Legal Case Studies

The Risk of Cybercrime for your Business

What is a cybercrime?
Crimes carried out by means of computers, computer networks, or networked devices, like cell phones, are Cybercrimes. As businesses become increasingly digitised, the risk of falling victim to Cybercrime has increased.

Common terms used to describe different types of Cybercrime include malware, phishing, and ransomware.
  • Phishing is where a seemingly legitimate message is sent to your business, by email or otherwise, with the intention that the recipient will reveal information like bank details, passwords, or other similar sensitive information.
  • Ransomware aims to encrypt your business’ data, which is released only when a ransom is paid.
  • Malware aims to damage or gain access to your business’ computer system, to commit theft, fraud, or to undermine your business operations.

Cybercrime can result in significant loss of data, resources, and money, by the business, its employees, or its clients. Recent case law has shown that our Courts will hold businesses liable for their clients’ financial loss due to cybercrime.

Recent Case Law
In the case of Judith Hawarden v Edward Nathan Sonnenbergs Inc [2023] ZAGPJHC 14, Hawarden purchased a property and appointed ENS as her conveyancer. Hawarden paid a deposit and then, to complete the transaction, she paid the balance of the purchase price (R5.5 million) by electronic payment (the Price).

ENS provided Hawarden with its trust account details by way of a PDF document which was emailed to her. Hawarden’s email was, however, hacked and the bank account details in the PDF were changed to the fraudster’s bank details. Hawarden made payment of the Price to these bank details.

When the fraud was discovered, ENS nevertheless required Hawarden to make payment of the Price into the trust account, resulting in Hawarden instituting a claim against ENS for pure economic loss in the amount of R5.5 million. ENS was aware of the threat of Business Email Compromises (“BEC”) but, despite this, did not warn Hawarden or ensure that the trust account details were protected from BEC through the use of, for example, multi-channel verification. ENS was therefore negligent and its actions wrongful.

The Court held that ENS was liable in delict for Hawarden’s loss, interest, costs of suit, expert fees, and costs on an attorney-client basis.

Similarly, in Jan Jacobus Gerber v PSG Wealth Financial Planning (Pty) Ltd [2023] ZAGPJHC 270 (23 March 2023), Gerber’s share portfolio was being managed by PSG (the Portfolio). The Portfolio amounted to R855,413.00 and was intended to assist Gerber in his retirement. Correspondence between PSG and Gerber was subject to BEC and the Portfolio was therefore paid into the fraudster’s account.

On discovery of the fraud, Gerber sued PSG to recover the lost Portfolio. PSG argued that, although there was a duty to prevent fraud on Gerber’s portfolio, Gerber was negligent because he did not protect his email from hacking. The Court disagreed with PSG and was of the view that it was PSG that had been negligent and had ignored its own cybersecurity protocols. PSG was therefore ordered to pay Gerber R811 488,98 and all of Gerber’s legal costs.

How can you protect your business?
From recent case law, we can see that your business must take steps to prevent Cybercrime, otherwise you may be held liable for losses suffered by your clients and customers, or be subject to significant financial loss directly, as a result of Cybercrime. So, what can you do to protect your business?

Your first defence will be to ensure that your software and hardware are constantly updated to address new forms of malware and ransomware. Cybercriminals are constantly evolving. Your business must try to keep ahead of them.

Second, implement sound IT defences. These include encryption of documents, secure storage of information on a cloud, use of a VPN, password protection and two-step authentication for sensitive information, and a breach detection and prevention system. These defences will prevent your business from becoming a victim of Cybercrime by making it more challenging for criminals to acquire access to your information and systems.

Next, educate your people. Constantly train staff on cybercrimes, how to identify scams or suspicious links, and how to prevent cybercrimes by, for example, logging off when not using a device and not sharing sensitive information by email.

Finally, although often seen as a grudge purchase, seek cybercrime insurance to cover the risk of Cybercrime. This insurance will assist you to pay for financial loss arising from Cybercrime or data breaches. Your insurance may also provide you with assistance to restore your data or manage a ransom demand.

Cybercrime is a growing risk for businesses but the above simple and proactive steps can be taken to mitigate this risk. The best approach to cybercrime is to recognise the severity of the risk and take preventative measures to protect your business and its clients and customers.