South Africa, Egypt, and Nigeria as No. 1 — but the West African nation is currently weathering its most significant economic crisis in decades with annual inflation exceeding 30%, falling international investment, and soaring cost-of-living expenses. The combination has left average Nigerian citizens struggling to afford basic staples, and it's those citizens who would pay the cybersecurity tax.

The economic challenges have constrained Nigeria's growth, and the cost to advance the national cybersecurity agenda needs to recognize those challenges, Wale Ajayi, partner and head of the Tax, Regulatory & People Services in Nigeria for consultancy KPMG, wrote in an advisory on the cybersecurity levy.

"The key objective of the cybercrime levy is to ensure that there is dedicated and adequate funding available to address the growing threats of cyber-attacks," he stated. "This explains why some countries have implemented various forms of cyber security levies to fund cyber security initiatives. However, consideration must be given to the country's prevailing economic conditions. The current economic climate does not justify its implementation now."

Cyber Threats Could Rise

The rollback of the levy comes as Nigeria struggles to improve its cybersecurity prospects as well, aiming to increase the number of cybersecurity workers through such efforts as the Virtual Cyber Hub and the Cybersafe Foundation. Historically, Nigeria has been a hub of cybercrime, especially social engineering scams.

The poor economy could actually result in increasing cyber risks for citizens and businesses, according to the Nigeria Cybersecurity Outlook 2024 published by consultancy Deloitte.

"Insider-supported attacks may increase astronomically due to the quest to make money, leading to an increase in cyber-related financial crimes," the firm stated. "The increase in internal-external collusion will pose significant risks to both small and large enterprises, increasing the likelihood of data breaches, unauthorized access, and other malicious activities."

In its annual assessment of the threat landscape, the Cyber Security Experts Association of Nigeria (CSEAN) noted a surge in ransomware attacks in 2023, which the group expects to continue in 2024. In addition, government assets continue to be vulnerable to common exploits — a situation that will be harder to fix without funding.

"Last year, numerous public organizations in Nigeria were found to be operating Internet-facing servers with known vulnerabilities, particularly those with legacy systems," the report stated. "The availability of public exploit code for these vulnerabilities makes them attractive targets for threat actors, often serving as initial entry points for malicious attacks."

Long Road for Cybersecurity

Nigeria's cybersecurity levy was originally proposed in legislation passed in 2015 and was intended to provide funding for strengthening Nigeria's national cybersecurity capability. In May of this year, the Central Bank of Nigeria issued a circular that instructed banks to collect the 0.5% fee from any electronic payments and transfers.

"Following the enactment of the Cybercrime (Prohibition, Prevention, etc) (amendment) Act 2024 and pursuant to the provision of Section 44 (2)(a) of the Act, 'a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule of the Act,' is to be remitted to the National Cybersecurity Fund, which shall be administered by the Office of the National Security Adviser," the Central Bank of Nigeria stated in its circular issued on May 6.

While the levy was expected to raise about 3 trillion naira — or about US $1.9 billion — annually, the government has not provided any cost justification for the tax, according to KPMG's Ajayi. In addition, there are fears that implementing the tax could result in citizens instead using cash or checks for their transactions.

Before implementing the levy, the government should focus on transparency and accountability, and seek to avoid any unintended consequences, he said.

"Combining revenue-raising initiatives with responsible spending practices is essential for fiscal sustainability," Ajayi said. "It is also important that government consider phasing in tax reforms on a gradual basis to minimize potential shocks to the economy."