How can South Africa combat the growing threat of cybercrime?

March 1st, 2025

Since the dawn of democracy, South Africa has built for itself a solid reputation of being the most diversified and industrialised economy in Africa, making it the obvious destination for investors looking to do business in Africa.

This has led to the rapid development of a world-class information technology (IT) infrastructure, with the unintended consequences of making the South African economy vulnerable to cybercrime and a haven for cybercriminals, who have managed to set up some of the most sophisticated syndicates at a pace never seen before.

According to Interpol’s 2024 African Cyberthreat Assessment, ‘in 2023, … the average number of weekly cyberattacks impacting African businesses grew 23% compared to the prior years, the fastest increase worldwide’ (Robert Lemos ‘Africa’s economies feel pain of cybersecurity deficit’ (www.darkreading.com, accessed 19-1-2025)). South Africa has seen cybercrime cost the economy around R 2,2 billion per year. In this article, I unpack the legislative framework that offers key protection to South African citizens and international investors with reference to international benchmarks. I also consider some of the recent South African case law relating to cybercrime.

Legislative framework

South Africa has the following pieces of legislation aimed at protecting victims of cybercrime.

Cybercrimes Act 19 of 2020

The main objectives of the Cybercrimes Act are to –

  • create offences relating to cybercrimes;
  • criminalise the distribution of data messages which are harmful and provide for interim protection orders; and
  • further regulate the powers to investigate cybercrimes and the jurisdiction of the courts, among others.

The Cybercrimes Act criminalises a range of severe cybercrimes, including illegally accessing a computer system or intercepting data, cyber extortion, unlawfully acquiring a password, cyber fraud, and theft of incorporeal property. Any person who violates the Act could face a fine, imprisonment of up to 15 years or both. Members of the public have an obligation to report these crimes to relevant authorities in order to ensure enforcement.

The broad scope of jurisdiction created by this Act means that the South African courts will have the power to try non-SA citizens and persons who commit crimes in other countries where this affects persons or businesses in South Africa. South African enforcement agencies have been given extensive search and seizure powers under the Cybercrimes Act, including searching and seizing information held within a private database or network without a search warrant.

Ancillary pieces of legislation

The Cybercrimes Act is supported by the following legislation:

  • Protection of Personal Information Act 4 of 2013 (POPIA);
  • Electronic Communications and Transactions Act (25 of 2002);
  • Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002; and
  • Prevention and Combating of Corrupt Activities Act 12 of 2004.

These Acts all provide an excellent legislative framework for the combatting of cybercrime. However, while our legislative framework is comprehensive, we need to constantly adapt our legal system when it comes to enforcement, to align it with the current tactics that are being used by cyber criminals to commit fraud.

Case law involving cybercrime

A handful of cases involving business e-mail compromise scams targeting online banking payments have come through the South African courts. These scams normally begin with a coordinated phishing attack. Such incidents have been prevalent in the legal profession, as the two cases below illustrate.

Fourie v Van der Spuy and Others

In the case of Fourie v Van der Spuy and De Jongh Inc and Others 2020 (1) SA 560 (GP), Mr Johan Fourie had appointed Van der Spuy and De Jongh Inc, a firm of attorneys, to act on his behalf in a certain transaction. Mr Fourie paid over a certain amount of money into the firm’s trust account to be held on his behalf pending further instructions on what to do with the funds.

At some point, the attorneys received instructions by e-mail to pay the money held in trust into an unknown bank account provided in the e-mail. It then transpired that the attorneys were victims of cybercrime, where someone had impersonated Mr Fourie through e-mail hacking, inducing the attorneys to pay the money into the wrong account.

The court pointed out that the relationship between an attorney and his client was based on a contract of mandate. This contract, inter alia, imposes fiduciary obligations on the attorney and an attorney has a duty of care to their client. This fiduciary duty rendered an attorney legally responsible for dealing with the money in their trust account without negligence. The court stated that the attorney was required to exercise the skill, adequate knowledge and diligence expected of an average practising attorney. A failure to do so would lead to an attorney being held liable for negligence even where they had committed an error of judgment.

The court concluded that the attorneys had failed to discharge their obligations to Mr Fourie in that, had they confirmed or verified the new bank details with him prior to making payment into that account, the fraud would not have occurred. It was abundantly clear from the facts that no verification process was followed, and the court held that the firm, and not Mr Fourie, had to carry the loss.

Edward Nathan Sonnenberg Inc v Hawarden

In the case of Edward Nathan Sonnenberg Inc v Hawarden 2024 (5) SA 9 (SCA), Ms Judith Hawarden had entered into a sale agreement with the Davidge Pitts Family Trust for the purchase of their property for the sum of R 6 million. The seller had appointed Edward Nathan Sonnenberg (ENS) as its conveyancers to oversee the sale. In terms of the sale agreement, Ms Hawarden was required to pay a deposit of R 500 000 into the trust account of ENS or to put up a bank guarantee. Despite warnings about cybercrime, Ms Hawarden acted on fraudulent e-mails containing altered banking details and made the deposit into what she believed was a valid ENS bank account.

The fraud was not discovered until later, and Ms Hawarden suffered a financial loss. She took legal action against ENS, claiming negligence on their part for not preventing the fraud, which caused the pure economic loss of R 5,5 million. The High Court ruled in favour of Ms Hawarden and ENS was ordered to compensate her for the loss.

However, the High Court decision was overturned by the Supreme Court of Appeal (SCA), which pointed out that our law does not generally hold a person liable in delict for damages caused by others where that person’s wrongdoing consists of an omission. In any event, the court held that the intrusion that caused Ms Hawarden’s loss resulted from her own e-mail account having been compromised, and not from any failing in the ENS system. Given that Ms Hawarden was not a client of ENS, the SCA held that she should have confirmed the banking details of ENS before making the payment, having received ample warnings about the possibility of e-mail hacking.

A global approach to enforcement

Turning to other advanced jurisdictions, the United States (US) has always been viewed as one of the most advanced economies in the world, with its legal response to cyber risks being partisan when compared with other countries.

The European Union (EU) and the United Kingdom (UK) have a comprehensive response to cyber risks, through the General Data Protection Regulation (GDPR), which offers key protection for information privacy, and through other laws and directives that offer further protections.

In both jurisdictions, specialised enforcement agencies have been established to monitor and combat cyber incidents. In the EU, member states need to report cybercrime to local authorities. Member states then receive additional support from the European Cybercrime Centre. Set up by Europol, the Centre acts as the focal point in the fight against cybercrime in the Union, pooling European cybercrime expertise to support cybercrime investigations within member states and providing a collective voice for European cybercrime investigators across law enforcement and the judiciary. In the UK, this support is provided through the National Cyber Security Centre (NCSC), which gives extensive support to industry on improving cybersecurity resilience.

In the US, law enforcement agencies are supported by the Federal Bureau of Investigation (FBI) which has a global presence when it comes to assessing cybercrime and cyber risks.

Signed into law in 2016, when the UK was still a part of the EU, the GDPR brought about significant data privacy laws and strictly regulates how personal data is collected, stored and handled, and what data may be distributed. This was the forerunner to South Africa’s POPIA, which offers similar protection to South African citizens.

Signed into law in 2018, the Directive on Security of Network and Information Systems (NIS Directive) was the first piece of EU-wide cyber security legislation. ‘It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure. The Directive applies to operators of essential services and digital service providers. These include energy, transport, water and healthcare, online marketplaces, search engines and Cloud computing services. The NIS Directive requires these operators to take appropriate security measures and report incidents that significantly impact the continuity of the services they provide. Digital service providers are also required to notify the authorities of incidents that significantly impact the availability of their services’ (IT Governance ‘The NIS Directive and NIS Regulations’ (www.itgovernance.co.uk, accessed 19-1-2025)).

In 2023, the NIS Directive was updated and replaced by the NIS2 Directive (Directive (EU) 2022/2555), which introduces stricter security requirements and expands the scope to include more sectors and services. This update aims to further strengthen the EU’s overall cybersecurity posture and ensure a more harmonised approach across the region.

Important points to remember

As one can see, when compared with global legal systems, South Africa’s legislative framework is very comprehensive and offers key protection to affected parties. Additionally, our law is very clear about where the duty of care lies in cybercrime.

However, like many global economies, South Africa needs to become stricter in enforcing its cyber legislation. This global threat is continuously evolving as cybercriminals develop new tactics to scam and defraud people. While victims in other jurisdictions receive support through dedicated enforcement agencies, South African victims can report data breaches to the Information Regulator and cybercrime to the South African Police Service, neither of which is backed by a specialised enforcement agency of the kind found in the advanced jurisdictions mentioned above. This makes the enforcement of cybercrime legislation significantly more difficult for South Africa, given that we often have to rely on foreign agencies like the FBI for support and intelligence.

Business e-mail compromise scams are one of the most significant methods that cybercriminals use to commit cybercrime. Given the frequency at which business e-mail compromise scams occur globally on a daily basis, a victim cannot claim ignorance of the threat of these crimes as a legal defence. When money is involved, the person making a payment from one party to another needs to ensure that the banking details they are transferring money into are correct and have not been intercepted by scammers. From a corporate point of view, companies will have to prove that they have robust, and in some cases custom-built, cybersecurity platforms that would prevent them from falling victim to cybercriminals. The law is clear on this.

Mongezi Mpahlwa BCom (Law) LLB (UWC) is a legal practitioner at Cox Yeats in Johannesburg.

This article was first published in De Rebus in 2025 (March) DR 20.
