Over the last few years of presenting, workshopping and consulting on cybercrimes and the Cybercrimes Act, we have frequently been asked the same questions. We thought we’d help you find answers by publishing the Cybercrime FAQs and answers to make them accessible. If you don’t find answers to your questions, please join our cybercrimes programme or seek our legal advice.
Yes. There is cyber risk insurance, for your own loss, and cyber liability cover.
The SOPs don’t need their own distinct policy. Learn the details about the SOPs and the Cybercrimes Act to integrate them into existing policies related to data management, investigations and security protocols.
You can incorporate cybersecurity and awareness into ongoing training workshops.
The initial difficulty that South Africa is facing is that it does not have a cybercrimes commission. At present, the Information Regulator works closely with the police and the Hawks but uses its own processes separate to those used by the police and the Hawks when receiving data breach notifications and providing adequate measures to safeguard against future data breaches.
The Information Regulator will have a similar role with the Cybersecurity Act as it does now when receiving data breach notifications. A data breach usually occurs at the same time as a cybercrime. The difficulty with this is that you will be approaching the Information Regulator for a data breach and the police for a cybercrime at or around the same time. It would be beneficial for one agency to conduct these investigations and handle these matters, and that is why the Information Regulator has raised the proposal for a cybercrime commission for Parliament to address. The Information Regulator encourages people to write to relevant decision makers to push for the institution of a cybercrime agency.
The Information Regulator would like to clarify that it is not a cybercrime agency and does not investigate cybercrimes. It does concede that there is a need for a cybercrime agency to assist in the regulation of cybercrimes in the country. A cybercrimes agency was proposed in legislation last year but has not been discussed in greater detail by Parliament as yet.
While the Information Regulator (IR) plans to keep an eye on international developments regarding AI regulation, AI is not an immediate priority for it right now. Its current focus lies on amending existing legislation like POPI and PAIA. Cybersecurity takes the top spot on its priority list due to the surge in data breaches and its significant impact on various industries. The IR is actively developing guidance for organisations on data breach notification procedures and available remedies. Additionally, it is exploring the practicalities of penalising cybercrimes and foresees upcoming legislative updates in this area. In essence, the IR prioritises adapting existing laws and addressing pressing concerns like cybersecurity before delving into complex issues like AI regulation.
Business email compromise is a phishing method where scammers and other threat actors use email as a tool to reach (usually key) members of an organisation and trick them into revealing sensitive information or sending money.
We have a list of cybercrime cases on our website, where we provide our practical insights on these cases. Visit our cybercrime judgments page for the latest case law.
The final SOPs have been published. We’ve written a post explaining what the final SOPs are all about and how they practically affect organisations. Read more about the final SOPs: www.michalsons.com/saps-standard-operating-procedures-final
Reporting a cybercrime really depends on the capacity of the police station you report a cybercrime at and their understanding of the law. In theory, you should be able to report a cybercrime to any police station, but practically, not every police station is equipped to deal with your case. We discuss these shortcomings as demonstrated in Buchler v Minister of SAPS, where the court emphasised that there is a knowledge gap within the police when dealing with cybercrime and that there is a need to train police officers around cybercrime and their responsibilities.
The answer to this is a bit complex. POPIA, for example, states that “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and data subject”. There are many cybercrimes in the Cybercrimes Act, including the crime of unlawful access, which is essentially the unlawful and intentional access to a computer or data. Therefore, if the data breach meets the requirements of a crime in a particular cybercrime law like the Cybercrimes Act, it would also be a cybercrime.