Cyberattacks are no longer a distant threat to Nigerian businesses. They are a present and costly reality. From the ₦10 billion bank heist that triggered mass account freezes in 2024, to the landmark ₦555.8 million fine imposed on Fidelity Bank Plc for data protection failures, the legal consequences of cyber incidents are becoming impossible to ignore. But beyond the headlines lies a deeper unresolved question: when a cyberattack disrupts a contract or derails a transaction, who is legally responsible?

In this article, we examine the intersection of cybersecurity and contractual liability in Nigeria, exploring what the law currently says, where the gaps are, and what businesses and legal practitioners must do to stay protected. Drawing on the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 as amended, the Nigeria Data Protection Act 2023 (NDPA), key Nigerian case law, and comparative insights from the United Kingdom, the United States, and Singapore, this piece offers a comprehensive and practical guide to navigating cyber risk in commercial relationships.

Whether you are a business owner, legal practitioner, compliance professional, or policymaker, this article makes the case that cyber risk is not merely a technical problem. It is a legal one, and the time to address it is before an attack occurs, not after.