CAC denies manipulation of DAAR Communications records

Nigeria's Corporate Affairs Commission (CAC) has moved to quash allegations that it manipulated corporate records belonging to DAAR Communications PLC in the aftermath of a recent cyberattack on its systems. The denial comes amid heightened scrutiny of the CAC's operational integrity and data security protocols, raising critical questions about the reliability of Nigeria's corporate registry—a foundational pillar for investor confidence and regulatory transparency.

The incident underscores a broader vulnerability in Nigeria's digital infrastructure. The CAC, which maintains the official registry of all incorporated companies and their filings, experienced unauthorized access to its systems. Rather than assume the worst, stakeholders across Nigeria's business ecosystem should understand what actually happened and why the CAC's swift public denial matters for corporate governance.

## What exactly happened during the CAC cyberattack?

The CAC's systems were compromised by unauthorized actors, creating a window of potential vulnerability to corporate records stored in its database. DAAR Communications, a publicly listed media and technology conglomerate, became the focal point of manipulation allegations when questions emerged about whether attackers had altered its corporate filings, shareholding structures, or compliance documents. The breach exposed the critical dependency Nigerian businesses place on the CAC's digital infrastructure without equivalent backup or verification mechanisms.

## Why are investor protections at stake?

Corporate records integrity is non-negotiable for capital markets. When investors, regulators, and creditors cannot trust that company filings—especially ownership structures and financial declarations—remain unaltered, deal-making stalls and valuations collapse. DAAR Communications, as a listed entity, saw its stakeholders immediately concerned about the authenticity of its regulatory position. Even a denial without forensic evidence leaves room for doubt in the market.

The CAC's quick response suggests internal audits confirmed no unauthorized alterations to DAAR's records specifically. However, the broader question persists: *were other company records compromised?* A cyberattack of sufficient sophistication to penetrate the CAC's defenses rarely targets a single entity. The commission's task now extends beyond denying one allegation to restoring systemic confidence.

## What does this mean for corporate governance going forward?

This incident exposes a critical gap in Nigeria's regulatory infrastructure. The CAC must implement real-time backup systems, multi-factor authentication, and third-party forensic audits of all penetrated systems. Nigerian regulators should consider establishing a decentralized or blockchain-backed registry mechanism to reduce single points of failure. Until then, investors face asymmetric information risk whenever the CAC's operational continuity is questioned.

For listed companies like DAAR Communications, the cyberattack becomes a governance test case. Transparency—sharing exactly what data was accessed, how long the breach persisted, and which records were verified—will determine whether stakeholder confidence recovers. The CAC's denial alone is insufficient; forensic evidence and remediation roadmaps are essential.

The Nigerian Stock Exchange and Securities and Exchange Commission should coordinate with the CAC to establish incident reporting protocols that prevent future ambiguity. Corporate Nigeria's foundation depends on it.