South Africans are defrauded in excess of ZAR2.2 billion each year through online scams and cyber related crimes, according to the South African Banking Risk Information Centre (SABRIC).

SABRIC CEO Kalyani Pillay says, “South Africa is one of the top targets for cybercrime in Africa due to its comparatively high levels of internet connectivity, resulting in a larger attack surface than many other nations on the African continent.”

"Organised criminals have now entered this arena and the scale and sophistication of these scams has increased significantly in recent times," according to SABRIC General Manager Kevin Twiname.

What is cybercrime? It is defined as "any criminal or other offence that is facilitated by or involves the use of electronic communications or information systems, including any device or the internet or any one or more of them" in the Electronic Communications and Transactions Amendment Bill, 2012.

The threat posed by cybercrime to business is a potential data breach, and theft of data or an online leak of sensitive information.

In the 2016 Cost of Data Breach Study conducted by IBM and the Ponemon Institute, the costs incurred by 19 organisations from 9 different industry sectors are examined following the theft of protected personal data. On average, the total organisational cost of a data breach in South Africa is ZAR20.6 million. According to the study, cybersecurity incidents continue to grow in both volume and sophistication globally with 64% more security incidents reported in 2015 than in 2014.

Cybercrime in South Africa

On 12 February 2016 the Government Communications and Information Services (GCIS) database was hacked by "hactivist" group "Anonymous", resulting in a leak of the names, phone numbers, email addresses and passwords of approximately 1500 government employees.

On 16 February 2016 the South African Department of Water Affairs was hacked by the same group, resulting in the leak of sensitive data including usernames, passwords, full names, identity numbers, highly sensitive data and details of projects undertaken by that department.

At the 2015 Security Summit, held in Johannesburg, it was revealed that South Africa suffered more cybercrime attacks than any other country in Africa during a six-week period leading up to the summit.

In response to the elevated threat of cybercrime, the South African Reserve Bank announced, on 23 August 2016, the establishment of a special forum of "all South Africa's major financial institutions" to put together contingency measures to protect critical financial infrastructure from a prolonged cyber-attack.

According to Reserve Bank Governor Lesetja Kganyago, "As a central bank and a regulator in the financial sector, the bank would be remiss in its duty if it ignored the growing risks emerging from the financial services sector’s increasing reliance on cyberspace and the internet."

Legislation in South Africa

The escalation of cybercrime in South Africa has elicited legislative intervention from government in the form of the draft Cybercrimes and Cybersecurity Bill (the Bill). On 28 August 2015, the Department of Justice and Constitutional Development (DOJ & CD) invited public comment on the Bill.

According to the "Discussion document", the DOJ & CD was mandated to review the cyber- security laws of South Africa to ensure that these laws provide for a coherent and integrated cybersecurity legal framework.

The purpose of the Bill is, among others to:

  • Create offences and prescribe penalties.
  • Regulate the powers to investigate, search and gain access to or seize items.
  • Regulate aspects of international cooperation in respect of the investigation of cybercrime.
  • Provide for the establishment of a 24/7 point of contact.
  • Provide for the establishment of various structures to deal with cybersecurity.
  • Regulate the identification and declaration of national critical information infrastructures and provide measures to protect these.
  • Regulate aspects relating to evidence.
  • Impose obligations on electronic communications service providers regarding aspects that may impact cybersecurity.
  • Provide that the President may enter into agreements with foreign states to promote cybersecurity.

Subsequent to the closing date for public comment on 30 November 2015, there have been no recent events associated with the Bill.

The Protection of Personal Information Act 4 of 2013, which specifies the legislative requirements for protection of data in South Africa, has not yet been implemented.

In light of the preventative measures implemented in both the public and private sector, relating to cybersecurity and guarding against cyber-attack, it is evident that cybercrime poses an immediate and costly danger to business in South Africa.