On 24 November 2021, the National Assembly of Mauritius adopted the Cybersecurity and Cybercrime Act 2021. The document defines how Mauritius will fight cybercrime and explains how the country will reinforce its cybersecurity measures.
The act is divided into 8 parts, as listed below:
PART I – PRELIMINARY
PART II – THE NATIONAL CYBERSECURITY COMMITTEE
PART III – OFFENCES
PART IV – INVESTIGATION PROCEDURES
PART V – CRITICAL INFORMATION INFRASTRUCTURE PROTECTION
PART VI – COMPUTER EMERGENCY RESPONSE TEAM OF MAURITIUS (CERT-MU)
PART VII – INTERNATIONAL COOPERATION
PART VIII – GENERAL PROVISIONS
This article is an abridged summary of the act.
PART I – PRELIMINARY
This part of the Act is preliminary and defines the terms used in the act.
PART II – THE NATIONAL CYBERSECURITY COMMITTEE
Here, the focus is on the establishment, role and responsibilities of a national cybersecurity committee.
The committee should be composed of 14 members, as listed below:
1. a Chairperson, to be appointed by the Prime Minister;
2. a representative of the Prime Minister’s Office;
3. a representative of the Ministry;
4. a representative of the Computer Emergency Response Team of Mauritius (CERT-MU);
5. a representative of the Data Protection Office;
6. a representative of the Mauritius Police Force;
7. a representative of the Attorney-General’s Office;
8. a representative of the Information and Communication Technologies Authority;
9. a representative of the Bank of Mauritius;
10. a representative of the Financial Services Commission;
11. a representative of the Counterterrorism Unit, Prime Minister’s Office;
12. a representative of the private sector, having experience in the field of cybersecurity and cybercrime, to be appointed by the Minister; and
13. a representative of civil society, having experience in the field of cybersecurity and cybercrime, to be appointed by the Minister.
The committee should meet at least once every 2 months and report to the minister at least once every quarter. The committee will have the responsibility to identify critical information infrastructures and to implement a protection framework. In other words, it will have to implement cybersecurity measures for institutions such as the Bank of Mauritius, the airport of Mauritius, the port of Mauritius, etc.
PART III – OFFENCES
This part of the Act is dedicated entirely to actions that are considered offences and are punishable. The 19 offences are listed below:
1. Unauthorised access to computer data
2. Unauthorised interception of computer service
3. Unauthorised interference
4. Access with intent to commit offences
5. Unauthorised modification of computer data
6. Unauthorised disclosure of password
7. Unlawful possession of devices and computer data
8. Electronic fraud
9. Computer-related forgery
10. Misuse of fake profile
11. Cyberbullying
12. Cyber extortion
13. Revenge pornography
14. Cyberterrorism
15. Infringement of copyright and related rights
16. Increased penalty for offences involving critical information infrastructure
17. Failure to moderate undesirable content
18. Disclosure of details of an investigation
19. Obstruction of investigation
PART IV – INVESTIGATION PROCEDURES
This part of the act describes the procedures to be followed during an investigation. It covers the following:
· Expedited preservation and partial disclosure of traffic data
· Production order
· Powers of access, search and seizure for purpose of investigation
· Real-time collection of traffic data
· Interception of content data
· Deletion order
· Limited use of disclosed computer data and information
PART V – CRITICAL INFORMATION INFRASTRUCTURE PROTECTION
This part of the Act defines critical information infrastructure and sets out the responsibilities attached to critical information infrastructures.
A system is designated as a critical information infrastructure if a disruption of the system or its data would result in:
1. the interruption of a life sustaining service such as the supply of water, health services and energy;
2. an important effect on the economy;
3. an event that would result in massive casualties or fatalities; or
4. failure or substantial disruption of the money market.
If an organisation has been identified as a critical information infrastructure, its owners will have to:
1. conduct an assessment of the threats, vulnerabilities, risks and probability of a cyber-attack on the critical information infrastructure;
2. measure the overall preparedness against damage to, or unauthorised access to, the critical information infrastructure;
3. identify any other risk-based factors that are appropriate and necessary to protect the critical information infrastructure;
4. implement an information security policy;
5. conduct a periodic IT Security Risk Assessment of the critical information infrastructure;
6. implement an incident reporting policy;
7. develop a Security Awareness Programme.
Moreover, the owner of a critical information infrastructure shall, every year, or where there is a major upgrade or change in the IT infrastructure, carry out an independent IT Security Audit.
Any owner of a critical information infrastructure who –
· fails to carry out an IT Security Audit under subsection (1);
· fails to submit to the Committee the report of the IT Security Audit;
· fails to provide to the Committee any additional information as may be required within a specified period in order to evaluate the report of the IT Security audit;
· hinders, obstructs or improperly attempts to influence any person or organisation authorised to carry out the IT Security audit; or
· hinders, obstructs or attempts to influence any member of the Committee, person or entity to monitor, evaluate and report on the adequacy and effectiveness of the findings of the IT Security audit,
shall commit an offence and shall, on conviction, be liable to a fine not exceeding 100,000 rupees and to imprisonment for a term not exceeding 5 years.
PART VI – COMPUTER EMERGENCY RESPONSE TEAM OF MAURITIUS (CERT-MU)
This part of the act defines the role of CERT-MU.
PART VII – INTERNATIONAL COOPERATION
Here, the act describes the various levels of collaboration with other countries.
PART VIII – GENERAL PROVISIONS
The last part of the act is self-explanatory. It covers the general provisions of the act.
If you think that your organisation might be considered a critical information infrastructure, you can contact us for a free consultation. If you would like to know more about information security, data privacy and cybersecurity in general, you can enrol in our MQA-approved courses. Do not hesitate to contact us.