-1323.png){kind=logo}
In2015, Nigeria took a crucial step towards combating cybercrime by introducing the Cybercrime (Prohibition and Prevention) Act (the ‘Principal Act’). But, despite its intentions, some parts of the law faced criticism for their misuse and ineffectiveness.[1] Particularly troubling are instances of law enforcement agencies using the Act to target young individuals, human rights activists, and journalists.[2] Meanwhile, cybercrime continued to thrive, with Nigeria's global ranking for complaints soaring to 16th in 2020[3] and ranking 5th in the global cybercrime index in a recent study.[4] The stakes are high, as cyberattacks increasingly target government and critical infrastructure, putting sensitive data and national security at risk.[5] Stronger legislation and enforcement are needed to keep pace with the evolving threat landscape as part of wider measures to combat cybercrime.
In response, the Senate Joint Committee held a public hearing in November 2023 to solicit feedback on amending the Cybercrimes Act.[6]After deliberations and stakeholder input, the Cybercrime (Prohibition and Prevention) (Amendment) Act 2024 (the ‘Amendment Act’) was signed into law on February 28, 2024. But will these changes be enough to turn the tide against cybercrime in Nigeria?
This review explores the changes and their potential impact, asking whether they effectively address the previous concerns and provide a stronger framework for cybersecurity in Nigeria.
A few semantics and terms in the Principal Act have been revised in the Amendment Act, aiming to clarify provisions and enhance their effectiveness. In Section 17(a) of the Principal Act, the word "genuineness" was initially misspelt as "geniuses," leading to a potential misunderstanding of the provision. This error has been rectified, restoring the intended meaning by correcting it to "genuineness."[7]
Additionally, Section 22 (1) of the Principal Act has been expanded to encompass a broader scope of protection by including the phrase "public or private organisation" after "any Financial Amendment of Institution."[8] This amendment ensures that identity theft is addressed within financial institutions and other organisational settings.[9]
Furthermore, Section 37 of the Principal Act has been amended to provide additional identification measures by specifying that the National Identity Management Commission must issue the "National Identification Number,[10]and this clarifies any ambiguity. These amendments enhance the clarity of the Cybercrimes Act.
Section 41 of the Principal Act has been amended to strengthen the role of the National Computer Emergency Response Team (ngCERT) in enhancing cybersecurity measures.[11]The amendments introduce provisions to establish sectoral Computer Emergency Response Teams (sCERT) and Security Operation Centres (SOC). The government is to establish a National Computer Forensic Laboratory, build capacity for relevant security agencies, establish public-private partnerships, coordinate international cybersecurity cooperation, and undertake other necessary functions. Before including the sector-specific CERT requirement, the Nigeria Communication Commission (NCC)[12]and the National Information Technology Development Agency (NITDA)[13] established and maintained sector-based emergency response teams. The addition provides wider sectoral oversight that can strengthen the national cybersecurity ecosystem.
One notable provision in the amended Section 41 requires that all public and private organisations integrate and route their internet and data traffic to the sectoral SOCs, thereby protecting national cyberspace. This centralisation of monitoring by SOCs offers several benefits. SOCs could improve national threat detection by providing a broader view of potential threats and attacks across various sectors while ensuring faster incident response by expediting the identification and mitigation of cyberattacks, thus minimising damage and downtime for organisations.[14] Furthermore, collaboration between SOCs and organisations can lead to improved cybersecurity practices and threat intelligence sharing. For example, if fintech companies share information about their fraud experiences, it enhances collective security efforts. When one company encounters a new type of attack and shares the details, such as malicious IP addresses and attack methods, other companies can quickly update their security measures to block similar attacks, leading to faster detection and response, reducing financial losses, and improving overall industry resilience against cyber threats.
Additionally, if not properly managed, the centralised monitoring could create a single point of failure, leaving the entire country vulnerable to cyberattacks in the event of a system failure or compromise at a SOC.[15] Routing all internet traffic through SOCs also raises privacy concerns, as data breaches or unauthorised access could expose sensitive information from individuals and organisations.[16] The transparency of data collection, storage, and usage by SOCs is another concern, as a lack of clear oversight could lead to misuse of centralised data.[17]Moreover, integrating diverse network infrastructures and ensuring seamless data flow across various sectors can be technically complex and require significant investment.[18] The cost of compliance, particularly for smaller organisations, could be burdensome and hinder economic activity. Lastly, mandatory routing of all internet traffic creates a significant potential for government surveillance, with unchecked access to this data potentially infringing on citizens' right to privacy and freedom of expression.[19]
Despite these positive changes, concerns remain regarding ngCERT's autonomy, as it still operates under the supervision of the Office of the National Security Adviser (ONSA), potentially hindering its effectiveness. Operating under the supervision of ONSA could lead to conflicts of interest or undue influence on the operations of ngCERT, limiting its ability to act independently and impartially in addressing cybersecurity threats. This lack of independence may impair ngCERT's capacity to respond to emerging cyber threats effectively, coordinate with other relevant agencies, or provide impartial advice and assistance to stakeholders. Full independence and impartiality are crucial for ngCERT to fulfil its mandate effectively and safeguard Nigeria's cyberspace.
Section 21 of the Principal Act underwent significant amendments, which have positive impacts. The revision strengthens coordination among cybersecurity entities by mandating immediate reporting of cyber incidents to the National Computer Emergency Response Team (ngCERT)Coordination Center through sectoral CERTs or Security Operations Centres(SOC).[20] This streamlined approach fosters better collaboration and enables a swift and coordinated response to cyber threats.
Furthermore,the amendment reduces the reporting timeframe for cyber incidents, includingattacks and intrusions, from “7 days of its occurrence” to “72 hours of itsdetection”, giving the provision a more operational effect. The provision hasbeen criticised for being inoperational, as cyberattacks could have occurredlong before detection.[21] This reduced response time is morepractical and critical in mitigating the impact of cyberattacks andsafeguarding computer systems and networks. Additionally, by emphasisingproactive reporting, the amendment promotes enhanced cybersecurity measures andbolsters cyber resilience across public and private sectors. Moreover, therequirement to report disruptions that may affect other systems or networkscontributes to protecting critical infrastructure and essential services fromcyber threats.
While commendable, the amendment could be more effective with the ngCERTs and SOCsinstituting clear reporting guidelines, thereby ensuring more standardised andcomprehensive reporting procedures. Such measures would improve incidentreporting accuracy, facilitate quicker responses to emerging threats, fosterincreased transparency and trust in cybersecurity efforts, and aid regulatorycompliance. Implementing these guidelines would create a roadmap of cyberincident reports and their corresponding resolutions, providing valuable insights into the efficacy of cybersecurity measures over time.
Section 24 of the Principal Act, long criticised for its vague language and potential for misuse, has undergone significant amendments.[22] This section is widely condemned forbeing used by public authorities and powerful individuals to regulate andclampdown on social media critics, resulting in the arrest and intimidation ofindividuals, journalists, bloggers, and human rights activists.[23] This provision has led to documented cases of the arrest of individualscritical of the government, including journalists and human rights defenders.[24]
Consequently, the provision has beenchallenged in Court for the problems highlighted above. In the case of Inc.Trustees of Laws and Rights Awareness Initiative v. the Federal Republic ofNigeria[25] the Economic Community of West AfricanStates (ECOWAS) Community Court of Justice declared the provision violates theNigerian constitution and recommended it should be amended. The court foundthat section 24 of the Act infringed on the right to freedom of expression.Specifically, the court found that the section does not define criminal conductsufficiently, leading to potential arbitrary enforcement and violations of therights to freedom of expression and privacy. The ruling emphasised that lawsrestricting expression must be precise and clear to allow individuals tounderstand the legal boundaries and enable law enforcement to distinguishbetween legitimate and illegitimate restrictions on speech. As a result, thecourt ruled that Nigeria amend or repeal Section 24 to align it withinternational human rights obligations under the African Charter on Human andPeoples' Rights and the International Covenant on Civil and Political Rights.
The amendment to the section addressedsome of these concerns by specifying that content deemed punishable includeswhen a person sends information that is pornographic and knowingly falseinformation aimed at inciting lawlessness, posing threats to life, or incitingsuch messages.[26] The language may still be broad enoughto allow for arbitrary enforcement, potentially leading to the suppression oflegitimate dissent or criticism under the guise of maintaining order.[27] This may lead individuals to self-censorto avoid legal repercussions. Journalists and activists may still facetargeting for their online activities, deterring them from reporting onsensitive issues or expressing dissenting views. Despite the Amendment, peopleare still being arrested under the provisions of the Principal Act without recourse to the updated legislation.[28]
The wording of Section 30 of thePrincipal Act may have been too specific in its application to paymenttechnologies like ATMs and Point-of-Sales machines, excluding paymenttechnologies not conceived when the law was drafted. This specificity limitsthe law's application and does not lend it the necessary flexibility. Theoriginal language seems restrictive and may leave gaps in prosecuting offenderswho use emerging payment methods not explicitly mentioned in the law. Theamendment[29] expands the scope of Section 30 byincluding the phrase "or any other payment technology means" insubsection (1) and substituting "or point of sales device" with"or any other payment technology means" in subsection (2). Thisrevision positively impacts the legal framework by broadening its applicabilityto encompass a wider range of payment technologies available now, which can beconceived beyond traditional ATMs and Point of Sales terminals. Future-proofingthe law with inclusive language ensures that perpetrators cannot exploit legalloopholes and evade prosecution when using new payment methods for criminalactivities. The gap in the provision highlights some of the challenges with arule-based drafting style over a principle-based one; the former isrestrictive, while the latter is flexible and amenable to new circumstances.[30]
Section 38 of the Principal Act wasinfluenced by the repealed European Union Data Retention Directive (Directive 2006/24/EC),[31] which mandated service providers toretain traffic data, including content and subscriber data, for two years. Thisprovision raised significant concerns due to the excessive retention period,lack of objective criteria for data access, insufficient safeguards againstabuse, and that it erodes anonymity.[32]The amendment to Section 38(1) of the Principal Act requires the alignment ofthe data retention practices with the Nigeria Data Protection Act (NDPA) andregulations prescribed by the authority responsible for regulatingcommunication services in Nigeria.[33]However, it is important to note that the NDPA does not specify a retentionperiod for any data category, nor is it within its scope to do so. Whilealigning with the NDPA is a positive step, it does not alter the status quo,the retention period remains 2 years.
For context, the Court of Justice of theEuropean Union (CJEU)[34] invalidated the Data Retention Directive(Directive 2006/24/EC) in 2014, a year before Nigeria enacted the CybercrimesAct. The court found that the directive required telecommunications companiesto retain users' data for up to two years and interfered with the fundamentalrights to respect for private life and personal data protection. The rulingemphasised that the directive did not provide sufficient safeguards to ensurethat the retained data was only accessed and used in serious crime cases andthat it lacked adequate protections against abuse and unlawful access.Nonetheless, we must consider whether Nigeria's unique circumstances justify asimilar retention period. Further amendments are necessary to establish clearcriteria, considering the categories of data, the persons involved, and thedata's relevance. Additionally, the amendment should specify that the retentionperiod commences from the date of communication to address ambiguity regardingwhen the retention period begins. These amendments are crucial to safeguardingprivacy rights and ensuring compliance with international standards whilebalancing the need for law enforcement access to data.
Section 44 of the Principal Actestablished the National Cyber Security Fund, which will be domiciled in theCentral Bank of Nigeria and funded through a 0.005% levy. While the NationalCybersecurity Fund is essential for significantly boosting financial resourcesto counter cyber threats and violent extremism, the amendment to Section 44,which introduces an increased levy of 0.5% on electronic transactions, mayimpose a substantial financial burden on businesses, particularly small andmedium-sized enterprises (SMEs). This higher cost could discourage electronictransactions, potentially stifling business growth and innovation in thedigital economy. The stringent penalties for non-compliance, includingsignificant fines and the potential closure or withdrawal of business licences,may be viewed as overly harsh and could lead to economic disruptions.Furthermore, the broad authority granted to the ONSA may raise concerns aboutexcessive government control and the potential misuse of the Fund's resources.Ensuring that these measures do not negatively impact the business environmentor lead to over-regulation is crucial for maintaining a balanced approach tocybersecurity funding.
To implement section 44 of the PrincipalAct, the Central Bank of Nigeria issued a circular mandating all banks andfinancial institutions to implement the 0.5% levy on electronic transactions tosupport the National Cybersecurity Fund.[35]The circular required that the levy must be applied at transaction origination,deducted, and remitted monthly. This caused a lot of public outcry and backlashfollowing this, the Nigerian House of Representatives directed the Central Bankof Nigeria (CBN) to suspend the implementation of the cybersecurity levy[36] emphasising the need for further publicawareness and clarification about the levy, noting that it should targetbusinesses profiting from cyberspace, not ordinary Nigerians. In response, theCBN issued a revised circular on May 17, 2024, retracting its earlier directiveto banks and payment service providers.
MarginalProgress but a Missed Opportunity
Despite amendments to the CybercrimesAct, significant gaps persist in addressing the evolving landscape ofcybercrimes in Nigeria. To effectively combat these challenges, strongerlegislation is needed to enhance enforcement, effectiveness, and relevance to currentcybersecurity threats. The amendment would have met a wider goal if it hadallowed for a better amendment process, giving adequate time for public inputand thorough stakeholder review. This approach would have ensured thatamendments are well-informed and reflect the dynamic cyber threat landscape.
To effectively combat these threats and ensure a robust legislative framework, the following recommendations are proposed for future amendments:
1. Address Emerging Threats: The Act should be updated to tackle emerging cybersecurity threats. For instance, he proliferation of POS and electronic transactions[37]has left many vulnerable to incidents resulting in significant financial losses, underscoring the urgent need for attention from both financial and cybersecurity authorities. The Act should also include legal frameworks for cryptocurrency-related crimes, such as unauthorised mining, fraud, and theft. In particular, section 32 (1) of the Principal Act should be amended to accommodate other manifestations of phishing and recognise that it could manifest in different forms. To ensure the legislation remains effective against future threats, it should allow for periodic reviews and updates by a cybersecurity regulatory authority that can issue secondary legislation, maintaining flexibility and adaptability to evolving technological advancements.
2. Enhancing the Resources of ngCERT and SOCs: The Act should include provisions to ensure that the National Computer Emergency Response Team (ngCERT), the sectoral CERTs, and Security Operations Centers (SOCs) are adequately resourced and scalable to handle the immense volume of data traffic from all organisations. In addition, there should be an effort to make ngCERT independent and function efficiently.
3. Clarifying Prohibition of SecurityResearch
Section6(2) of the Principal Act currently does not distinguish between malicioushacking and ethical hacking, potentially leading to unintended consequences forsecurity researchers. Ethical hackers play a crucial role in identifying andreporting system flaws and vulnerabilities, thereby preserving the integrity ofsystems through timely detection and remediation of potential threats.
Thebroad interpretation of this provision could result in the arrest andprosecution of security researchers, hindering efforts to enhancecybersecurity. To address this, it is recommended that Section 6(2) beredrafted to decriminalise security research and legitimise vulnerabilitydisclosure programs explicitly. This would encourage a collaborative approachto cybersecurity, allowing researchers to report vulnerabilities without fearof legal repercussions, ultimately strengthening the overall security postureof systems.
4. Preserving Encryption and EnhancingOversight
Section45(1)(f) of the Principal Act allows law enforcement to seek court orders fordecrypting data but ambiguously suggests they "may" bypass courtoversight. This risks undermining encryption, which is crucial for privacy andfreedom of expression and exposes systems to bad actors. We recommendpreserving encryption and ensuring its decryption is strictly supervised bycourts. Decryption should only occur for serious crimes under conditions ofnecessity and proportionality, with court orders specifying the scope andduration to prevent mass surveillance.
Inconclusion, while the amendments to the Cybercrimes Act represent a stepforward in addressing some of the longstanding issues and challenges withinNigeria's cybersecurity landscape, significant gaps and concerns still need tobe addressed. The future holds both promise and uncertainty as Nigeria grappleswith the evolving nature of cyber threats and the need for robust legislativeframeworks to combat them effectively.
Movingforward, it is imperative that Nigeria adopts a comprehensive approach tocybersecurity that addresses emerging threats, enhances enforcement mechanisms,and promotes collaboration among relevant stakeholders. This includes updatinglegislation to reflect technological advancements, improving data protectionmeasures, and fostering a culture of cybersecurity awareness and education.Conducting a comprehensive evaluation of the Act’s effectiveness since itsenactment in 2015 would provide valuable insights into its impact and informfuture policy decisions.
Additionally,enhancing reporting mechanisms for cybersecurity incidents is crucial foraccurately assessing the Act's effectiveness and addressing enforcement gaps.Establishing clear guidelines for what to report and incentivisingorganisations to report incidents would enhance data collection and analysis,facilitating more informed decision-making. Ultimately, the future ofcybersecurity in Nigeria will depend on the government's commitment to enactingand enforcing effective legislation and on the engagement and cooperation ofall stakeholders, including the private sector, civil society, andinternational partners.
[1] Marianna Tzabiras,‘Nigeria’s Cybercrime Law Being Selectively Applied’ (IFEX, 9 October 2020) <https://ifex.org/nigerias-cybercrime-law-being-selectively-applied/>accessed 23 June 2024.
[2] Babatunde Titilola, ‘HowNigerian Authorities Use Cybercrime Act to Silence Free Press’ (Punch Newspapers,22 June 2024)<https://punchng.com/how-nigerian-authorities-use-cybercrime-act-to-silence-free-press/>accessed 23 June 2024.
[3] Guardian Nigeria,‘Nigeria Ranks 16th in FBI’s Global Worst Affected by Internet Crimes’ (GuardianNigeria News, 18 March 2021)<https://guardian.ng/nigeria-ranks-16th-in-fbis-global-worst-affected-by-internet-crimes/>accessed 23 June 2024.
[4] Samson Akintaro,‘Nigeria Ranks 5th in Global Cybercrime Index’ (Nairametrics, 12 April 2024)<https://nairametrics.com/2024/04/12/nigeria-ranks-5th-in-global-cybercrime-index/>accessed 23 June 2024.
[5] Anne Byrne, ‘EscalatingThreats to Critical National Infrastructure’ (2T Security, 30 April 2024)<https://2t-security.com/?p=3943> accessed 23 June 2024.
[6] Abdulqudus Ogundapo,‘Senate Holds Public Hearing on Cybercrime Amendment Bill Wednesday’ (PremiumTimes Nigeria18 November 2023)<https://www.premiumtimesng.com/news/more-news/644427-senate-holds-public-hearing-on-cybercrime-amendment-bill-wednesday.html?tztc=1>accessed 23 June 2024.
[7]Section 2(a) of the Amendment Act.
[8]Section 4 of the Amendment Act.
[9] Similar amendment impact on Section 27 (2) ofthe Principal Act.
[10] Section 8 of the Amendment Act.
[11] Section 10 of the Amendment Act.
[12] ‘CyberSecurity’<https://www.ncc.gov.ng/technical-regulation/cybersecurity#ncc-csirt>accessed 23 June 2024.
[13] ‘NITDA | CERRT’<https://cerrt.ng/> accessed 23 June 2024.
[14] ‘SOCImplementation Challenges and Solutions’<https://www.kellton.com/kellton-tech-blog/implementing-soc-strategies>accessed 23 June 2024.
[15] ‘The Importance of the SecurityOperations Center (SOC)’ (Check Point Software) <https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-soc/the-importance-of-the-security-operations-center-soc/>accessed 23 June 2024.
[16] Ankit Kumar Jain, Somya Ranjan Sahoo andJyoti Kaubiyal, ‘Online Social Networks Security and Privacy: ComprehensiveReview and Analysis’ (2021) 7 Complex & Intelligent Systems 2157<https://doi.org/10.1007/s40747-021-00409-7> accessed 23 June 2024.
[17] Yinhao Jiang and others, ‘Pervasive UserData Collection from Cyberspace: Privacy Concerns and Countermeasures’ (2024) 8Cryptography 5 <https://www.mdpi.com/2410-387X/8/1/5> accessed 23 June2024.
[18] Eric Murrell, ‘What Is NetworkInfrastructure and Why Is It Important?’ (NYBSYS, 18 April 2024)<https://nybsys.com/what-is-network-infrastructure/> accessed 23 June2024.
[19] Peter Königs, ‘Government Surveillance,Privacy, and Legitimacy’ (2022) 35 Philosophy & Technology 8<https://doi.org/10.1007/s13347-022-00503-9> accessed 23 June 2024.
[20] Section 3 of the Amendment Act.
[21] Tech Hive Advisory ‘Assessing DataProtection in Nigeria: A Look at Biometric Identity, Surveillance, Encryptionand Anonymity, and Cybercrimes’<https://www.techhiveadvisory.africa/report/assessing-data-protection-in-nigeria-a-look-at-biometric-identity-surveillance-encryption-and-anonymity-and-cybercrimes>accessed 23 June 2024.
[22] The State of Media Freedom and Safety ofJournalists in Africa (CIPESA) November 2022 <https://cipesa.org/wp-content/files/The_State_of_Media_Freedom_and_Safety_of_Journalists_in_Africa_Report_1.pdf>accessed 23 June 2024
[23] ‘Nigeria Charges Weekly Source EditorJones Abiri under Cybercrimes, Terrorism Acts’ (Committee to Protect Journalists,22 May 2019)<https://cpj.org/2019/05/nigeria-charges-jones-abiri-weekly-source-terrorism/>accessed 23 June 2024.
[24] Urowayino Jeremiah, ‘Police ArrestSowore in Abuja over Alleged Fake News Peddling’ (Vanguard News24 February2022)<https://www.vanguardngr.com/2022/02/police-arrest-sowore-in-abuja-over-alleged-fake-news-peddling/>accessed 23 June 2024.
[25] ECW/CCJ/JUD/16/20Inc. Trustees of Laws and RightsAwareness Initiative v. Federal Republic of Nigeria <https://caselaw.ihrda.org/en/entity/s8gzucy29q>accessed 8 June 2024.
[26] Section 5 of the Amendment Act.
[27] Ben Ezeamalu (theAfricaReport) ‘Nigeria:Cybercrime Law still used to Harass Citizens Despite Amendment’
<https://www.theafricareport.com/348123/nigeria-cybercrime-law-still-used-to-harass-citizens-despite-amendment/>accessed 8 June 2024.
[28] OlayiwolaAjisafe (Punch Newspaper) ‘You Broke the Law by Detaining Journalist for Over48 Hours – Nigerians Dismiss Police Spokesperson’s Ig Defence’,
<https://punchng.com/you-broke-the-law-by-detaining-journalist-for-over-48-hours-nigerians-dismiss-police-spokespersons-ig-defence/> accessed 8 June 2024.
[29] Section 7 of the Amendment Act.
[30] ‘OSC Burden Reduction Initiative –Rules-Based versus Principle-Based Regulation’ (Osler, Hoskin & Harcourt LLP2019) <https://www.osler.com/en/blogs/risk/june-2019/osc-burden-reduction-initiative-rules-based-versus-principle-based-regulation>accessed 28 May 2024.
[31] The European Union Data RetentionDirective, also known as Directive 2006/24/EC, was a European Union (EU)directive that required telecommunications providers to retain metadata aboutall communications for a minimum of six months, in case the data was sought bylaw enforcement agencies.
[32] Temitayo Ogunmokun, Sandra Musa,‘Assessing Data protection in Nigeria: A look at Biometric Identity,Surveillance, Encryption, Anonymity and Cybercrimes’ <https://cdn.prod.website-files.com/641a2c1dcea0041f8d407596/644d26941c9116d1fa3b0e8e_Accessing-Data-Protection-1.pdf>accessed 24 June 2024.
[33] Section 8 of the Amendment Act.
[34] DigitalRights Ireland and Seitlinger and Others, Judgement in Joined Cases C-293/12and C-594/12
[35] Central Bank of Nigeria(CBN). Circular to All Commercial, Merchant, Non-Interest and Payment ServiceBanks; Other Financial Institutions, Mobile Money Operators and Payment ServiceProviders. Re: Cybercrimes (Prohibition, Prevention, Etc) (Amendment) Act 2024-Implementation Guidance on the Collection and Remittance of the NationalCybersecurity Levy<https://www.cbn.gov.ng/Out/2024/CCD/CIRCULAR%20REF%20PSMDIRPUBLAB017004%2006052024.pdf>accessed 7 June 2024.
[36] Dirisu Yakubu, Olayiwola Ajisafe, ‘RepsDirect CBN to Suspend Cybersecurity Levy’
https://punchng.com/breaking-reps-direct-cbn-to-suspend-cybersecurity-levy/>accessed 7 June 2024.
[37] FITC, ‘Quarter 4 (2023) Reports onFrauds and Forgeries in Nigeria ’ https://fitc-ng.com/wp-content/uploads/2024/04/Q4-2023-FF-Report.pdf> accessed 14 May 2024.
