Organisations need to fortify online security governance – cybercrime costs SA R2.2bn a year


South Africa has the third-highest number of cybercrime victims worldwide. Over the past two years, many businesses have inadvertently opened the door to the murky world of cybercrime by boosting their online presence.

With environmental, social and governance (ESG) frameworks becoming a critical aspect of corporate evaluation, cybersecurity has become a key metric in assessing an organisation’s governance.

To bolster their ESG frameworks, South African organisations should fortify their cybersecurity governance processes by taking note of two key pieces of South African legislation: the Cybercrimes Act, 2018 and the Protection of Personal Information Act, 2013 (Popia).

South Africa is ranked as having the third-highest number of cybercrime victims worldwide – something that costs the country R2.2-billion a year. Over the past two years, many businesses have inadvertently opened the door to the murky world of cybercrime by boosting their online presence.

The Cybercrimes Act was introduced to combat this increased threat, and several of its elements came into effect on 1 December 2021. Some of the objectives of the act include:

  • The creation of cybercrime offences and penalties for committing cybercrimes;
  • The regulation of the issue of jurisdiction; and
  • The establishment of a designated point-of-contact centre. 

This new legislation grants law enforcement officers extensive powers to investigate, search, access and seize various things such as computers, databases and networks. It also creates many new offences, mostly relating to data, messages, computers and networks involving hacking, the unlawful interception of data, ransomware attacks, cyberforgery and uttering, and cyberextortion.

Certain cybercrimes also constitute reportable security compromises (data breaches). In terms of Popia, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must, as a general rule, notify the Information Regulator and the relevant data subjects as soon as possible. It is important to note that there is no threshold in respect of data-breach reporting in Popia.

For this reason, it is critical to have an incident management plan setting out the steps to determine whether a cybercrime constitutes a reportable data breach and vice versa. In addition, organisations should ensure they have robust breach detection, investigation and internal reporting procedures in place.

A good cybergovernance strategy includes:

  1. Clearly defining the organisation’s cybersecurity strategy and goals;
  2. Developing and implementing standards to subscribe to, which may include international cybersecurity standards;
  3. Establishing appropriate internal processes and procedures to manage cyber risks;
  4. Determining protocols to enforce compliance with policies, standards, processes and procedures;
  5. Identifying key personnel who may be held accountable and can hold others accountable;
  6. Ensuring that senior management are cognisant of the cyberstrategy and take cyber-risk events seriously; and
  7. Equipping all personnel with the relevant resources and guidance to carry out the organisation’s cyberstrategy. DM

Rakhee Dullabh is Executive in the Technology, Media and Telecommunications Department of law firm ENSafrica. Era Gunning is Executive in the firm’s Banking and Finance Department.

