Five Things You Need to do After the CIPC Hack

“The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy” – (Lu Wei, the head of the General Office of the Central Leading Group for Internet Security and Informatization from August 2013 to June 2016)

On the 1st of March 2024, the CIPC admitted it had been hacked. The CIPC said in a statement that, “Our ICT technicians were alerted, due to extensive firewall and data protection systems in place at the CIPC, to a possible security compromise and as a result, certain CIPC systems were shut down immediately to mitigate any possible damage.”

While they referred to the incident as “an attempt” to hack their systems, they also added, “Unfortunately, certain personal information of our clients and CIPC employees was unlawfully accessed and exposed.”

A few days later, MyBroadband said it had been contacted by the hackers, who allegedly proved they had access to the site since 2021 and that the CIPC could be understating the damage done. Whether the claims made to MyBroadband are accurate or not, there is a possibility that this hack has leaked private information from many or all of South Africa’s registered businesses and presumably given outside access to company registrations, which potentially allows the hackers to make alterations to core business areas.

Together with a long-standing issue at SARS that periodically sees clients receiving an email or SMS stating, “unauthorised changes were made to your personal details on eFiling”, it is clear that South African businesses need to be aware of the risks of online attacks at key government organisations and more importantly, know what to do about them.

These are the main concerns:

Private information leaked

According to reports, the hackers may have gained access to the private credit card information used to make payments to the CIPC. MyBroadband quotes the alleged hackers as saying the CIPC was “processing and storing credit cards in the clear.” While most banks require access to an app as verification, the exposure of CVVs and expiry dates of cards is a risky proposition. When combined with other information stored on the site, such as the names, addresses and signatures of directors, there is a real risk that company clients and contacts may be open to being scammed through fake profiles or other contacts generated by malicious third parties.

Access to Company registrations

If, as is alleged, hackers have gained unfettered access to the company registrations section and the login details for multiple clients, companies risk potential changes in their core information. Directors can be changed, addresses altered and critically, key documentation can be downloaded.

The latter is of great concern as these documents could allow a fraudster to open bank accounts in a company’s name. After that it becomes simple to contact clients saying that bank account details have changed, and even offer them the proof that they are speaking to legitimate company representatives. From there money could easily be siphoned into these phoney accounts and it may take weeks or even months to uncover.

What should you do?

With every company vulnerable it’s critical to take a number of steps immediately to mitigate the risk and potential damage.

  1. Check bank accounts and cards
    Monitor your bank account and card transactions even more closely than before for any signs of suspicious activity. If any unusual activity does occur, report the incident to the bank immediately and consider cancelling any bank cards that may have been exposed on the CIPC website and ordering new ones.
  2. Warn your clients
    You may want to consider adding a warning to emails and client correspondence that asks them to treat any notices supposedly from your business of changes to bank account or personal details with caution due to the CIPC hack and SARS login leaks. The warning should carry the caveat that should they receive any bank detail change correspondence they should check with you directly before making alterations to payments.
  3. Change your usernames and passwords
    Change all login details. Assume your current passwords have been compromised and check whether you have used them on other sites as well. Even if this is not the case, it’s wise to change all your important passwords periodically, particularly those for bank accounts or other financial institutions.
  4. Warn your employees
    Alert all employees that any emails, calls or other communication from banks, insurers or fraud divisions should be treated as suspect. Instruct your employees to authenticate communications directly with those departments immediately (using contact details they know to be genuine) rather than give away any information to an unverified person. This is good practice anyway in light of surging cyberfraud generally, but the CIPC hack makes it essential.
  5. Remain vigilant
    We as your accountants are happy to help advise you on how to monitor the credit bureaus and banks to track any illegal accounts that may be opened in your name, and to discover suspicious changes in invoicing and payments. A client who usually pays regularly suddenly stopping is now cause for an immediate follow-up.

Don’t stop being cautious. These sorts of hacks can often come back to haunt a company months after they happen. Assume you will need to be careful for at least a year as the hackers work their way through their haul and try to make the most of it.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© CA(SA)DotNews

New Trustee Duties: More Admin, Impossible Deadlines and Hefty Penalties

“A trustee has a responsibility to guard the assets of others with a higher degree of care than he does his own.” (John Ashcroft)

Onerous new duties have recently been imposed on all trustees of all trusts – by government through legislative amendments, and also by SARS – in addition to their existing fiduciary duty to act in the best interest of all the beneficiaries and “with the care, diligence and skill which can reasonably be expected of a person who manages the affairs of another”.

The legislative amendments follow South Africa’s grey listing by the global financial watchdog, the Financial Action Task Force, and the subsequent changes to the Trust Property Control Act (TPCA) and the Financial Intelligence Centre Act (FICA), among others.

The new trustee duties will require extensive and time-consuming additional administration, and have impossible deadlines, while non-compliance can result in hefty penalties. This makes professional trust administration assistance crucial for trustees, now and in the future.

Who is affected?

All trustees – not only independent trustees – are affected by the imposition of these new trustee duties.

In addition, all trusts are affected, regardless of the nature of the trust or the value of the assets in the trust, including family trusts, commercial and business trusts as well as public benefit trusts. Not even dormant trusts are specifically excluded.

The new regulations will also affect companies that provide services to trusts. Under FICA, the scope of ‘accountable institutions’ has recently been expanded to include trust service providers, company service providers, legal practitioners, crypto asset service providers, and clearing system participants, among others. These accountable institutions must conduct customer due diligence on their clients, including verifying identities, assessing the risk of illicit activities, and reporting suspicious activities. This will require significant resources, time and expertise from both trustees and accountable institutions.

What are the new duties and deadlines?

The legislative changes to the TPCA have given rise to trustee duties relating specifically to beneficial ownership registers and records of accountable institutions. In addition, SARS has issued new reporting requirements.

  1. Updated beneficial ownership registers – trustees are now required to collect, record and maintain detailed information and specific records of the beneficial owners of the trust – who are now far more broadly defined to include founders, trustees, beneficiaries, donors and protectors. In addition, trustees must lodge a register of the prescribed information with the Master’s Office, with only a trustee or a person with power of attorney allowed to use the Master’s portal to do so.
  2. Updated records of interactions with accountable institutions – trustees are now required to collect, record and maintain details pertaining to accountable institutions with which trustees have dealings, including, for example, accountable institutions acting as agents to perform trustee functions and accountable institutions providing any services to trustees. As noted, the definition of “accountable institutions” has also widened considerably.
  3. Submitting an IT3(t) for each beneficiary – SARS recently issued a draft notice requiring trustees to submit an IT3(t), which provides details of any amount vested in a beneficiary including income (net of expenditure), capital gains and capital amounts distributed by the end of September so that beneficiaries’ tax returns can be pre-populated.

What are the penalties?

Failure to comply with the obligations as contained in the TPCA is an offence and, on conviction, trustees are liable to a fine not exceeding R10 million, or imprisonment for a period of five years or both.

Trustees are already non-compliant with the TPCA, as the new regulations were published after business hours on Friday 31 March 2023 and became effective on the next day, Saturday 1 April 2023. This means that trustees were simply unable to comply with the regulations by the deadline, both due to the timing of the gazette and delays in establishing the requisite online electronic register on the Master’s ICMS Web Portal.

SARS’s IT3(t) deadline seems more doable, but in reality, the 30th of September is not that far away. Various stakeholders are submitting comments regarding the implementation of this requirement to submit an IT3(t) for each beneficiary, but probably no more than a delay could be expected.

Considering the extent of the new duties, the deadlines, and the hefty penalties involved, trustees are certainly well-advised to seek professional assistance to comply with these additional obligations.

© CA(SA)DotNews
