The CAC Cyber Incident and Nigeria’s Digital Resilience
By Shuaib S. Agaka
On April 9, 2026, Nigeria made a confident pitch to the future. Standing before a global audience at GITEX Africa, the Director General of the National Information Technology Development Agency (NITDA), Kashifu Inuwa, outlined what he described as a strategic shift in the country’s cybersecurity posture. It was no longer enough, he argued, to think in terms of firewalls and software patches.
Nigeria was embracing something broader, a concept he described as Total Resilience, one that integrates technology, people, and policy into a unified approach to digital security.
Six days later, on April 15, reality intervened. The Corporate Affairs Commission (CAC), custodian of Nigeria’s corporate registry and one of the country’s most sensitive digital institutions, confirmed it had suffered a cybersecurity breach. Unauthorised actors had gained access to parts of its systems. The full scope remains unclear, but the symbolism is difficult to ignore. A nation articulating a forward-looking cybersecurity vision found itself, almost immediately, confronted with the kind of incident that vision is designed to address.
The proximity of these two events does not diminish the significance of Nigeria’s evolving cybersecurity strategy. If anything, it reinforces its urgency. What it reveals is not a contradiction, but a convergence between policy and reality. Cybersecurity is no longer an abstract policy domain discussed at conferences; it is an active, ongoing challenge that demands constant adaptation. The CAC incident brings that reality into sharp focus and underscores why the shift toward a broader resilience framework is both timely and necessary.
The idea behind Total Resilience reflects a growing global consensus that cybersecurity must move beyond purely technical solutions. Threats today exploit not only system vulnerabilities but mostly human behaviour and institutional gaps. Systems can be compromised through something as simple as a stolen credential or a moment of inattention, and even the most advanced infrastructure can be undermined if the people operating it are not adequately prepared. This reality is reinforced by a widely cited study by Stanford University and Tessian, titled The Psychology of Human Error, which found that 88 per cent of data breaches are caused by employee mistakes, often driven by psychological factors such as distraction, stress, and fatigue. By placing emphasis on human capacity, governance, and coordination, Nigeria’s approach acknowledges the full spectrum of risks that define the modern threat landscape.
Within this context, the breach at the Corporate Affairs Commission takes on added significance. The commission plays a central role in Nigeria’s economic architecture as the repository of corporate identities, ownership structures, and regulatory filings. Its systems underpin trust in the formal business environment, and any disruption, whether temporary or prolonged, naturally raises questions about data integrity and system resilience. Even when described as affecting limited aspects, such incidents draw attention to the importance of safeguarding institutions that serve as the backbone of economic activity.
At the same time, the incident reflects a broader reality that no system is entirely immune. Around the world, both public and private institutions continue to contend with breaches despite significant investments in cybersecurity. What distinguishes resilient systems is not the absence of incidents, but the strength of their response, their ability to contain risks, communicate effectively, and restore confidence. In this regard, the ongoing review involving the National Information Technology Development Agency and other relevant bodies points to an institutional framework that is actively engaged in managing such challenges.
The emphasis on human factors, as highlighted by Kashifu Inuwa, becomes particularly relevant here. If a large proportion of breaches globally can be traced to human error, then building resilience must necessarily involve equipping individuals with the knowledge and awareness needed to navigate digital systems safely. Initiatives such as the National Digital Literacy Programme and broader capacity building efforts are therefore not peripheral to cybersecurity; they are central to it. They represent an understanding that resilience is cultivated not only through technology, but through people who can recognise and respond to threats effectively.
The events of April 9 and April 15 also highlight the importance of coordination across institutions. Cybersecurity today operates within an interconnected ecosystem where agencies, private sector actors, and users all play a role. The involvement of multiple stakeholders in assessing and responding to the CAC incident reflects this interconnectedness and reinforces the idea that resilience must be collective rather than isolated. As digital infrastructure continues to expand across sectors and levels of government, this collaborative approach becomes even more critical.
Nigeria’s experience in this moment mirrors a broader global transition. As emerging technologies such as artificial intelligence reshape both opportunities and risks, countries are being compelled to rethink how they secure their digital environments. The shift toward resilience-based models, which emphasise adaptability and continuity, reflects an understanding that threats will continue to evolve and that preparedness must evolve with them. In this sense, the CAC breach is not an outlier but part of a wider pattern that underscores the need for continuous improvement.
What emerges from the juxtaposition of these events is a clearer picture of where Nigeria stands. The articulation of a comprehensive cybersecurity vision provides a strategic direction, while real-world incidents such as the CAC breach provide practical tests of that direction. Together, they form a feedback loop in which policy informs practice and practice, in turn, refines policy. This dynamic is essential for building systems that are not only secure in theory but resilient in operation.
In the end, the significance of this moment lies not in the contrast between ambition and incident, but in their alignment. The conversation about cybersecurity in Nigeria is no longer confined to technical circles or policy documents. It is unfolding in real time, shaped by both strategic thinking and lived experience. Timing, in this context, becomes less about coincidence and more about opportunity, a chance to translate vision into action and to strengthen the foundations of a digital future that is both secure and resilient.
Shuaib S. Agaka is a tech journalist and policy analyst based in Kano.
[email protected]
