The new digital landscape: Managing risk and building resilience
The Cybercrimes Act 19 of 2020 (the Act) was assented to as early as 26 May 2021 but had not yet commenced. The President has now announced, in terms of section 60 of the Act, that certain sections of the Act commence from 1 December 2021 (the proclamation).
We enclose a copy of the proclamation here.
We summarise below the key sections of the Act that commence from 1 December 2021:
Under Chapter 2 of the Act, the following activities are enforceable and would constitute cybercrimes:
The Act recognises certain cybercrimes in section 11 as an aggravated offence (which is not defined) where a “restricted computer system” is unlawfully accessed and where such data, computer program, computer data storage medium or computer system is under the control of, or exclusively used by, a financial institution (such as a licensed bank or insurer) or an organ of state and which is protected against unauthorised access or use by security measures.
The sections relating to jurisdiction set out under Chapter 3 have commenced, which empower a court in South Africa to try any offence listed under Parts I and II of Chapter 2 of the Act.
Notably, South African courts have extra-territorial jurisdiction to try any cybercrime committed outside South Africa if that act was against or affects any person, public body or business residing or incorporated in South Africa, or a restricted computer system within South Africa as contemplated in section 11(1)(b) of the Act.
Most sections under Chapter 4 are now effective and grant the South African Police Service (and its members and investigators) extensive powers to investigate, search, access and seize any computer, computer program, database or network or part thereof.
Under section 34 of the Act, electronic communications service providers, financial institutions or any person in control of any data, computer program, computer data storage medium or computer system which is subject to a search authorised by a court in terms of section 29 are obligated to assist police officials and investigators with the provision of technical assistance such as data collection. A contravention of this section can render the offender liable for a period of imprisonment not exceeding two years and/or a fine.
Section 39 prohibits the disclosure of information by any person, financial institution, electronic service provider, police official or investigator if obtained during the exercise of any duties in terms of Chapter 4 or 5 of the Act which relate to the investigation of any cybercrimes or mutual assistance with foreign states. Chapter 5 has, however, yet to come into force.
No duty to establish a designated Point of Contact - yet
The Act requires the National Police Commissioner to establish a Point of Contact within the existing structures of the South African Police Service (SAPS) with the mandate to assist with proceedings and investigations relating to cybercrimes. Chapter 6, which imposes this obligation on the SAPS, has not yet entered into force and the reporting of offences will, until its commencement, have to go through ordinary reporting channels provided by the SAPS.
No reporting obligations under the Cybercrimes Act for financial institutions and electronic communications service providers - yet
Notably, the proclamation expressly excludes section 54 of the Act, which prescribes certain reporting obligations and capacity building under Chapter 8.
This means that electronic service providers and financial institutions are not yet obligated to report cybercrimes set out in Part I of Chapter 2 of the Act to the SAPS within 72 hours of becoming aware of the offence, and to preserve any information that may assist the SAPS in their investigation of the alleged offence.
However, given that this provision will come into force at a later stage, it would be sensible for both electronic communications service providers and financial institutions to start implementing appropriate reporting procedures as failure to comply with this section after its commencement could result in an offence and a fine not exceeding R50 000.
Reporting procedures should align with existing reporting procedures adopted in terms of (amongst others) the Prevention of Organised Crime Act, 1998 (PoCA), the Financial Intelligence Centre Act, 2001, and the Prevention and Combating of Corrupt Activities Act, 2004 (PRECCA).
The proclamation is a welcome step in providing certainty that the commission of a cybercrime is an offence in South African law.
Should you require assistance in developing an incident response management framework or guidance on the legislative landscape for cybercrime and mitigating its impact on your business, please reach out to Clyde & Co’s Cyber and Regulatory teams.