How an omission in fundamental email protection might lead to delictual liability
In our previous blog, “Where Delict and Cyber Security Meet”, we explained the importance for businesses, policymakers and individuals alike to examine how delict principles apply in the digital realm. Here we provide a scenario analysis of how a delict may take shape:
Scenario Overview
Email remains one of the most exploited channels for cybercrime. In fact, it’s estimated that 91% of all cyber-attacks begin with an email. DMARC is a technical protocol designed to protect domains from being spoofed (hijacked/impersonated), preventing phishing, ransomware, BEC (Business Email Compromise) and other email-based attacks. DMARC is always used together with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). The absence of a fully compliant DMARC policy can lead to serious consequences, as illustrated in this scenario.
The Incident
- The Email
Jane receives an email that appears to be from ABC Insurance Brokers (a Category 1 Financial Service Provider (FSP)), a reputable business she knows and trusts. The sender’s domain looks authentic, with no spelling errors or inconsistencies. Confident that the email is legitimate, Jane opens it.
- The Attachment
The email contains an attachment asking her to update the client’s details. When she clicks on and opens the document, malware is installed on her computer; it exfiltrates her personal and client data and also installs ransomware that locks all her files.
- The Impersonation
Unknown to Jane, the email was not sent by ABC Insurance Brokers but by a cybercriminal spoofing their domain. ABC Insurance Brokers did not have a fully compliant DMARC policy in place, allowing the attacker to forge emails that appeared to be the company’s legitimate communications.
The Legal Perspective: Delictual Liability
Jane considers legal action against ABC Insurance Brokers, arguing that their failure to implement a compliant DMARC policy was negligent and directly contributed to her harm. Here’s how the elements of delictual liability may apply:
- Conduct
ABC Insurance Brokers’ failure to implement a fully compliant DMARC policy may constitute an omission – a failure to act responsibly in safeguarding its domain from being spoofed. This omission could satisfy the “conduct” element of delict.
- Wrongfulness
To establish wrongfulness, Jane must show that ABC Insurance Brokers’ omission violated a legal duty to protect its customers and stakeholders from foreseeable harm. In this case, Jane’s personal information and computer system were compromised. ABC Insurance Brokers had a duty to safeguard their digital communication channels, especially as email spoofing is a well-known risk.
Potential regulations which might apply to this cyber incident include: the Protection of Personal Information Act (POPIA), the Financial Advisory and Intermediary Services (FAIS) Act, Joint Standard 2: Cybersecurity and Cyber Resilience Requirements for Financial Institutions, the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA), and the National Cybersecurity Policy Framework (NCPF).
- Fault
Fault would be assessed based on negligence. Jane’s legal team could argue that ABC Insurance Brokers failed to exercise reasonable care by neglecting to implement a fully compliant DMARC policy, despite its well-known and widespread use in preventing domain spoofing. When one Googles “tools to stop email spoofing”, the role of DMARC, along with SPF and DKIM, is evident.
- Harm
Jane would suffer direct and measurable harm, which may include financial losses such as:
– Her business being disrupted, effectively rendering it crippled
– Paying the ransom and/or recovering data and systems
– Theft of funds
– Personal data being used maliciously
– Loss of existing clients and new business
- Causation
The link between ABC Insurance Brokers’ omission (conduct) and Jane’s harm must be established. Since a spoofed email would have been prevented by a properly configured DMARC policy, ABC Insurance Brokers’ negligence could be considered the direct cause of Jane’s losses.
Key Considerations for Businesses
This scenario highlights the legal (and reputational) risks businesses may face when they fail to secure their email domains adequately. Companies can mitigate such risks by implementing a fully compliant DMARC policy (configured with “reject” as the enforcement level, or p=reject). This instructs receiving mail servers to reject messages that fail DMARC checks, so unauthorised parties cannot deliver email that appears to come from the company’s domain. Certain core elements are essential to cybersecurity, and for domain owners, DMARC is a crucial one.
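To make concrete both how DMARC builds on SPF and DKIM (Scenario Overview) and what “fully compliant” means in practice (p=reject applied to all mail and subdomains), here is an added example that is not part of the original post and not a tool from ARMD.digital. It parses DMARC TXT records, grades them as missing, monitoring-only, partial or enforced, and then applies a record to a message’s SPF and DKIM results the way a receiving mail server would, including identifier alignment. The domain names and records are constructed samples rather than real DNS lookups, and the organisational-domain check is a simplification (a real receiver consults the Public Suffix List).

```python
"""Evaluate DMARC records and identifier alignment as a receiving mail server would.

Added example; not code from the original post or from ARMD.digital. All
records and message details below are constructed, not real DNS data.
"""

# Constructed sample DMARC TXT records keyed by domain (stands in for a DNS lookup).
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "enforced.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@enforced.example",
    "no-record.example": None,
    "wrong-record.example": "v=spf1 include:_spf.mail.example -all",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None if it is not a valid record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must carry v=DMARC1 and a p= policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_policy(record):
    """Grade a record: 'missing', 'monitor' (p=none), 'partial', or 'enforced' (reject on all mail)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp= defaults to the p= value
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers fall back to the default when pct= is malformed
    if policy == "none":
        return "monitor"
    if policy == "reject" and subdomain_policy == "reject" and pct == 100:
        return "enforced"
    return "partial"  # quarantine, sampled enforcement, or weaker subdomain policy


def organizational_domain(domain):
    """Approximate the organisational domain as the last two labels (simplification; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_result(header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the From-domain's DMARC record to one message's SPF/DKIM outcomes.

    Returns (disposition, detail). Disposition is what the receiver should do:
    'none' (deliver), 'quarantine', 'reject', or 'no-policy' when no record exists.
    The pct= sampling tag is ignored here for simplicity.
    """
    tags = parse_dmarc(SAMPLE_RECORDS.get(header_from))
    if tags is None:
        return ("no-policy", "no DMARC record; a spoofed message is delivered as-is")
    # An attacker's own envelope domain can pass SPF, but it will not be aligned with From:.
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("none", "DMARC pass: " + ("SPF" if spf_ok else "DKIM") + " is aligned")
    return (tags["p"].lower(), "DMARC fail: no aligned SPF or DKIM pass")


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {assess_policy(record)}")
    # The scenario's spoofed mail: attacker's server passes SPF for its own domain only.
    print(dmarc_result("enforced.example", "pass", "attacker.example", "none", ""))
    print(dmarc_result("monitor.example", "pass", "attacker.example", "none", ""))
```

The last two calls show the difference the post turns on: with p=reject the forged message is rejected, while with p=none (monitoring only) or no record at all the same message is delivered, which is the configuration gap attributed to ABC Insurance Brokers in the scenario.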
Conclusion
This scenario analysis underscores the growing intersection of delict and cyber security. While Jane was the immediate victim of the spoofing attack, ABC Insurance Brokers’ failure to adopt adequate preventive measures made it complicit in the harm caused. By understanding their legal obligations and proactively securing their digital infrastructure, businesses can avoid such liability, protect their stakeholders, and foster trust in their operations.
The cost of negligence in the digital age extends far beyond financial damages—it erodes credibility and exposes businesses to legal scrutiny. A fully implemented DMARC policy is not just a technical safeguard; it is a fundamental step in upholding the duty of care every organisation owes to its stakeholders.
Check your domain’s DMARC status with ARMD.digital’s “Know your score” tool and take the first step in protecting yourself and others.