
Widaad Ebrahim-Fakier Shares Five Cybercrime Warnings For South African Companies

South Africa is a global cybercrime hotspot, a dubious distinction that is ushering in new warnings and likely inevitable regulatory changes which both companies and individuals need to take heed of. Legal expert Widaad Ebrahim-Fakier, a Johannesburg-based director at international law firm A&O Shearman, shares five points of concern about South Africa’s cybercrime situation and advice on how to address them.

1. Take note: Section 54 of the Cybercrimes Act of 2020 will likely be enacted soon

Section 54 of the Cybercrimes Act has been on the cards for more than four years and is finally about to be enacted. Although the Act was passed in 2020, its sections are being brought into force piece by piece, in a phased approach, and the Act has now been partially operational for two years.

Section 54 will impose cybercrime reporting obligations on electronic communications service providers (ECSPs), such as internet service providers, telecoms companies and digital services businesses, and on financial institutions, such as banks, insurers, fintechs and investment firms. What does this mean? First, the Act stipulates that affected companies have 72 hours from becoming aware of any cybercrime on their networks to report it to the South African Police Service (SAPS). Second, ECSPs and financial institutions are also obliged to preserve any information which may be of assistance to the SAPS in investigating the offence. Importantly, and the Act specifies this, section 54 does not create a proactive monitoring obligation. It is purely reactive: the trigger for reporting is the moment an ECSP or financial institution becomes aware of an incident.

It is becoming increasingly important that affected companies invest in adequate cybercrime prevention, detection and response resources to manage their obligations and their overall risk relating to data protection and cybercrime. Under the Cybercrimes Act, companies that fail to report serious cybercrime breaches could face fines of up to R50 000. Affected companies can no longer avoid reporting cybercrimes to the authorities, and they will need to ensure that they log all cyber activities and store those logs appropriately – a task that is more easily said than done.

2. The FATF’s greylisting of South Africa is driving change

The Financial Action Task Force (FATF), the global intergovernmental organisation tasked with combating money laundering and terrorist financing (AML/CFT), lays down strict guidelines on the prevention of financial crimes, which may include online financial cybercrimes. South Africa is trying to exit the FATF greylist by imposing stricter local crime prevention guidelines in line with the FATF’s existing guidelines and recommendations.

Companies need to be aware that local regulatory enforcement in South Africa is likely to become much stricter (if it has not already) as a result of the FATF’s greylisting and the country’s attempts to get off the greylist. In its update published in February 2024, the FATF noted that South Africa must demonstrate that all AML/CFT supervisors (which include the Prudential Authority and the Financial Sector Conduct Authority) apply effective, proportionate and dissuasive sanctions for non-compliance. What this means is that there is likely to be stricter regulatory enforcement, with higher fines and administrative penalties for cases of non-compliance.

3. South Africa must undo its status as a global cybercrime density hotspot

In 2023, South Africa ranked fifth on the global Data Vulnerability Thermometer, which combines open-source FBI information and research algorithms to rank countries by their overall cybercrime prevalence. South Africa’s dubious ranking is inviting further regulatory reforms to address the issue.

South Africa may see more legislation to enforce stricter IT security. European Union policymakers (who previously set the standard for data protection regulation, here in South Africa and elsewhere) have again surged ahead with a recent increase in cybersecurity regulation, for example the Cyber Resilience Act. That Act imposes risk management, reporting and oversight requirements across industries and supply chains in respect of the full spectrum of hardware and software products “to strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike”. The Digital Operational Resilience Act (DORA) in turn regulates institutions in the financial sector. DORA and the Cyber Resilience Act follow the enactment of the NIS2 Directive earlier in 2023, which applies across different sectors and, in broad terms, provides legal measures to boost the overall level of cybersecurity in the EU.

Here in South Africa, on 17 May 2024, the Financial Sector Conduct Authority and the Prudential Authority issued Joint Standard 2 of 2024 – “Cybersecurity And Cyber Resilience Requirements” – applicable to financial institutions (including banks, insurers and market infrastructures, amongst others). The Joint Standard sets out the minimum requirements and principles for cybersecurity and cyber resilience for financial institutions in South Africa, including the reporting of “major” cyber incidents or information security compromises to designated authorities. It is expected to commence in June 2025, but the effective date has yet to be announced.

Companies need to prepare for increased regulation by implementing multi-pronged strategies that encompass legal compliance, operational oversight, strong technological protections and analytics, and employee and customer education, in order to address their cybercrime vulnerabilities.

4. South African companies need to brace for new cybercrime rules

Just as banks have had to commit to regulatory compliance, so too new rules and regulations will likely emerge that change how South African companies approach cybercrime prevention. The Prudential Authority of South Africa, for instance, has far-reaching anti-money laundering enforcement powers and is likely to become much tougher on financial cybercrimes in the coming years.

Aside from the potential “non-compliance penalty” under the Cybercrimes Act – and the new rules expected for financial institutions under the Joint Standard referred to above – there is also increasing regulatory oversight from the Information Regulator in respect of data breaches resulting from cybercrime incidents. Under the Protection of Personal Information Act, organisations are required to protect the personal information they process and could face severe penalties if they fail to prevent a data breach. These penalties can include fines of up to R10 million or imprisonment for up to 10 years, depending on the severity of the breach.

5. AI is the next big threat in South Africa, and we need to respond now

The Cybercrimes Act of 2020 needs to be updated to cater for the dangers of artificial intelligence (AI), including AI-driven phishing and AI-powered DDoS attacks. These threats are not yet properly legally identified, regulated or policed in South Africa – and this leaves the country vulnerable to serious harm.

If the Cybercrimes Act is the high-water mark of cybercrime protection in South Africa, and it does not even specifically mention AI, or indeed impose any specific cybersecurity measures, then our policymakers have some urgent work to do. That is a fact they are neither immune to nor unaware of.

By Thomas Chiothamisi