Under attack

As cybercrime continues to target businesses, legislation can help create awareness among the weakest link in defence – employees.

In June 2024, the treatment of patients across South Africa's public health facilities was compromised by cybercriminals who blocked all access to the central lab that processes blood tests. The ransomware attack on the National Health Laboratory Service affected about 1.2 TB of confidential data, causing nearly three weeks of delays and disruptions in the public health sector. Earlier in 2024, the Government Employees Pension Fund (the continent's largest pension fund) and the South African Justice Department were also held to ransom by cybercrime syndicates.

Ransomware – malicious software that illegally encrypts files and demands a ransom in exchange for the decryption key – was identified by Interpol as one of the most serious emerging cyberthreats in Africa. It frequently targets essential infrastructure, not only public but also private, as the attack on Safaricom illustrates. In August this year, Kenya's largest mobile network provider was held to ransom and suffered financial losses through the disruption of its mobile money transactions and customer support systems.

'African companies are significantly exposed to cybercrime due to rapid digital adoption and often inadequate cybersecurity measures,' says Ahmore Burger-Smidt, director and head of regulatory practice at Werksmans Attorneys. 'Various reports indicate a high volume of cyber incidents, particularly in South Africa, including phishing, ransomware and data breaches. Key attack points currently include, in no particular order, phishing, ransomware attacks, the prevalence of weak passwords and often vulnerabilities in outdated systems that can be easily exploited.'

Cybercrime is a worldwide, borderless risk, with malware, deepfakes and misinformation threatening supply chains, financial stability and democracy, according to the WEF's 2024 Global Risks report.
The WEF noted in 2022 that cyberattacks were becoming increasingly hostile and ruthless (targeting more vulnerable victims, for example hospitals and pension funds) while the attack vectors were expanding in line with rapid tech advancements. Alarmingly, the WEF found that 95% of cybersecurity incidents are a result of human error, and 43% of breaches are insider threats.

So, if nearly all cyber risk comes down to the human factor, what role does the law play in reducing cybercrime in Africa? A critical one, according to Era Gunning, an executive in ENS' banking and finance practice. 'Legislation causes awareness due to training campaigns such as "think before you click" and the like,' she says. 'This will help to decrease human error.'

Clear legal compliance frameworks can also define cybersecurity responsibilities, making employees more aware of their role in protecting sensitive information, says Burger-Smidt. 'Furthermore, legislation can encourage the adoption of industry standards and best practices, helping organisations mitigate cyber risks associated with human error.'

She describes the state of cybercrime legislation in Africa as 'varied and evolving', noting that countries are at different stages of developing their cybercrime laws. 'Some, like South Africa, Nigeria and Kenya, have implemented comprehensive laws, while others lack specific legislation. Many countries are actively updating or creating cybercrime laws to address rising threats,' she says.

The AU has also advocated for a harmonised legal approach to enhance co-operation among member states, with its Convention on Cyber Security and Personal Data Protection (Malabo Convention) in effect since 2023. Harmonisation is important. In South Africa, the Cybercrimes Act has consolidated the laws that deal with cybercrime into a single act that criminalises conduct considered to be cybercrime, explains Gunning.
'The act also criminalises the disclosure of data messages which are harmful and provides for protection orders to protect victims against harm. And the act also regulates the powers to investigate cybercrimes,' she says. 'Cybercrime, being transnational in nature, requires collaboration with other countries, and the act regulates aspects relating to mutual assistance in respect of the investigation of cybercrimes. To ensure proper co-ordination of cases in South Africa, the act provides for the establishment of a point of contact within the South African Police Service [SAPS].

'The act also imposes obligations on electronic communications service providers and financial institutions to report cybercrimes to the SAPS and provides for capacity building by the SAPS to detect, prevent and investigate cybercrimes,' says Gunning.

Burger-Smidt adds that the act encourages organisations to adopt better cybersecurity practices by promoting awareness of cyberthreats and establishing penalties for non-compliance. 'While the Cybercrimes Act is a significant step forward, its effectiveness depends on proper implementation, resources and ongoing education to cultivate a culture of cybersecurity across all sectors,' she says. 'Strengthening cross-border collaboration can enhance responses to global cybercrime networks. By being adaptive and proactive, the act can better address the evolving landscape of cyberthreats.'

Gunning agrees, underlining that the effectiveness of the act will depend on many factors, including enforcement, international co-operation (given its extraterritorial application), public-private collaboration and adaptability to technological advancements.
'As cybercrimes evolve due to technology and new ones are created, the act would need to be amended on a periodic basis.'

It's important to understand the linkage between South Africa's Cybercrimes Act and the Protection of Personal Information Act (POPIA), which safeguards personal and private information. Data protection laws form a crucial element in legislating against cybercrime, according to Gunning, because they require entities 'to implement reasonable technical and organisational measures to protect personal data, including against cybercrime'.

Businesses operating in South Africa need to know that POPIA applies to all data subjects – natural persons (human beings) as well as juristic persons (such as companies). This differs from Europe, the UK and African jurisdictions such as Ghana and Uganda, which only protect the privacy of actual people and not companies. Consequently, in South Africa a personal data breach resulting from a cyberattack is reportable under POPIA, even if it involves only juristic person data, says Gunning. 'Overseas these are generally only reportable if the breach can cause substantial harm to human beings.'

POPIA also has implications for businesses that are held to ransom by cybercriminals and wonder whether to pay the ransom (to recover their data and limit service interruptions, loss of revenue and reputational damage). Rakhee Bhoora, a partner at Fasken law firm, explains that because private entities or businesses have an obligation to notify data subjects of security compromises following a cybersecurity breach, they can't simply pay a ransom demand with the intention that data is restored and operations merely resume as normal.
'They are also faced with the consequences of any breach of the obligations arising out of POPIA notwithstanding any payment of ransomware,' she says, adding that under South African law it's not illegal per se to make ransomware payments.

Many companies end up paying. The 2024 State of Ransomware in South Africa report by cybersecurity firm Sophos revealed that it's generally more expensive to recover than to pay the ransom – the average ransom paid was ZAR17.9 million versus the average recovery cost of ZAR19.4 million (including costs of downtime, people time, network and lost opportunity, but excluding the ransom).

However, while there is no legal prohibition on paying a ransom, Bhoora warns that 'consideration should be given to whether such an entity or person to whom the ransom payment is being made is sanctioned or a terrorist group. Ultimately, it is the very function of payment that begets more attacks and fuels the cyber organised crime "economy" and ecosystem'.

That's why the South African government generally doesn't pay ransoms for cyberattacks, focusing instead on restoring systems and boosting cybersecurity. It's a difficult decision, especially when people's lives are at stake, as in the cyberattack on the National Health Laboratory Service. According to Fasken's legal team, the overall consensus is to legally implement a ban or prohibition on ransomware payments in South Africa, with the goal of eradicating the basis for the existence of this cybercrime.

By Silke Colquhoun