The Cybersecurity Bill, set to have massive implications for South African companies and individuals, is open for public comment until Thursday 10 August 2017.
Deloitte urges interested parties to submit their comments ahead of the deadline, and has released its point of view on the pending bill:
Cybersecurity has been an international challenge that has hindered the long-awaited digital transformation in South Africa. Globally as well as locally, cyber threats are growing in volume and intensity as well as sophistication. This was evident in the recent “WannaCry” and “Petya” cyberattacks that caught businesses off guard.
The Cybercrimes and Cybersecurity Bill of 2017 has been introduced with the aim of providing South Africa with a co-ordinated approach to fighting cybercrime, resulting in a more secure cyber universe. The Bill will also create a list of new cybercrime and cybersecurity offences that are related to data, messages, computers and networks.
Examples include using personal or financial information to commit an offence, hacking and unlawful interception of data, as well as computer-related forgery and uttering, extortion or terrorist activity.
The Bill will further place a responsibility on organisations to report cybercrime within specific timeframes, and will provide a mechanism to force financial service and telecommunications providers to supply specific information on offenders and their activities when their infrastructure or services are used to commit cybercrimes, within a period of 72 hours of becoming aware of the cyber threat.
The Bill is currently open for public comment, with the deadline for submission of comments to Parliament being 10 August 2017. It is imperative for organisations to submit comments and request clarity where the provisions of the Bill are unclear, as the Bill will have a significant impact on businesses’ processes and technology.
Once the Bill is passed, Deloitte Legal professionals together with the Cybersecurity Subject Matter Experts will assist clients in understanding this legislation and ensure that they mitigate these cyber risks while complying with the law.
When hackers breach an organisation’s servers, most of the resulting consequences are related to identity theft, reputational and brand damage, or financial and intellectual property loss. As enterprises and government agencies increasingly adopt cloud, mobile, and social computing, IT environments are becoming more difficult to defend. Increasingly, organisations need to accept that security breaches are inevitable.
Security strategies need to go beyond defense to include detection, response, and recovery. All this gives rise to a need for new skills, approaches and specialised tools and services, including continuous monitoring and threat forensics powered by analytics because of the impact of the Bill on data governance processes.
Private and public sectors have rapidly adopted new technology to better serve constituents and reduce dependency on legacy systems that are difficult to maintain. Ironically, the very steps taken to embrace these innovations add to the cyber risks. It has become important to begin viewing the management of cyber risk as a core function of running organisational operations, particularly in the financial services sector and among telecommunications service providers, which carry sensitive consumer information.
According to a Norton by Symantec cybercrime report released in 2016, technology experts saw cybercrime becoming more prevalent in South Africa, costing the economy up to R35 billion in 2015 at an average cost of R4000 per victim. The cybercrime report further noted that within the last year, 689-million people in 21 countries globally experienced cybercrime. Cybercrime has become so prevalent that many people equally fear online and real-world risks.
Security can no longer be classified as a grudge purchase but must be seen as an operational necessity; it is now about protecting people, not just intangible IT assets. Further, there is value in updating organisations’ processes and technology to implement controls around cybercrime, which will include improved data governance and compliance with other regulation such as the Protection of Personal Information Act 4 of 2013 and the Financial Intelligence Centre Act, as amended.
Technology has been at the core of the telecommunications and financial services sectors, with the last 10 years seeing growth in the use of devices such as smartphones that have changed the way financial services consumers and suppliers interact.
Business now needs cognitive analytics to understand the criminals’ phishing behaviours, replay the behaviours and block the attacks. Although the concept of the Bill is valuable, there are still concerns around the negative effects that it could have on the everyday person’s day-to-day online habits that could, in extreme cases, result in one being arrested.
South Africans have three days to provide their views on the proposed Bill and to provide a holistic view on its real implications.
Taking guidance from Europe, however, where data protection and cybercrime legislation is more mature and practicalities have been tested, will be imperative for South African lawmakers and organisations. For more information on Deloitte’s solutions to data protection and cybercrime, visit https://www2.deloitte.com/za/en/services/risk.html?icid=top_risk