Businesses across the spectrum are increasingly making use of the services of technology to manage their operations more efficiently. Unfortunately, this has led to a significant rise in cybercrime which is regarded by many as the fastest growing criminal activity around the world.
Types of cyber threats
The cyber threats faced by businesses are continuously evolving, making them extremely difficult to guard against. Common threats include but are by no means limited to:
- Malware: Malware is designed to disrupt, damage, or gain unauthorized access to a business’s computer systems.
- Phishing: Phishing purports to send legitimate emails / messages to people within a business, with the end goal of inducing the recipients to reveal personal or sensitive information, such as passwords, trade secrets, etc.
- Ransomware: Ransomware attempts to encrypt a business’s files, with the view of demanding a ransom before the files are released.
Cybercrime is very real and is costing businesses hundreds of thousands of rands, in the form of financial losses, legal liabilities, reputational damages, regulatory fines, etc. Businesses should look no further than the two judgements below which were recently granted in our courts to realise this.
Judith Hawarden v Edward Nathan Sonnenbergs Inc – Date of judgement: 16 January 2023
Ms. Hawarden (“the purchaser”) purchased a property from a third-party seller who appointed Edward Nathan Sonnenbergs Inc (“the attorneys”) as the conveyancer. The purchaser paid an initial deposit and thereafter elected to pay the balance of the purchase price of R5.5 million by EFT. The attorney’s trust account details were set out in a pdf attachment and emailed to the purchaser. Unbeknown to the purchaser, her email account had been hacked, which enabled a fraudster to intercept the email and alter the attorney’s trust account details. This resulted in the payment being made into the fraudster’s account. The attorneys had little sympathy for the purchaser and called on her to effect payment of the outstanding purchase price. The purchaser responded by instituting action against the attorneys to recover the damages she sustained as a result of the cyber fraud. The evidence at the trial confirmed that the attorneys were aware of the risks of Business Email Compromise (BEC) and had failed to warn the purchaser thereof. It was also not disputed by the attorneys that BEC was rife within the legal industry, especially in conveyancing. The attorneys were in charge of how their trust account details were transmitted to clients and had a duty of care to ensure that it was transmitted securely given the risks of cyber fraud. The court found that the attorneys actions were negligent, wrongful and the cause of the purchaser’s loss. The court ordered the attorneys to pay the purchaser the sum of R5.5 million and penalised them with a punitive cost order.
Jan Jacobus Gerber v PSG Wealth Financial Planning (Pty) Ltd – Date of judgement: 23 March 2023
PSG Wealth Financial Planning (Pty) Ltd (“the financial advisor”) was contractually responsible to manage Mr. Gerber’s share portfolio, consisting of liquid investments, in the total sum of R855,413.00. The purpose of the portfolio was to fund Mr. Gerber’s retirement. The financial advisor possessed the freedom to operate the portfolio as they saw fit, with no limitation or instruction regarding the reinvestment of dividends and the buying and selling of shares. Email communications between the parties were subject to BEC fraud, resulting in Mr. Gerber’s funds being paid into a fraudster’s account. Mr. Gerber thereafter sued the financial advisor to recover the losses he sustained. The financial advisor accepted that it had a contractual duty to prevent fraud of this nature but argued that it was not liable for Mr. Gerber’s loss because he was negligent in not taking reasonable steps to prevent his email account from being hacked. The court found the advisor’s argument that Mr. Gerber had a duty a duty to prevent the hacking to be counter intuitive. The evidence was clear that it was the advisor who ignored their own protocols which resulted in the fraud. The advisor was as such ordered to pay Mr. Gerber the sum of R811,488.98 and was held responsible for his legal costs.
Business should be taking proactive steps to mitigate the risks of cybercrime. Some of the steps which can be taken are:
➊ Making use of strong passwords and two factor authentication.
➋ Using a virtual private network (VPN).
➌ Keeping software up to date.
➍ Implementing cybercrime policies and procedures.
➎ Backing up data.
While adopting mitigating steps can significantly reduce the risk of cybercrime, no business can be completely guarded against it as cyber threats are constantly evolving, and hackers can find new ways to exploit vulnerabilities. Therefore, it is important for businesses to also possess comprehensive cyber insurance to protect itself from the financial losses and liabilities that can arise from a cyber attack.
In conclusion, cybercrime is a real and growing threat to businesses of all sizes, and the risks posed by cyber attacks can no longer be ignored. Businesses would as such be well advised to recognize the seriousness of cybercrime and take proactive steps to protect themselves and their customers in the digital age they are conducting business in.