Ransomware attacks: how South African companies should respond

Cybersecurity has taken centre stage in South African commerce, and it’s no surprise given the prevalence of ransomware attacks.

South African law sets out specific obligations to address these risks if they arise.

The Protection of Personal Information Act (Popia) imposes specific obligations on businesses to maintain the integrity and confidentiality of the information that they process. This includes taking technical and organisational measures to prevent unlawful access to information in their possession or under their control.

These steps include:

Identifying internal and external risks to their information;
Implementing appropriate safeguards to address these risks (and continually updating these safeguards as new risks arise); and
Implementing generally accepted information security practices as well as security practices that are specific to their industry.

As bad actors continue to update their techniques (and ransomware becomes more advanced), businesses are similarly required to update their safeguards to address these new risks. These practices may differ depending on whether a business is, for example, part of the telecommunications, insurance or financial services industry.

The legal status of ransomware attacks

When a business is the victim of a ransomware attack, the attackers typically:

Gain access to the systems of the business;
Extract data from the business;
Upload malicious code to the business’s servers that encrypts its data and prevents the business from accessing the data; and
Issue a ransom note to the business, requiring the payment of a fee (typically in bitcoin) to enable the business to recover its encrypted data.

A typical ransomware attack constitutes cyber extortion and fraud, and is considered an “aggravated offence” if the ransomware targets a “restricted system” (this includes the systems of financial institutions). The South African courts have, however, yet to convict a cybercriminal under the Cybercrimes Act of 2013 for committing a ransomware attack.

Obligations after a ransomware attack

A victim of a ransomware attack is placed in a very difficult position. On one hand, businesses are mandated by Popia to protect data subjects, preventing any inadvertent disclosure of their sensitive information. On the other hand, the attackers wield a potent threat, vowing to either publish or irrevocably erase the data unless the ransom is paid.

Businesses will typically be required to make several notifications arising from a ransomware attack, including notifications to:

Data subjects (whose information was unlawfully accessed);
The Information Regulator;
The South African Police Service, which might be needed under the Cybercrimes Act, depending on the business’s sector or their insurance policies; and
Any third parties on whose behalf the business processes personal information; and/or its insurers.

If a business wishes to pay the ransom (or negotiate with the attackers), it must ensure that it does not inadvertently contravene any applicable laws when doing so. These include:

The Cybercrimes Act, which makes it illegal to aid, abet, induce, incite, instigate, instruct, command or procure another person to commit an offence such as cyber extortion; and
The Prevention and Combatting of Corrupt Activities Act (Precca), which requires a person with knowledge of the commission of the offences of theft, fraud or extortion to report the matter to the police when the offence involves an amount of R100 000 or more.

The authors, Karl Blom and Laone Setshedi

Following notification to the police, it is important to note that they may (in terms of the Cybercrimes Act) require a business to preserve all information which may assist them in their investigation of the ransomware attack, and potentially to provide police officials and investigators with reasonable technical and other support that they may need to conduct their investigation.

Other important considerations

When responding to a ransomware attack, it is often prudent to brief (through your attorneys if required) a number of experts, who may include:

Forensic investigators (to determine how the incident occurred and prevent future incidents); and
PR experts (to assist the business in managing any damage to the business’s reputation).

It is also important to ensure that, where a business holds insurance for losses arising from ransomware attacks, there is strict compliance with the terms of the insurance policy (which may regulate, for example, whether a business can make payment of a ransom).

The prevalence of ransomware attacks and other forms of cybercrime is an ongoing concern that businesses must contend with. Taking reasonable proactive measures against these attacks is vital to ensure that these incidents do not become an existential threat to your business.

The authors are Karl Blom, partner, and Laone Setshedi, candidate attorney, both at Webber Wentzel

How South Africa’s banks became bakgat

Putin’s daughter pursues digital plan in push to embrace Africa

MTN slashes prepaid data prices: 200GB for R399

Spar confident worst of ERP disaster now behind it

Icasa takes aim at ‘illegal’ Starlink sales in South Africa

‘Go f… yourself’: Musk lashes out at fleeing advertisers

Microsoft to take non-voting position on OpenAI board

Hackers stole customer support data in Okta breach

Orange withdraws from process to buy into Ethio Telecom

Musk’s X hit by advertiser exodus

Africa has a feature phone problem

Is your ISP monitoring your online activity?

The real Big Brother Africa

Compared: Starlink prices around the world – including Africa

Africa is booming

TCS+ | OneTrust’s Joseph Byrne: privacy risk management done right

TCS+ | Ricoh – safe and secure role in today’s digital ecosystems

TCS+ | NEC XON on going toe to toe with cybercriminals

TCS | How ShotSpotter is fighting gun crime in Cape Town

TCS+ | SOC-as-a-service: CYBER1 SOC and the future of cybersecurity

Could Cape Town become Africa’s Silicon Valley?

Chris Kruger: What I learnt in my decades in IT leadership