SA needs effective laws to curb cyber crime, say experts
Legal experts have bemoaned the lack of effective laws in SA to fight cyber crime and are calling for urgent regulatory reforms to address the deficiencies.
Zaakir Mohamed, director in the corporate investigations sector of the dispute resolution practice at commercial law firm Cliffe Dekker Hofmeyr, believes there is an urgent need to address this issue.
Mohamed says that, coupled with the increasing number of Internet users, one of the reasons for the rise in cyber crime is deficient cyber security controls.
“South Africans using digital banking platforms are an obvious (and growing) target for savvy cyber criminals.”
He notes that preventing cyber crime remains a significant priority for banks and other financial services providers. “Cyber crime was identified as the most disruptive economic crime likely to affect organisations by respondents to the 2018 PwC Global Economic Crime and Fraud Survey.
“As this wave grows, progressive banks are increasingly embarking on communication campaigns that educate and promote awareness of cyber crime, empowering clients to identify incidents in order to avoid falling victim to fraudsters.”
When a cyber crime is committed, victims often find themselves confused as to what to do, as well as what potential legal action is available to them, says Mohamed. “Cyber crime offences are currently specifically dealt with in the Electronic Communications and Transactions Act (ECTA) that contains several offences relating to the unauthorised access to, interception of or interference with data.
“In particular, section 86(4) of ECTA provides that ‘a person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence’.
“So, in essence, victims of digital banking fraud can register a criminal case with the South African Police Service. In addition to the ECTA, there may be recourse available by way of the South African common law offences of theft, extortion and fraud.”
Cyber crime across digital banking platforms alone increased by 75% in 2018 – resulting in losses of over R262 million – according to the South African Banking Risk Information Centre’s annual statistics.
SA has been criticised for its lack of decisive policy and control over cyber crime. To address this, the State Security Agency (SSA) moved to make cyber security a top priority and published a new draft of the Cyber Security Bill on 28 August 2015.
The Bill aims to give SA a co-ordinated approach to cyber security, according to the SSA.
It also creates new offences (about 50) that are related to data, messages, computers and networks. Examples of the new offences include using personal or financial information to commit an offence, hacking, unlawful interception of data, as well as computer-related forgery and uttering, extortion or terrorist activity.
In terms of the Bill, penalties for committing an offence can range from one year to 25 years’ imprisonment, or a fine of R1 million to R25 million.
Legal experts cite the South African Reserve Bank’s (SARB’s) directive on cloud computing and data offshoring as an exemplary regulatory effort to curb cyber crime.
The directive, which took effect from October 2018, details items banks must consider when electing to adopt cloud computing as a service or any offshoring of data.
The SARB requires that banks elect a risk-based and mitigation approach, giving consideration to the bank’s risk profile, size and operations.
Critical provisions of the directive include that the bank must have a formal board-approved data strategy and governance framework; ensure the offshoring of data and use of cloud computing in no way inhibits any regulator’s ability to fulfil its duties; and lastly, ensure any cloud computing arrangement does not impair the bank’s ability to conduct forensic audits or investigations.
Simone Dickson, director in Cliffe Dekker Hofmeyr’s technology, media and telecommunications practice, says SA has to focus on issues surrounding cyber crimes and data protection in order to regulate the risks inherent in a digital world.
“The South African Reserve Bank’s directive on cloud computing and data offshoring, effective from October 2018 and which applies to all banks, is a good example of regulatory efforts being made to govern and address issues in this sector.
“This directive imposes stringent obligations on banks, including the requirement to implement a formally defined and board-approved data strategy and data governance framework. This goes some way towards ensuring the risks are critically assessed and measures have been implemented to address data risk.”