April 4, 2023
Cybersecurity has increasingly become necessary to protect industries and governments from cyberattacks, theft, damage and to prevent disruption to businesses. Cybersecurity regulation delineates the type of control an organisation must deploy to protect itself and its customers, the persons responsible for ensuring security and the measures to take in the event of a cyberattack.
Cybersecurity in Ghana
The Cybersecurity Act, 2020 (Act 1038) (Cybersecurity Act) came into force on 29 December 2020. It regulates cybersecurity activities and promotes the development of cybersecurity in Ghana. Particularly, it provides for the regulation of critical information infrastructure, cybersecurity service providers, cybersecurity professionals and practitioners as well as cybersecurity products and technology solutions. It also provides a procedure for obtaining data for investigations and for the protection of children online. With the passing of the Cybersecurity Act, the National Cyber Security Centre has transitioned into the Cybersecurity Authority.
Licensing of Cybersecurity Industry Players
The framework for the licensing of cybersecurity industry players has been in the pipeline for a few years. Public consultation and other meetings culminated in the commencement of the licensing of cybersecurity industry players by the Cybersecurity Authority on 1 March 2023. This licensing regime applies to cybersecurity service providers which offer digital forensics services, cybersecurity training, vulnerability assessment and penetration testing and other similar services. Similarly, cybersecurity establishments with a digital forensics facility or a managed cybersecurity service facility must be accredited for this purpose from 8 March 2023. Finally, from 15 March 2023, professionals with qualification and experience in vulnerability assessment and penetration training, digital forensic services, managed cybersecurity services and cybersecurity governance, risk and compliance must be accredited by the Cybersecurity Authority. The Cybersecurity Authority is yet to establish a mechanism for the certification of cybersecurity products and technology solutions.
Defaults and Ensuing Penalties
Persons who undertake a cybersecurity service without a licence would be liable to a penalty equivalent to the cost of damage caused and value of the financial gain made. Licensed service providers who use a licence contrary to the purpose for which the licence was granted, would be liable to a fine of GHS600,000.
