Potential Risks and Benefits of the Proposed Cybersecurity Levy

Nigeria has seen a significant rise in cyberattacks in recent years, targeting individuals, businesses, and government institutions. These attacks take several forms such as financial fraud, phishing scams, malware infections, ransomware attacks, and data breaches amongst others. According to Forbes News on April 29, 2024, the cost of cybercrime in Nigeria is staggering, with estimates exceeding $500 million annually. These attacks do not only impact businesses directly but also erodes trust in the digital economy and hinders national development. In response, the government has introduced the National Cybersecurity Levy (NCL) – a fee on electronic transactions to bolster national cybersecurity efforts.

This levy, mandated by the amended Cybercrime (Prohibition, Prevention, etc.) Act 2024 aims to reinforce the country's defences against cyber threats. The Central Bank of Nigeria (CBN) has outlined the levy structure, with designated businesses responsible for its collection on specific electronic transactions. However, the proposed implementation of the levy has sparked a series of conversations about what it entails, its potential benefits, and inherent risks.

Following concerns raised by the House of Representatives and the public, President Bola Tinubu, as reported by the Punch newspaper on May 12, 2024, has directed the Central Bank of Nigeria (CBN) to suspend the levy's implementation and conduct a review. This pause allows for a thorough examination of the policy's effectiveness and potential impact.

Understanding the Cybersecurity Levy

In an effort to bolster national cybersecurity, a new levy of 0.5% was introduced on electronic transactions processed by designated businesses in Nigeria.

The Central Bank of Nigeria (CBN) issued a directive on May 6, 2024, outlining the levy's implementation for banks, mobile money operators, payment service providers, and other financial institutions. The initial directive called for deductions to begin within two (2) weeks, with monthly remittances to a dedicated National Cybersecurity Fund at the CBN. However, the implementation has been put on hold for further review.

It's important to clarify that the levy is not a direct cost to individual consumers. The Cybercrime (Prohibition, Prevention, etc.) (Amendment) Act 2024 designates specific businesses listed in its Second Schedule as responsible for paying the levy. This includes GSM service providers and all telecommunication companies; Internet service providers; banks and other financial institutions; insurance companies; and the Nigerian Stock Exchange.

Furthermore, appendix 1 of the CBN's circular, exempts sixteen (16) specific transactions from the levy, such as salary payments, cheque clearing and settlement, and transfers between banks and the CBN and vice-versa. Non-compliance with the levy carries a penalty of no less than 2% of the annual turnover of the defaulting business.

Potential Benefits of the new Cybersecurity Levy

The cybersecurity levy presents a potential opportunity to strengthen Nigeria's digital defences in several ways:

• Increased Funding for Critical Initiatives: The levy injects much-needed financial resources into bolstering the country's cybersecurity infrastructure. This includes investments in critical areas such as upgrading cybersecurity hardware and software to detect and further prevent sophisticated cyberattacks, gathering and analysing information about cyber threats, allowing proactive measures to be taken, and developing robust cyber defences to respond to and mitigate cyberattacks effectively.
• Investing in Human Capital: The levy can fund the development and training of skilled cybersecurity professionals. This is crucial for building a robust workforce capable of addressing the ever-evolving landscape of cyber threats. Educational programs can be established to create a talent pool of cybersecurity analysts, incident responders, and ethical hackers.
• Public Awareness: Funds can be allocated to develop and implement public awareness campaigns to educate Nigerians about online safety practices such as how to identify and avoid phishing scams, protect their personal information online, and use strong passwords. Empowering citizens to make informed decisions online, strengthens the overall cybersecurity posture of the nation.
• Shared Responsibility for National Security: By contributing financially, businesses become stakeholders in the national cybersecurity effort. This fosters a sense of shared responsibility, encouraging collaboration between the public and private sectors. This collaborative approach can lead to more effective and comprehensive cybersecurity strategies.

Risks Associated with the new Cybersecurity Levy

The cybersecurity levy can also be seen to present potential risks in several ways:

• Increased financial burden on businesses: While the levy aims to improve online security, it raises concerns on financial burden. The 0.5% cybersecurity levy on electronic transactions increases operational costs and reduces profit margins. Smaller businesses might be discouraged from adopting digital financial services due to the added burden as there are already existing compulsory taxes like the Company Income Tax, Withholding Tax, Value Added Tax, Education Tax, National Information Technology Development Levy, etc. This could hinder the growth of a cashless economy and digital innovation. Furthermore, the lack of clear implementation and the potential for higher consumer transaction fees, create further financial risks and could shrink customer bases. The success of the levy in strengthening cybersecurity rides on ensuring it does not overburden businesses and hinder the Nigerian economy in digital progress.
• Possibility of mismanagement of funds: Transparency is a significant concern due to the lack of clarity regarding the allocation and oversight of revenue generated from the levy. Various citizens have raised concerns regarding the prudent utilization, accountability, and communication surrounding the cybersecurity levy's funds.
• Administrative burden: Businesses will need to adapt their accounting systems for levy collection and reporting. This could be complex and costly for smaller businesses who must dedicate new resources to cater for meeting all the requirements for prompt compliance. Increased communication with businesses and banks could create more bureaucracy, reducing resources of their core business activities. There is a need for simplification of processes and providing clear guidelines to minimize disruption for businesses.
• Less Attraction to Digital Transactions: The proposed cybersecurity levy in Nigeria has the potential to diminish the appeal of digital transactions. A small fee applied to each transaction, potentially passed on to consumers by businesses, could make cash usage a more attractive option. Consequently, the implementation of such a levy could dissuade the unbanked population from embracing the digital ecosystem, perceiving it as a more costly alternative.   This shift away from digital transactions could push people towards informal channels, potentially increasing fraud and hindering Nigeria's cashless policy goals.

The Way Forward

To maximize the benefits of the cybersecurity levy and mitigate the risks, the following recommendation is crucial:

• Transparency and Accountability: Establishing clear and transparent reporting mechanisms is essential. This can include regularly published reports detailing how levy funds are utilised, with a breakdown of investments made in specific cybersecurity initiatives. This allows for public scrutiny and ensures the funds are directed towards their intended purpose. Also, periodic published data on the levy's impact could include metrics such as reductions in cyberattacks, improvements in national cybersecurity infrastructure, or the number of Nigerians educated through public awareness campaigns. This data allows for continuous improvement and demonstrates the levy's effectiveness. These measures foster public trust and hold stakeholders accountable for responsible use of the levy funds.
• Holistic strategy: The National Cybersecurity Levy should be seen as a component of a broader cybersecurity strategy. Collaboration with international partners, law enforcement efforts, and user education are all vital pieces of the puzzle.
• Periodic Revaluation:  Periodic assessments should be conducted to evaluate the levy's effectiveness and identify areas for improvement. The National Cybersecurity Levy is not a guaranteed solution, but it offers an opportunity to build a more secure digital future for Nigeria. Imagine a future where Nigerians can confidently conduct safe online transactions, and businesses can thrive, while the National Cybersecurity Levy can transform from a levy into a national shield, safeguarding Nigeria's digital space and fostering a thriving digital economy.

Conclusion

The proposed Nigerian cybersecurity levy, while facing potential hurdles, highlights the critical need for proactive measures in today's evolving digital threat landscape. If implemented effectively, the levy's funds could significantly improve Nigeria's cyber defenses by enhancing security infrastructure, training cybersecurity professionals, investing in advanced threat intelligence, and promoting public awareness campaigns.  These proactive measures are crucial to protect our data, finances, and even reputations from cyberattacks. Just as software updates, strong passwords, and well-defined IT policies play a vital role, the levy has the potential to be a valuable tool in securing Nigeria's digital space.

However, alongside these potential benefits lie inherent risks. Small businesses, in particular, might struggle with added financial burden, potentially stagnating innovation, and digital adoption. Additionally, concerns regarding transparency and potential mismanagement of the collected funds by the government require careful consideration.

The Nigerian cybersecurity levy presents a promising opportunity for a more secure digital future, but its success relies on responsible implementation. While funding and professional development are crucial, the levy should not become a burden for businesses, especially those in the critical startup phase. Furthermore, the levy should be part of a long-term plan that fosters collaboration between public and private sectors, raises public awareness, and cultivates a skilled cybersecurity workforce.  Ultimately, Nigeria must balance cybersecurity with a thriving digital economy.  Addressing the identified risks and ensuring effective execution will determine whether the levy unlocks a safer and more innovative digital future for Nigeria.