Legal recourse… don’t become a victim
Cyber-related incidents (e.g. cybercrime, IT failure, data breaches) have been rated as the number one risk to South African businesses according to the 2018 Allianz Risk Barometer report.
Fatima Ameer-Mia, Senior Associate within the technology and sourcing practice at commercial law firm Cliffe Dekker Hofmeyr, says local companies need to better understand what legal recourse is available to them to mitigate these cyber risks, as well as how to assess whether or not their IT infrastructure and security provide sufficient protection against cyber incidents.
A crippling effect on business
“South Africa is a top target for cybercrime in Africa because of its high internet connectivity rates, attractive GDP per capita and poor levels of cyber security (especially in business). South African law enforcement authorities are generally also poorly equipped to prosecute cybercrimes. This makes South African companies, like banks and financial institutions, cybercrime targets,” says Ameer-Mia.
“With the rise in cyber extortion/ransomware (e.g. the recent "WannaCry" ransomware) and data breaches, companies face huge risk. Ransomware can have a crippling effect on business continuity and operations, and the reputational and financial damage of a data breach can be devastating for an ill-prepared company,” continues Ameer-Mia.
“It is therefore important for companies to understand the regulatory environment and what legal recourse is available to them so that they can adopt a pro-active management strategy rather than a crisis driven response,” emphasises Ameer-Mia.
Legal side of law enforcement
“From a legal perspective, the law has been slow in keeping up with technological advances, but things are starting to progress. The Electronic Communications and Transactions Act broadly includes ransomware attacks under "interception of data". However, the draft Cybercrimes and Cybersecurity Bill specifically deals with the intentional and unlawful interference of data and software and defines numerous new cybercrimes which were previously near impossible to prosecute. It also imposes extensive cybersecurity obligations on electronic communications service providers, financial institutions and any company or entity which is declared by the Minister of State Security to own or control a critical information structure. Non-compliance carries hefty penalties and/or imprisonment,” says Ameer-Mia.
“The Protection of Personal Information (POPI) Act (which has not yet commenced) also contains a notification procedure in the event of a data breach, which notice must be given both to the Information Regulator and to the data subjects affected. POPI also imposes administrative fines, penalties and/or sanctions. Furthermore, POPI will provide remedies and a complaint channel for those compromised by the unlawful processing of personal information,” continues Ameer-Mia.
“At present, in the absence of the legislative framework being in force, businesses that are cybercrime victims have limited recourse. Businesses would have to follow the standard procedure when a crime is committed – this will include reporting the cyber incident to SAPS for investigation. Companies should ensure that they tightly manage the evidence gathering and investigation process, to avoid tainted evidence and resultant low prosecution levels,” emphasises Ameer-Mia.
“Once the Cybercrimes Bill comes into force, law enforcement agencies and investigators will have extensive powers to investigate cybercrimes. Companies defined as "electronic communications service providers" will be obligated to assist the law enforcement agencies and investigators and failure to comply will constitute an offence under the Bill,” she says.
Standard procedure to follow
“The key question should not necessarily be focussed on what recourse is available to a business that is a cybercrime victim, but rather how prepared the business is against a potential cyber attack. In this regard it is critical for businesses to implement stringent security measures, including access controls, encryption methods, antivirus and spamware firewalls and proper back-up systems. Businesses should adopt a pro-active approach to compliance and implement a risk management framework to ensure they are adequately prepared in the event of a cyber attack. This includes prioritising the security of their data and IT systems,” continues Ameer-Mia.
“Companies need to understand the legal requirements which apply to the company (e.g. POPI, Cybercrimes Bill, RICA etc.) in order to establish a compliance plan. This includes assessing the risk exposure in its supply chain – including third party suppliers and outsourced services,” she says.
“Companies should ensure that third parties with whom they deal have similar adequate protections in place to prevent a cybercriminal from getting into the company’s infrastructure through one of its suppliers/partners. In this regard, assessing supplier contracts to ensure that suppliers are adequately protected is important. Increasingly, many companies are insisting that their suppliers implement a certain level of IT security practices as a prerequisite to doing business. This adds to a layered approach to ensure that a company covers off as many risks as possible,” explains Ameer-Mia.
“A business should determine its level of exposure. This includes looking at its assets and critically examining the flow of data in the organisation to identify any weak spots. The business should also identify likely threats such as disgruntled employees, hackers, systems vulnerabilities etc. Next, the business should formulate a cyber incident response plan. This includes establishing notification and escalation procedures when an attack occurs, formulating a PR strategy in the event of an incident, establishing evidence gathering guidelines, and a stakeholder notification procedure (including any regulatory authorities). As ongoing steps, a business should consistently be training its employees and staff on data protection and cybersecurity, staying abreast of regulatory developments, and regularly testing and reviewing its incident response plans and security policies and procedures,” she says.
Editor’s Thoughts:
As Ameer-Mia emphasises, the truism that the best offence is a great defence rings true for cybercrime. Businesses should focus their efforts on prioritising the security of their data and IT systems. Do you believe that once the Cybercrimes Bill comes into force we will see a change in cybercrime? If you have any questions please comment below, interact with us on Twitter at @fanews_online or email me - myra@fanews.co.za.