Cybercrime and the Role of Directors

Key Takeaways

  • What: Cybercrime is any illegal activity that involves a computer, a digital device, or a computer network. It can cause financial losses, reputational damage, legal liability, and operational disruption for businesses and their directors.
  • Why: Cybercrime is a growing threat in South Africa, with an estimated cost of R2.2 billion in 2020. Directors have a duty to protect their company’s data and information from cyber threats, as well as to comply with the relevant laws and regulations.
  • How: Directors can combat cybercrime by implementing effective cybersecurity policies and procedures, educating and training staff and stakeholders, investing in appropriate technology and tools, monitoring and testing cybersecurity performance, and collaborating with external partners and experts.
  • Who: This guide is for directors of any type of business in South Africa who want to learn more about cybercrime and how to prevent it.
  • Where: This guide provides practical and relevant information for the South African context, including the legal and regulatory framework, the common types of cybercrime, and the best practices and strategies for cyber resilience.

Understanding Cybercrime and the Role of Directors

What is Cybercrime?

Cybercrime is any illegal activity that involves a computer, a digital device, or a computer network. Cybercrime can take many forms, such as data breaches, ransomware, denial-of-service attacks, phishing, identity theft, and cyber fraud. Cybercrime can target individuals, businesses, or governments, and can have various motives, such as financial gain, espionage, sabotage, or activism.

Why is Cybercrime a Concern for Directors?

Cybercrime is a growing threat in South Africa; one widely cited industry estimate put the annual cost to the country at roughly R2.2 billion in 2020. Cybercrime can cause significant harm to businesses and their directors, such as:

  • Financial Losses: Cybercrime can result in direct losses, such as theft of funds or assets, or indirect losses, such as loss of productivity, revenue, or customers.
  • Reputational Damage: Cybercrime can damage the reputation and trust of a business, affecting its brand image, customer loyalty, and market share.
  • Legal Liability: Cybercrime can expose a business and its directors to legal liability, such as fines, penalties, lawsuits, or criminal charges, for failing to protect personal information or comply with the relevant laws and regulations.
  • Operational Disruption: Cybercrime can disrupt the normal functioning of a business, affecting its availability, performance, or quality of service.

Directors have a duty to act in good faith, in the best interests of the company, and with the degree of care, skill, and diligence reasonably expected of a director (codified in section 76 of the Companies Act). This includes taking reasonable steps to protect the company’s data and information from cyber threats, and to comply with the relevant laws and regulations. Failure to do so can expose directors to personal liability under section 77 of the Companies Act, in addition to the damage done to the company’s reputation and performance.

The Legal and Regulatory Framework for Cybercrime in South Africa

South Africa has a number of laws and regulations that govern cybercrime and cybersecurity, such as:

  • The Protection of Personal Information Act (POPIA): This act protects the privacy and security of personal information, and requires responsible parties to implement appropriate, reasonable technical and organisational measures to safeguard personal information against loss, damage, unauthorised destruction, and unlawful access or processing (section 19). Businesses must appoint an Information Officer and register that officer with the Information Regulator; the Information Officer is responsible for ensuring compliance with POPIA. Where personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise (section 22). Note that POPIA itself sets no fixed 72-hour deadline; that figure comes from the EU GDPR and should not be read into the South African Act.
  • The Promotion of Access to Information Act (PAIA): This act aims to promote transparency and accountability, and requires businesses to provide access to information that is required for the exercise or protection of any right. Businesses must also publish a PAIA manual, which outlines the procedures and fees for requesting information, and the categories of information that are available or exempt from disclosure.
  • The Companies Act: This act regulates the formation, management, and dissolution of companies, and imposes various duties and responsibilities on directors, such as acting in the best interests of the company with due care, skill and diligence (section 76), avoiding conflicts of interest, and maintaining proper records. The act also establishes the Companies and Intellectual Property Commission (CIPC), which enforces compliance, and the Companies Tribunal, which adjudicates certain applications and disputes.
  • The Cybercrimes Act: This act (Act 19 of 2020) creates the substantive cyber offences in South African law, including unlawful access to a computer system or data, unlawful interception of data, unlawful interference with data or a computer system, cyber fraud, cyber forgery and cyber extortion. It also obliges electronic communications service providers and financial institutions to report offences committed on their systems to the South African Police Service within 72 hours of becoming aware of them, and to preserve related evidence.
  • The King IV Report on Corporate Governance: This report provides principles and recommended practices for good corporate governance, and emphasises the role of the governing body in overseeing the strategy, performance, and risk management of the company. Principle 12 requires the board to govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives; the board may delegate oversight to a committee (for example a risk or technology committee) but remains accountable, and should ensure that the company monitors for and responds to cyber incidents and has a cyber resilience programme in place.

Combating Cybercrime and Enhancing Cyber Resilience

The Duties and Responsibilities of Directors for Cybersecurity

Directors have a key role to play in ensuring the cybersecurity of their company, and should:

  • Understand the Cyber Threat Landscape: Directors should be aware of the common types of cybercrime, the potential impact on their business, and the legal and regulatory implications. They should also monitor the emerging trends and developments in the cyber domain, and assess the level of exposure and vulnerability of their company.
  • Develop and Update Cybersecurity Policies and Procedures: Directors should establish and maintain a clear and comprehensive cybersecurity framework, which outlines the roles and responsibilities, the objectives and strategies, and the policies and procedures for cybersecurity. The framework should be aligned with the company’s vision, mission, and values, and should be reviewed and updated regularly to reflect the changing cyber environment.
  • Educate and Train Staff and Stakeholders: Directors should ensure that all staff and stakeholders are aware of and comply with the cybersecurity policies and procedures, and that they receive adequate training and education on cybersecurity. Directors should also foster a culture of cyber awareness and responsibility, and encourage reporting and feedback on cybersecurity issues.
  • Invest in Appropriate Technology and Tools: Directors should allocate sufficient resources and budget for acquiring and maintaining appropriate technology and tools for cybersecurity, such as antivirus software, firewalls, encryption, backup, and recovery systems. Directors should also evaluate and select the best vendors and service providers for cybersecurity, and ensure that they meet the required standards and specifications.
  • Monitor and Test Cybersecurity Performance: Directors should measure and monitor the effectiveness and efficiency of the cybersecurity policies and procedures, and the technology and tools, and identify and address any gaps or weaknesses. Directors should also conduct regular audits and tests to assess the security and resilience of the company’s data and information, and to simulate and respond to potential cyber incidents.
  • Collaborate with External Partners and Experts: Directors should establish and maintain good relationships and communication with external partners and experts, such as government agencies, industry associations, law enforcement, cybersecurity consultants, and researchers. Directors should also share and exchange information and best practices on cybersecurity, and seek advice and assistance when needed.

The Challenges and Risks of Cybercrime for Directors and Businesses

Despite the efforts and initiatives of directors and businesses to combat cybercrime, there are still some challenges and risks that need to be addressed, such as:

  • Lack of Awareness and Skills: Many directors and businesses lack the awareness and skills needed to understand and manage cybercrime, and may underestimate or ignore cyber threats and their impact. They may also lack the capacity to implement and maintain effective cybersecurity measures, and to respond to and recover from cyber incidents.
  • Lack of Resources and Budget: Many directors and businesses lack the resources and budget to invest in and sustain appropriate security technology and tools, or to afford capable vendors and service providers. They may also struggle to prioritise cybersecurity against other demands, and to justify the return on investment in security to shareholders.
  • Lack of Coordination and Collaboration: Many directors and businesses do not coordinate cybersecurity efforts internally or with external partners and experts, and may hold conflicting or inconsistent views on how to approach it. Sharing threat information and best practices, and obtaining timely advice and assistance, remains difficult.
  • Lack of Compliance and Enforcement: Many directors and businesses fail to comply with the laws and regulations on cybercrime and cybersecurity, and may face legal liability or sanctions as a result. The overlapping and complex legal requirements make compliance difficult, and enforcing rights and remedies against cybercriminals, who are often outside South Africa, is slow and uncertain.

The Best Practices and Strategies for Cyber Resilience

Cyber resilience is the ability of a business to anticipate, withstand, recover, and adapt to cyber threats, and to continue operating effectively and efficiently. Cyber resilience is more than just cybersecurity, as it involves not only preventing and protecting against cyber threats, but also detecting and responding to cyber incidents, and learning and improving from cyber experiences. Cyber resilience is essential for directors and businesses to survive and thrive in the digital age, and can be achieved by following some best practices and strategies, such as:

  • Adopt a Risk-Based Approach: Directors and businesses should adopt a risk-based approach to cyber resilience, which involves identifying and assessing the cyber risks, prioritising and mitigating the cyber risks, and monitoring and reviewing the cyber risks. A risk-based approach can help directors and businesses to allocate and optimise their resources and budget for cyber resilience, and to balance the trade-offs between security and performance.
  • Implement a Cyber Resilience Program: Directors and businesses should implement a cyber resilience program, which is a comprehensive and systematic plan that outlines the objectives and strategies, the roles and responsibilities, and the policies and procedures for cyber resilience.
  • Apply Appropriate Technology and Tools: Directors and businesses should apply technology and tools that address the risks identified in their risk assessment, for example for threat detection, data protection, identity verification, backup and recovery, and incident response. Newer technologies such as artificial intelligence, cloud computing, and biometrics can provide useful capabilities, but they should be selected because they reduce an assessed risk, not because they are new.
  • Foster a Culture of Cyber Awareness and Responsibility: Directors and businesses should foster a culture of cyber awareness and responsibility, which involves creating and communicating a clear and consistent vision and message on cyber resilience, and engaging and empowering all staff and stakeholders to participate and contribute to cyber resilience. A culture of cyber awareness and responsibility can help directors and businesses to instill and reinforce the values and behaviors that support cyber resilience, such as trust, transparency, accountability, and collaboration.
  • Collaborate and Cooperate with External Partners and Experts: Directors and businesses should collaborate and cooperate with external partners and experts, such as government agencies, industry associations, law enforcement, cybersecurity consultants, and researchers. These partners and experts can provide valuable information and insights, guidance and support, and resources and capabilities for cyber resilience. Collaboration and cooperation can also help directors and businesses to share and exchange best practices, learn from each other’s experiences, and coordinate and align their efforts and actions on cyber resilience.

Conclusion

Cybercrime is a serious and growing threat for directors and businesses in South Africa, and requires urgent and proactive action to prevent and protect against cyber threats, and to detect and respond to cyber incidents. Cyber resilience is the key to achieving this, and involves anticipating, withstanding, recovering, and adapting to cyber threats, and continuing to operate effectively and efficiently. Cyber resilience can be achieved by following some best practices and strategies, such as adopting a risk-based approach, implementing a cyber resilience program, educating and training staff and stakeholders, investing in appropriate technology and tools, monitoring and testing cybersecurity performance, and collaborating with external partners and experts.

FAQ Section

Q: What are the main types of cybercrime that directors should be aware of?
A: Some of the common types of cybercrime that directors should be aware of are data breaches, ransomware, denial-of-service attacks, phishing, identity theft, and cyber fraud.

Q: What are the main laws and regulations that govern cybercrime and cybersecurity in South Africa?
A: Some of the main laws and regulations that govern cybercrime and cybersecurity in South Africa are the Cybercrimes Act, the Protection of Personal Information Act (POPIA), the Promotion of Access to Information Act (PAIA), the Companies Act, and the King IV Report on Corporate Governance.

Q: What are the duties and responsibilities of directors for cybersecurity?
A: Directors have a duty to act in good faith, in the best interests of the company, and with due care, skill, and diligence. This includes taking reasonable steps to protect the company’s data and information from cyber threats, appointing and registering an Information Officer, implementing a cyber resilience program, and ensuring that any compromise of personal information is reported to the Information Regulator and the affected data subjects as soon as reasonably possible.

Q: What are the best practices and strategies for cyber resilience?
A: Some of the best practices and strategies for cyber resilience are adopting a risk-based approach, implementing a cyber resilience program, educating and training staff and stakeholders, investing in appropriate technology and tools, monitoring and testing cybersecurity performance, and collaborating with external partners and experts.
