LESSON 34 — Introduction to Cybersecurity for Real Estate Professionals
Learning Objectives
By the end of this lesson, you will be able to:
Define cybersecurity and explain the CIA triad (Confidentiality, Integrity, Availability) in the context of a mortgage brokerage.
Describe why real estate and mortgage professionals are high-value targets for cybercriminals.
Identify the specific cyber threats most commonly directed at Nigerian property professionals.
Explain the key provisions of the Cybercrimes Act 2015 as amended in 2024, the Nigeria Data Protection Act 2023, and the CBN Cybersecurity Framework 2024.
Outline the data protection obligations of mortgage brokers under the NDPA 2023, including breach notification timelines and client rights.
Apply basic cybersecurity principles to your daily work.
Section 1: What Is Cybersecurity?
Cybersecurity is the practice of protecting systems, networks, and data from digital attacks, unauthorized access, and damage.
1.1 The CIA Triad
Confidentiality means only authorised people can access information. Your client’s financial records should be visible to you, your compliance officer, and relevant regulators. Not to a cybercriminal in Bucharest.
Integrity means data stays accurate and complete. When a transfer instruction arrives in your inbox, integrity protections give you confidence the instruction hasn’t been altered. Compromised integrity is why Business Email Compromise attacks are so devastating.
Availability means systems and data are accessible when you need them. A ransomware attack that encrypts your transaction files doesn’t just steal data. It shuts you down.
1.2 Why Mortgage Brokers Are Exposed
You hold client BVNs, NINs, bank statements, income documentation, employment records, property valuations, and wire transfer instructions. Every piece is worth money to someone with bad intentions.
You’re also a connector. You sit between buyers, sellers, banks, solicitors, and developers. Compromising your email gives an attacker a foothold to impersonate you.
Most brokerage firms don’t have a dedicated IT security team. That gap is exactly what attackers exploit.
Section 2: Why Real Estate Is a Target
2.1 The Size of the Stakes
A residential property deal in Lagos can involve wire transfers of tens of millions of naira. A commercial deal can run into billions. When an attacker intercepts or redirects one of those transfers, the payoff is enormous.
2.2 Multiple Parties, Multiple Attack Surfaces
A single property transaction can involve a buyer, a seller, two solicitors, a mortgage broker, a bank, a surveyor, and a developer. Each communication channel is a potential point of compromise. The attacker only needs to find the weakest party.
2.3 Wire Transfer Fraud
The most common and costly attack in real estate is the wire transfer redirect. An attacker monitors email communications, then sends a spoofed email with revised bank details at the moment a payment is due.
2.4 Personal Data as Currency
BVNs and NINs can be used to open fraudulent accounts. Bank statements and income records enable identity fraud. Your client database is not just useful to you — it’s a product criminals will pay for or steal.
2.5 Nigeria's Cash-to-Digital Shift
Nigeria’s financial sector has moved aggressively toward digital payments. More transactions happen digitally, more personal and financial data moves through networks, and more attack surface exists than five years ago.
Section 3: The Nigerian Cyber Threat Landscape
3.1 Phishing at Scale
In 2024, 1 in 3 Nigerians received phishing emails. Phishing emails targeting financial and real estate professionals have become increasingly sophisticated.
3.2 Financial Fraud Losses
Between January 2023 and April 2025, Nigeria lost an estimated N320 billion to financial fraud. Of that total, 92% involved digital channels.
Nigerian banks lost the equivalent of GBP 20 million between April and June 2024 alone.
3.3 Fraud Cases Rising
Reported fraud cases increased by 26% across the Nigerian financial sector in 2024.
3.4 Cybercrime's Annual Cost
Cybercrime costs Nigeria an estimated $500 million annually.
3.5 Real Estate as a Priority Target
Property professionals are increasingly profiled in Nigerian cybercrime typologies because of high transaction values and weak security practices.
AI-generated voice cloning has been used to impersonate mortgage brokers in phone calls. Deepfake video calls have appeared in high-value deals.
Section 4: Nigerian Cybersecurity and Data Protection Laws
4.1 The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 (as Amended 2024)
The Cybercrimes Act criminalised computer-related fraud, identity theft, cyberstalking, and illegal system access.
The 2024 amendment, signed 28 February 2024, strengthened provisions, introduced enhanced penalties for cybercrime offences involving financial institutions, and expanded critical national infrastructure categories.
Relevant provisions: identity fraud (section 22), computer-related financial fraud (section 14), and the offence of knowingly facilitating or failing to prevent cybercrime.
4.2 The Nigeria Data Protection Act 2023 (NDPA)
The NDPA came into force in 2023, replacing the 2019 NDPR. It created the Nigeria Data Protection Commission (NDPC) as the regulatory authority.
As a mortgage broker, you are a data controller. The NDPA imposes binding obligations.
Lawful Basis for Processing
Every piece of personal data you collect must have a lawful basis. For most mortgage transactions: contractual necessity or legal obligation (AML/KYC requirements).
Collect what you need. Don’t collect what you don’t.
The 72-Hour Breach Notification Rule
If your systems suffer a personal data breach, you have 72 hours to notify the NDPC. That window starts when you become aware of the breach.
You must also notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms.
Penalties
Up to N10 million or 2% of annual gross revenue, whichever is higher. Repeat or egregious violations attract higher penalties.
4.3 The CBN Cybersecurity Framework (Effective 1 July 2024)
The framework applies directly to financial institutions and their regulated partners. Mortgage lenders are in scope.
The framework imposes a 24-hour incident reporting obligation for significant cybersecurity incidents.
It mandates minimum controls: multi-factor authentication for all financial system access, encryption of data in transit and at rest, regular penetration testing, and documented incident response plans.
Section 5: Data Protection Basics for Mortgage Brokers
5.1 What Data Do You Actually Hold?
Most brokers hold more personal data than they realise. Client application files. Email threads. WhatsApp messages with scanned documents. Cloud storage. Shared drives. Paper files.
A simple data register listing what data you hold, where, who has access, and your legal basis is the foundation of NDPA compliance.
5.2 NDPA Obligations in Practice
A documented privacy notice telling clients what data you collect, why, how long you keep it, and how they can exercise their rights.
Appropriate security measures: end-to-end encrypted email for sensitive data, password protection on all devices, access controls.
Retention and deletion policies. Most transaction data should be retained for at least five years (AML), then deleted.
Staff training. Your NDPA obligations extend to everyone who handles personal data.
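A data register of the kind described in 5.1, checked against the retention rule above, as an added example that is not part of the original lesson. The column names, the sample rows, and the choice to count the five years from the transaction completion date are assumptions made for illustration.

```python
from datetime import date

# The four things the lesson says a register must record for each data set.
REQUIRED = ("data", "location", "access", "lawful_basis")
RETENTION_YEARS = 5  # AML minimum stated in the lesson

def retention_end(completed: date, years: int = RETENTION_YEARS) -> date:
    """Date on which the minimum retention period ends (assumed to run from completion)."""
    try:
        return completed.replace(year=completed.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return completed.replace(year=completed.year + years, day=28)

def audit_register(register, today):
    """Return (row id, finding) pairs for incomplete rows and rows past retention."""
    findings = []
    for row in register:
        rid = row.get("id", "?")
        for col in REQUIRED:
            if not row.get(col):  # empty string, empty list or absent
                findings.append((rid, f"missing {col}"))
        completed = row.get("completed")
        if completed is not None and today >= retention_end(completed):
            findings.append((rid, "retention period ended: review for deletion"))
    return findings

# Constructed sample register (not real client data).
REGISTER = [
    {"id": "R1", "data": "BVN, NIN, bank statements", "location": "cloud drive",
     "access": ["broker", "compliance officer"],
     "lawful_basis": "legal obligation (AML/KYC)", "completed": date(2019, 3, 1)},
    {"id": "R2", "data": "scanned ID sent over WhatsApp", "location": "staff phone",
     "access": [], "lawful_basis": "", "completed": None},
    {"id": "R3", "data": "income documentation", "location": "shared drive",
     "access": ["broker"], "lawful_basis": "contractual necessity",
     "completed": date(2023, 6, 30)},
]

if __name__ == "__main__":
    for rid, finding in audit_register(REGISTER, date(2025, 1, 15)):
        print(rid, finding)
```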
5.3 Breach Notification in Practice
A basic incident response plan: who to call first, what to preserve as evidence, how to assess scope, how to draft the NDPC notification, how to notify affected clients.
The NDPC notification should state what data was affected, how many individuals are impacted, what the likely consequences are, and what measures you’ve taken.
5.4 Client Rights Under the NDPA
Right of access, right to correction, right to deletion. You have one month to respond to a data subject access request.
Case Study: The Abuja Wire — How a Spoofed Email Cost a Client N47 Million
Emeka Okafor ran a mid-size mortgage brokerage in Abuja with three associates and a support staff of five. In April 2024, one of his clients was preparing to make a completion payment of N47 million.
Three days before the scheduled transfer, a cybercriminal who had been monitoring the email thread sent a message appearing to come from the solicitor’s address. The message said the solicitor had changed bank accounts and all completion funds should go to the new account.
The email arrived at 4:47 PM on a Friday. The client called Emeka’s office. The associate checked the email, confirmed it looked legitimate, and told the client the instruction seemed consistent. The client transferred N47 million.
By Monday morning, the solicitor called asking where the completion funds were. There were no funds. The account in the spoofed instruction had been opened using fabricated identity documents, received the transfer, and was drained within four hours.
The investigation established the attacker had gained access to the solicitor’s email account six weeks earlier through credential phishing. They had been silently reading correspondence ever since.
Emeka’s firm had never implemented a policy of verbally confirming bank details by phone before any transfer. They had no staff training on Business Email Compromise.
The client pursued civil claims. The case settled out of court. The brokerage’s professional indemnity insurer covered part of the loss but declined to renew at the same premium.
What would have stopped this? One phone call to a verified number confirming the account change. A firm policy requiring verbal confirmation for any banking detail that changes mid-transaction. Basic staff training.
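The verbal-confirmation policy described above, written as a payment release check. This is an added example, not part of the original lesson; the record layout, decision labels and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class BankDetails:
    bank: str
    account_number: str
    account_name: str

@dataclass
class Transaction:
    reference: str
    details_on_file: BankDetails   # recorded at the start of the deal, not taken from email
    phone_on_file: str             # verified number recorded at the start of the deal
    callbacks: list = field(default_factory=list)  # audit trail of phone checks

def digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())

def normalise(d: BankDetails) -> tuple:
    """Canonical form, so spacing or letter case cannot hide or fake a change."""
    return (d.bank.strip().casefold(), digits(d.account_number),
            " ".join(d.account_name.split()).casefold())

def record_callback(txn, requested, number_dialled, confirmed: bool) -> bool:
    """Log a phone check. It counts only if the number on file was dialled
    (never a number supplied in the message) and the payee confirmed the change."""
    valid = confirmed and digits(number_dialled) == digits(txn.phone_on_file)
    txn.callbacks.append({"details": normalise(requested),
                          "number": number_dialled, "valid": valid})
    return valid

def release_decision(txn, requested) -> str:
    """Decide whether a payment to the requested details may be released."""
    if normalise(requested) == normalise(txn.details_on_file):
        return "RELEASE"
    if any(cb["valid"] and cb["details"] == normalise(requested)
           for cb in txn.callbacks):
        return "RELEASE_AFTER_CALLBACK"
    return "HOLD_CALLBACK_REQUIRED"

# Constructed sample: details on file versus details received by email.
TXN = Transaction("TXN-EXAMPLE-001",
                  BankDetails("Example Bank", "0000000001", "Example Chambers Client Account"),
                  "+234 800 000 0001")
EMAILED = BankDetails("Other Bank", "0000000002", "Example Chambers Client Account")

if __name__ == "__main__":
    print(release_decision(TXN, EMAILED))  # changed mid-transaction, no callback yet
```

A call placed to a number taken from the email itself is logged but does not lift the hold, which is the gap the case study exposes.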
KEY TAKEAWAYS
Cybersecurity protects the confidentiality, integrity, and availability of your data. As a mortgage broker, you hold high-value personal and financial information that criminals will actively target.
Real estate is targeted because of high transaction values, wire transfer instructions sent by email, multiple parties across a single deal, and historically weak security practices at smaller firms.
Nigeria lost N320 billion to financial fraud between January 2023 and April 2025, with 92% via digital channels. Fraud cases rose 26% in 2024. Cybercrime costs Nigeria $500 million annually.
The Cybercrimes Act 2015 (amended 28 February 2024), the NDPA 2023 (72-hour breach notification, penalties up to N10M or 2% revenue), and the CBN Cybersecurity Framework (effective 1 July 2024, 24-hour incident reporting) all impose direct obligations on you.
As a data controller under the NDPA 2023, you must have a lawful basis for all data collected, provide a privacy notice, implement appropriate security, maintain retention policies, and train your staff.
The most common and costly attack in real estate is wire transfer redirect via Business Email Compromise. One verified phone call confirming any changed bank detail can stop it.
Knowledge Check (10 Questions)
1. The CIA triad in cybersecurity stands for:
(a) Compliance, Investigation, Audit
(b) Confidentiality, Integrity, Availability
(c) Control, Identity, Access
(d) Cybercrime, Incident, Assessment
2. Which of the following best describes a Business Email Compromise (BEC) attack in real estate?
(a) Installing ransomware on a broker’s laptop to encrypt transaction files
(b) Intercepting email communications and sending spoofed payment instructions to redirect wire transfers
(c) Cloning a broker’s website to collect false mortgage applications
(d) Using a broker’s BVN to open fraudulent accounts
3. What percentage of Nigeria’s N320 billion in financial fraud losses between January 2023 and April 2025 involved digital channels?
(a) 62%
(b) 74%
(c) 88%
(d) 92%
4. The Cybercrimes Act 2015 amendment was signed into law on:
(a) 15 January 2024
(b) 28 February 2024
(c) 1 July 2024
(d) 13 December 2024
5. Under the Nigeria Data Protection Act 2023, within how many hours must you notify the NDPC of a personal data breach?
(a) 24 hours
(b) 48 hours
(c) 72 hours
(d) 7 days
6. The maximum penalty under the NDPA 2023 for data protection violations is:
(a) N5 million or 1% of annual gross revenue, whichever is lower
(b) N10 million or 2% of annual gross revenue, whichever is higher
(c) N20 million flat
(d) N2 million per individual affected
7. The CBN Cybersecurity Framework became effective on:
(a) 1 January 2024
(b) 28 February 2024
(c) 1 July 2024
(d) 1 October 2024
8. Under the CBN Cybersecurity Framework, significant cybersecurity incidents must be reported within:
(a) 6 hours
(b) 12 hours
(c) 24 hours
(d) 72 hours
9. In the case study, what single control would most likely have prevented the N47 million loss?
(a) Installing antivirus software on the brokerage’s computers
(b) Verbally confirming changed bank details by phone to a verified number before any transfer
(c) Filing an STR with the NFIU before the transfer was made
(d) Requiring the client to visit the office in person to authorise the transfer
10. Which of the following is NOT a client right under the NDPA 2023?
(a) Right to access personal data held about them
(b) Right to correction of inaccurate data
(c) Right to receive financial compensation automatically when a breach occurs
(d) Right to deletion of data where no ongoing legal basis for retention exists
Answers
1. (b) 2. (b) 3. (d) 4. (b) 5. (c) 6. (b) 7. (c) 8. (c) 9. (b) 10. (c)
Further Reading
Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, as amended 2024
Nigeria Data Protection Act 2023 (NDPA) and NDPC Implementation Framework
CBN Risk-Based Cybersecurity Framework and Guidelines for Financial Institutions (effective 1 July 2024)
NDPC Data Breach Notification Guidelines 2023
FITC Fraud and Forgeries Report: Nigerian Financial Sector 2024
EFCC Annual Cybercrime Report 2024
INTERPOL African Cyberthreat Assessment Report 2024
FBI Internet Crime Complaint Center (IC3) Business Email Compromise Guidance
IMBLN Cybersecurity and Data Protection Guidance Note
ISO/IEC 27001:2022 Information Security Management Systems standard
IMBL Nigeria Certification