With environmental, social and governance (ESG) frameworks becoming a critical aspect of corporate evaluation, cybersecurity has become a key metric in assessing an organisation’s governance.

To bolster their ESG frameworks, South African organisations should fortify their cybersecurity governance processes by taking note of two key pieces of South African legislation: the Cybercrimes Act, 2018 and the Protection of Personal Information Act, 2013 (Popia).

South Africa is ranked as having the third-highest number of cybercrime victims worldwide – something that costs the country R2.2-billion a year. Over the past two years, many businesses have inadvertently opened the door to the murky world of cybercrime by boosting their online presence.

The Cybercrimes Act was introduced to combat this increased threat, and several of its elements came into effect on 1 December 2021. Some of the objectives of the act include:

• The creation of cybercrime offences, penalties for committing cybercrimes;
• The regulation of the issue of jurisdiction; and
• The establishment of a designated point-of-contact centre. 

This new legislation grants law enforcement officers extensive powers to investigate, search, access and seize various things such as computers, databases and networks. It also creates many new offences, mostly relating to data, messages, computers and networks involving hacking, the unlawful interception of data, ransomware attacks, cyberforgery and uttering, and cyberextortion.

Certain cybercrimes also constitute reportable security compromises (data breaches). In terms of Popia, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must, as a general rule, notify the Information Regulator and the relevant data subjects as soon as possible. It is important to note that there is no threshold in respect of data-breach reporting in Popia.

For this reason, it is critical to have an incident management plan setting out the steps to determine whether a cybercrime constitutes a reportable data breach and vice versa. In addition, organisations should ensure they have robust breach detection, investigation and internal reporting procedures in place.

A good cybergovernance strategy includes:

1. Clearly defining the organisation’s cybersecurity strategy and goals;
2. Developing and implementing standards to subscribe to, which may include international cybersecurity standards;
3. Establishing appropriate internal processes and procedures to manage cyber risks;
4. Determining protocols to enforce compliance with policies, standards, processes and procedures;
5. Identifying key personnel who may be held accountable and can hold others accountable;
6. Ensuring that senior management are cognisant of the cyberstrategy and take cyber-risk events seriously; and
7. Equipping all personnel with the relevant resources and guidance to carry out the organisation’s cyberstrategy. DM

Rakhee Dullabh is Executive in the Technology, Media and Telecommunications Department of law firm ENSafrica. Era Gunning is Executive in the firm’s Banking and Finance Department.