Cybercrimes Act of 2020 – Business Compliance Obligations Explained

July 9, 2021 by Sam Strand

What is the Cybercrimes Act?

On the 26th of May 2021, South African president Cyril Ramaphosa signed the Cybercrimes Act 19 of 2020 into law. The Act commenced and became legally enforceable on December 1st, 2021.

The threat of cybercrime in South Africa is severe. Santho Mohapeloa, Digital Distribution Specialist at SHA Specialist Underwriters, notes that “cybercrime has become the top risk for small and medium-sized enterprises (SMEs).” A 2020 risk assessment by SHA noted that approximately 60% of South African SMEs suffered a financial loss of between R50,000 and R1 million.

In this rapidly evolving threat landscape, the Cybercrimes Act provides a much-needed definition for cybercrime and takes crucial steps to curb the alarming rise of cybercrime, and economic crime in general. The Institute for Security Studies praised South Africa’s Cybercrimes Act, saying that it “signals the country’s commitment to global cyber security.”

Cybercrime Definition

Broadly, cybercrime refers to criminal activity that uses a computer, a computer network or a networked device to commit a crime, or criminal activity that targets those systems in order to commit a crime (such as hacking). Cybercrime is typically carried out by individuals and organisations who want to make money. However, the exact definition of cybercrime is determined by national legislation and therefore varies from country to country.

Types of Cybercrime

National definitions of cybercrime determine what the different types of cybercrime are. South Africa’s Cybercrimes Act adopts a fairly broad definition, which includes, but is not limited to:

The unlawful access/interception of data (commonly known as hacking); the possession of illegal tools used in the commission of cybercrimes; illegal interference with software/hardware systems; cyber fraud; cyber forgery; and malicious communications (a broad term that includes the distribution of data messages with the intention to cause property damage, incite violence, or threaten a person or group of persons).

The Act’s broad definition of Cybercrime gives it a wide scope of action and allows it to encompass issues that range from online abuse to organized crime, such as forgery and theft of incorporeal property. Additionally, the Act’s definition of a ‘person’ as both natural and juristic means that the legislation can be applied to both ordinary citizens and organisations.

New Criminal Offences

The Cybercrimes Act intends to “create offences which have a bearing on cybercrime”. The Act outlines several specific criminal offences that all fall under the broad concept of cybercrime. These are summarized below.

  • Unlawful Access: the illegal and intentional access to data, data storage mediums, and computer programs and systems – commonly referred to as ‘hacking’.
  • Unlawful Interception: the illegal acquisition, viewing, capturing, or copying of data of a non-public nature via software tools.
  • Unlawful Acts (software and hardware tools): the illegal and intentional use or possession of software and hardware tools that are used in the commission of cybercrimes.
  • Unlawful Interference: the illegal interference with computer programs, data, data storage mediums or computer systems.
  • Cyber Fraud: any fraud committed by means of data or a computer program, or through interference with data or computer systems.
  • Cyber Forgery: the creation of false data or false computer programs with the intent to defraud.
  • Cyber Uttering: passing off false data or a false computer program with the intention to defraud.
  • Malicious Communications: the Cybercrimes Act criminalises malicious communications by making it illegal to send “harmful messages”. According to the Cybercrimes Act, harmful messages are those that (1) incite violence or damage to property; (2) threaten persons with violence or damage to property; or (3) contain an intimate message and/or photograph sent without the subject’s consent.

The criminalization of malicious communications empowers South African law enforcement to clamp down on various forms of blackmail.

Regulatory Compliance for Businesses: Reporting and Cooperation

Any business that falls victim to a cybercrime, or whose employee commits a cybercrime, is obligated to aid and cooperate with any investigation that may be conducted by law enforcement.

Additionally, any organisation or business that is hacked must also preserve any information related to the breach and will be punished for failing to do so. Businesses may also be called to comply with court orders regarding the provision and/or seizure of hardware, operational systems and data related to a cybercrime.

To promote the reporting, investigation and prosecution of cybercrime, the Cybercrimes Act establishes a 24/7 Point of Contact, a Cybersecurity Hub, and various nodal points – all overseen by the SAPS. With a search warrant, the Cybercrimes Act also empowers the SAPS to investigate, search, access and seize a broad range of devices and information, ranging from hardware such as computers and hard drives, to software such as databases and networks.

Although POPIA requires a responsible party to report any breach to just the Information Regulator, the Cybercrimes Act obligates ECSPs and financial institutions to report any breaches to both the Information Regulator and the South African Police Service.

Regulatory Compliance for ECSPs and Financial Institutions

Electronic Communications Service Providers (ECSPs) and Financial Institutions face additional compliance obligations under the Cybercrimes Act.

Firstly, ECSPs and financial institutions are required to report any cybercrime within a maximum of 72 hours after its detection. Secondly, in the event of a cyber-attack, ECSPs and financial institutions are legally required to preserve, for an indefinite amount of time, any information that could assist law enforcement in the investigation of a cyber-crime. Law enforcement can also order an ECSP to preserve data where there is reason to believe that there has been a cyber-crime.

Any ECSP or financial institution in violation of these obligations faces a maximum fine of R50,000.

Cybercrimes Act Punishments – Fines and Prison Sentences

Legal punishments for breaching the Cybercrimes Act are severe. Aside from the fine for ECSP and Financial Institutions, the Act does not specify the exact amounts individuals or businesses can be fined. However, prison sentences range from one to fifteen years depending on the cybercrime.

SA is a “Testing Ground” – Rising Fraud and Economic Crime

Cybercrime statistics worldwide have reached shocking new heights. According to a 2020 report by McAfee, cybercrime costs the global economy $945 billion every year – a 215% increase compared to 2013. If the additional costs of fighting cybercrime are considered, then cybercrime costs the global economy over $1 trillion a year.

South Africa is near the centre of this crisis. According to a 2020 report by Accenture, South Africa has the third-highest number of cybercrime victims in the world, due partly to South Africans being generally inexperienced internet users who fail to adequately protect themselves online and remain dangerously ignorant of cyber-related crime and threats. The country’s reputation as an easy target for cybercrime has become so bad that South Africa has become a testing ground for malware before it is deployed in other nations.

However, this issue is not unique to South Africa. A survey by Kaspersky on global IT security found a worrying trend of ignorance and unpreparedness. Although 91% of respondents had been a victim of a cyber-attack in the last year, 45% were unprepared for dedicated cyber-attacks, while 30% had not implemented anti-malware software.

Why Regulatory Compliance, Risk Management and Due Diligence are so Important

This trend of unpreparedness and vulnerability is mirrored in the corporate response to economic crimes such as vendor fraud. Fraud by business partners accounted for 46% of the most disruptive economic crimes against businesses, and 20% of respondents cited vendors/suppliers as the perpetrator of their most disruptive financial crime incident; yet 24% of respondents had no third-party due diligence or risk monitoring program whatsoever. If businesses want to operate in an environment free from crippling economic crime, this discrepancy must be addressed with the adoption of comprehensive due diligence and risk management programs.

As South Africa’s leading provider of world-class due diligence and remote-onboarding solutions, ThisIsMe is proud to be at the forefront of a trust-based and privacy-compliant digital world. To experience our full suite of advanced due diligence services, contact our team here.