KEY POINTS
- A new report raises concerns about rising cybersecurity risks in Nigeria’s oil and gas sector, warning that poor data protection could threaten the country’s economic stability.
- The report calls for sector-specific regulations to address gaps in the current data protection framework, particularly in relation to employee, contractor, and community data.
- Recommendations include the development of industry guidelines, staff training, regular data audits, and the appointment of dedicated Data Protection Officers to ensure compliance.
Nigeria’s oil and gas sector, a cornerstone of the nation’s economy, is increasingly vulnerable to cybersecurity risks, with a new legal report highlighting significant concerns about data breaches.
According to Nairametrics, the report, authored by data protection lawyer Lynda Ugo Ezike, warns that the sector’s growing reliance on digital technologies exposes it to a range of cyber threats, including unauthorised access to sensitive operational and personal data.
The report, titled “The Significance of Data Protection and Information Security in Nigeria’s Oil and Gas Industry: Legal Considerations”, emphasizes that while emerging technologies like artificial intelligence (AI), cloud computing, and the Internet of Things (IoT) are transforming the industry, they also present new challenges for data governance.
Ezike argues that Nigeria’s oil and gas companies are failing to adequately protect the data they collect, process, and store, potentially jeopardizing both the sector and the broader economy.
Nigeria’s oil and gas companies are now classified as data controllers and processors under the Nigeria Data Protection Act (NDPA) 2023, meaning they are subject to stricter regulatory requirements. Failure to comply with these regulations can result in penalties of up to N10 million or 2% of the company’s annual revenue, Ezike writes in the report.
Cybersecurity incidents in oil and gas
The report points to several high-profile cybersecurity incidents that have affected the sector, including the 2021 attack on the Nigerian National Petroleum Corporation (NNPC), where hackers encrypted sensitive data and demanded a ransom. Ezike draws comparisons to other major attacks on energy companies worldwide, such as the Colonial Pipeline attack in the United States and the data breaches suffered by Saudi Aramco, which led to financial losses in the billions.
Despite the enactment of the NDPA and the establishment of the Nigeria Data Protection Commission (NDPC), the report highlights gaps in Nigeria’s oil and gas regulations. The Petroleum Industry Act (PIA) of 2021 only covers customer data, leaving other critical data categories such as employee, contractor, and community data unprotected. The report calls for more comprehensive, sector-specific data protection regulations to address these shortcomings.
Key Areas of Risk and Recommendations
Ezike identifies eight key areas where oil and gas companies are most vulnerable to data breaches:
- Human resources management, particularly biometric and health records
- Third-party contractors and cloud service providers
- Customer financial data, including payment details
- Health, Safety, and Environment (HSE) systems
- Transborder data transfers
- Surveillance systems (CCTV and drone footage)
- Visitor management systems
- Company websites and online tracking tools
The report emphasizes that all these activities involve the collection, storage, and processing of personal data, which are now governed by the NDPA. To mitigate these risks, Ezike recommends several key actions, including the development of industry-specific data protection guidelines, regular staff training on privacy rights and breach protocols, and the adoption of third-party agreements with vendors and contractors.
Additionally, the report advocates for the implementation of annual data audits, privacy impact assessments, and certification through globally recognized standards such as ISO 27701. Ezike also stresses the importance of having a dedicated Data Protection Officer in each company to ensure compliance and oversight.
As Nigeria seeks to increase its share of global energy markets, the protection of its oil and gas sector’s data has become a critical priority. With increasing digitization and global attention on the country’s energy infrastructure, safeguarding against cyber threats is essential not only to protect sensitive operational data but also to preserve investor confidence.
Ezike concludes that the Nigerian government must take a more proactive role in securing the oil and gas industry’s data, aligning with international best practices and investing in advanced cybersecurity solutions to safeguard its assets.
Increased data protection measures are not only vital for protecting critical infrastructure but also for securing Nigeria’s position as a leader in energy innovation, with secure data practices becoming as important as physical infrastructure.