Cybercrime and artificial intelligence in the management of sectional title schemes

A legal and technological risk analysis

30 June 2025 | Razeen Khan

Cybercrime taking place in community schemes

Abstract

As technology becomes increasingly embedded in the administration of sectional title schemes, the rise in cybercrime poses unprecedented risks. Managing agents, as custodians of sensitive personal and financial information, are required to navigate a complex landscape of data protection obligations and cybersecurity threats.

This article explores the intersection of cybercrime, artificial intelligence (AI), and property management, with particular reference to South African sectional title schemes. It evaluates current legislative protections, technological vulnerabilities, and the ethical responsibilities of managing agents in safeguarding data. Furthermore, it considers how AI tools can both mitigate and exacerbate cybersecurity risks. The article concludes with recommendations for policy and practice reforms grounded in both domestic legal developments and international standards.

1. Introduction

The administration of sectional title schemes in South Africa is undergoing rapid digital transformation. Managing agents now rely on cloud-based platforms, automated accounting systems, and digital communication tools to manage records, levy collections, and owner correspondence. While these innovations increase efficiency, they also expose schemes to cybercrime risks, including hacking, phishing, ransomware, and unauthorized data access. The stakes are high: owners’ identities, banking details, levy statements, and trustee communications are all vulnerable to breaches.

AI introduces further complexity. On one hand, AI-powered tools can enhance cybersecurity through anomaly detection, behavioural analysis, and automated threat response. On the other, these same technologies, if poorly managed, can amplify vulnerabilities or be exploited by malicious actors. Managing agents must therefore adopt robust information security practices, guided by both legal obligations under the Protection of Personal Information Act 4 of 2013 (POPIA) and ethical considerations concerning trust and fiduciary duty.

2. Legal framework for cybersecurity in sectional title schemes

2.1 POPIA and the responsible party principle

POPIA, which came into full effect on 1 July 2021, imposes a duty on the “responsible party” (in this context, often the managing agent or the body corporate) to safeguard personal information. Section 19 of POPIA requires responsible parties to implement appropriate, reasonable technical and organisational measures to prevent loss, damage, or unlawful access to personal data.

The information processed by managing agents typically includes the names and contact details of owners and tenants, banking details, levy payment history, internal correspondence including trustee minutes, and access control records such as biometric data or entry logs. Non-compliance may attract administrative fines or civil liability, particularly where data breaches result in financial or reputational harm. This also highlights the need for a comprehensive POPI policy to show that the scheme is compliant in this regard.

2.2 CSOS Act and governance responsibilities

Under the Community Schemes Ombud Service Act 9 of 2011 (CSOS Act), schemes must ensure that administrative practices are transparent, efficient, and fair. The Prescribed Management Rules (Annexure 1 of the Sectional Titles Schemes Management Act Regulations) require that all scheme documents be kept safe and accessible. In the digital age, this includes secure electronic storage and protection against cyber intrusion. The CSOS itself has recognised in its “Guidelines on Good Governance in Community Schemes” that digital recordkeeping must comply with cybersecurity best practices, although enforcement remains limited.

3. Cybercrime threats facing managing agents

Common forms of cybercrime

Managing agents are susceptible to various forms of cybercrime. Phishing attacks typically involve fraudulent emails impersonating scheme executives or service providers, designed to gain access to accounts or trick recipients into transferring funds. Ransomware attacks involve the installation of malware that locks access to scheme records until a ransom is paid. Data breaches can lead to the unauthorized access or publication of levy statements, identity documents, or trustee communications. Insider threats also remain a concern, where staff within managing agencies misuse privileged access to compromise data integrity. 

4. The role of AI: Risk and remedy

4.1 AI as a protective tool

AI-enhanced cybersecurity can help managing agents detect suspicious access patterns, flag phishing emails, and automate intrusion detection.

Some of the most effective tools include behavioural biometric verification (such as typing patterns), AI-assisted anomaly detection in financial records, and intelligent spam filters for trustee and owner communication. These tools offer the potential to increase digital safety and operational responsiveness in managing scheme data.

4.2 Risks of AI misuse and bias

AI systems themselves can be vulnerable to attack or misuse. Poorly configured systems may grant excessive access, misclassify legitimate user behaviour as suspicious, or be subject to adversarial manipulation. Furthermore, if AI is used in managing access control systems, such as facial recognition at gates, it raises privacy concerns under POPIA, especially where biometric data may be collected without fully informed consent or stored without encryption. Overreliance on AI also risks dehumanising dispute resolution and communication processes within schemes.

5. Ethical and fiduciary responsibilities of managing agents

Managing agents occupy a fiduciary role, acting on behalf of schemes and owners in trust. This role encompasses a duty of care and good faith, including ensuring that data is stored and processed ethically. The South African Board for People Practices (SABPP) Code of Ethics recommends that professionals in administrative roles prioritise confidentiality and transparency, and ensure consent-based processing of personal information.

The principle of data minimisation (collecting only information that is strictly necessary) must guide AI deployment. Excessive data harvesting, such as around-the-clock surveillance or location tracking of residents, may undermine privacy and generate legal liability, especially if not adequately disclosed.

6. Recommendations and conclusions

In order to navigate the risks associated with cybercrime and AI, sectional title schemes must evolve their governance and compliance models. Managing agents should consider implementing formal cybersecurity audits conducted by third-party professionals on an annual basis. All schemes should adopt comprehensive data protection policies that are aligned with POPIA, specifying how data is collected, accessed, shared, and ultimately destroyed.

AI tools must be deployed with care and subject to transparent internal governance frameworks. Policies should be developed to define the limits of AI usage, the safeguards in place, and the data on which these tools are trained. Consent for data processing, especially for biometric and behavioural data, must be freely given, specific, and revocable.

It is also advisable that schemes and their agents invest in cyber liability insurance that can cover the costs of breach notification, legal claims, and forensic investigation. While POPIA provides a domestic legal foundation, aligning internal policies with international standards on information security management will provide an additional layer of protection and credibility.

Digital transformation offers enormous promise for the efficient management of community schemes, but must be undertaken responsibly. When approached with foresight and ethical awareness, AI and data management tools can enhance transparency, accountability, and efficiency. However, if mismanaged, they can erode trust, compromise privacy, and expose schemes to significant harm. The legal and moral imperative is clear: information must be protected with the same diligence as physical property, if not more.

If you have any questions on the above or would like any assistance with POPIA, please contact info@tvdmconsultants.com for more information.

References

  • Protection of Personal Information Act 4 of 2013 (POPIA)

  • Sectional Titles Schemes Management Act 8 of 2011 (STSMA)

  • Community Schemes Ombud Service Act 9 of 2011 (CSOSA)

  • The Prescribed Management Rules (Annexure 1 of the Sectional Titles Schemes Management Act Regulations)

  • Guidelines issued by the Information Regulator (www.inforegulator.org.za)

  • International Standard for Information Security Management Systems (ISO/IEC 27001, referenced, not binding under SA law)


Razeen Khan, community scheme consultant from TVDM Consultant (Legal)

About Razeen Khan

Razeen is a Community Schemes Consultant at TVDM Consultants

Razeen grew up in Johannesburg and completed his LLB Degree at the University of Cape Town, achieving distinctions in multiple subjects. During his free time at university, he enjoyed archery and tennis, becoming a valued member of both clubs. Razeen worked with student outreach programs at UCT, and also excelled in his work with the UCT Law Clinic, assisting clients to ensure that their rights of access to justice were met swiftly. 
