On 29 December 2020, the Cybersecurity Act, 2020 came into force with the assent of the President of the Republic of Ghana. The Act establishes the Cybersecurity Authority and regulates cybersecurity activities in Ghana. Below is a Q & A on some of the key aspects of the governance framework under the Cybersecurity Act.
a) What is the Cybersecurity Authority?
The Cybersecurity Authority is a body corporate established under the Cybersecurity Act, 2020 to regulate and promote developments within Ghana’s cybersecurity space. This mandate will see the Cybersecurity Authority play a key role in preventing, managing, and responding to cybersecurity incidents in Ghana. The Authority will also regulate owners of critical information infrastructure with respect to their cybersecurity activities, services and practices.
b) Which Ministries govern the Cybersecurity Authority?
The Cybersecurity Authority is multisectoral and falls under the control of the Ministries of Communication, Interior, Defence, and National Security.
c) What is the scope of the mandate of the Cybersecurity Authority?
The Cybersecurity Authority has a wide mandate to ensure that Ghana is protected from cyber-attacks and breaches. To this end, the Authority will monitor cybersecurity threats within and outside Ghana and take measures in response to cybersecurity attacks and breaches, especially those with the potential to threaten Ghana’s national security, economy, international relations, and public health. In addition, the Authority serves as the regulator of cybersecurity practitioners and standards in Ghana.
d) Who/What does the Cybersecurity Act apply to?
The Cybersecurity Act applies to everyone who is involved in, or could potentially be affected by, cybercrime or a cybersecurity incident. The Act defines cybercrime as the use of cyberspace, information technology or electronic facilities to commit a crime. A cybersecurity incident is defined as an act or attempt, whether successful or not, to gain unauthorised access to, disrupt or misuse an information system or information stored on an information system.
The Act, therefore, applies to a wide variety of persons including public sector actors, banking and financial institutions, telecommunications companies, energy and utility firms, and transport operators.
e) To what extent does the state have control over a computer system?
At the heart of the Cybersecurity Act is the protection of computer systems. A computer system includes a variety of technological devices with computing capabilities such as an operational technology system, or any device which has supervisory control and data acquisition and distribution capabilities.
The Act gives any of the Ministers responsible for Communication, Interior, Defence, and National Security the power to designate a computer system as a critical information infrastructure. By this classification, the infrastructure is considered essential for national security or the economic well-being of citizens, and is therefore subject to the Authority’s supervision and regulation.
f) Is there a regime for regulating cybersecurity service providers?
Yes, there is. The Act gives the Authority the power to license cybersecurity service providers. The activities that require a licence from the Authority include: (a) assessing, testing, and evaluating the vulnerabilities of cybersecurity systems; (b) conducting forensic examinations; (c) investigating and responding to a cybersecurity incident; and (d) conducting a thorough examination of a computer system to detect any cybersecurity threat or incident.
Licences are valid for two years from the date of issue and are not transferable under any circumstance. A licence granted to a person may be suspended or revoked for breach of the terms of issue.