Published Date: 11/06/2023
Source: By Karl Blom, Partner & Laone Setshedi, Candidate Attorney from Webber Wentzel
Karl Blom
Laone Setshedi
Cyber security has taken centre stage in South African commerce, and it's no surprise, given the prevalence of ransomware attacks on businesses in Africa.
South African law sets out specific obligations to address these risks if they arise.
The obligation to secure your data
The Protection of Personal Information Act (POPIA) imposes specific obligations on businesses to maintain the integrity and confidentiality of the information that they process. This includes taking technical and organisational measures to prevent unlawful access to information in their possession or under their control.
These steps include:
As bad actors continue to update their techniques (and ransomware becomes more advanced), businesses are similarly required to update their safeguards to address these new risks. These practices may differ depending on whether a business is, for example, part of the telecommunications, insurance, or financial services industry.
The legal status of ransomware attacks
When a business is the victim of a ransomware attack, the attackers typically:
A typical ransomware attack would, likely constitute cyber extortion and cyber fraud, and would be considered an 'aggravated offence' if the ransomware targets a 'restricted system' (which includes the systems of financial institutions). The South African courts have, however, yet to convict a cybercriminal under the Cybercrimes Act, 2013 for committing a ransomware attack.
Obligations after a ransomware attack
A victim of a ransomware attack is placed in a very difficult position:
Businesses will typically be required to make several notifications arising from a ransomware attack, including notifications to:
If a business wishes to pay the ransom (or negotiate with the attackers), it must ensure that it does not inadvertently contravene any applicable laws when doing so. This includes:
Following notification to the SAPS, it is important to note that the SAPS may (in terms of the Cybercrimes Act) require a business to preserve all information which may assist SAPS in their investigation of the ransomware attack, and potentially to provide police officials and investigators with reasonable technical and other support that they may need to conduct their investigation.
Other things to consider:
When responding to a ransomware attack, it is often prudent to brief (through your attorneys if required) a number of experts, who may include:
It is also important to ensure that, where a business holds insurance for losses arising from ransomware attacks, there is strict compliance with the terms of the insurance policy (which may regulate, for example, whether a business can make payment of a ransom).
The prevalence of ransomware attacks and other forms of cybercrime is an ongoing concern that businesses must contend with. Taking reasonable proactive measures against these attacks and obtaining proactive legal advice is vital to ensure that these incidents do not become an existential threat to your business.
Made with
Easy Website Builder
SHARE THIS PAGE!