South Africa


Organisations need to fortify online security governance – cybercrime costs SA R2.2bn a year

Organisations need to fortify online security governance – cybercrime costs SA R2.2bn a year
One of the biggest business risks to South Africa is cybercrime. (Photo: Unsplash)

South Africa has the third-highest number of cybercrime victims worldwide. Over the past two years, many businesses have inadvertently opened the door to the murky world of cybercrime by boosting their online presence.

With environmental, social and governance (ESG) frameworks becoming a critical aspect of corporate evaluation, cybersecurity has become a key metric in assessing an organisation’s governance.

To bolster their ESG frameworks, South African organisations should fortify their cybersecurity governance processes by taking note of two key pieces of South African legislation: the Cybercrimes Act, 2018 and the Protection of Personal Information Act, 2013 (Popia).

South Africa is ranked as having the third-highest number of cybercrime victims worldwide – something that costs the country R2.2-billion a year. Over the past two years, many businesses have inadvertently opened the door to the murky world of cybercrime by boosting their online presence.

The Cybercrimes Act was introduced to combat this increased threat, and several of its elements came into effect on 1 December 2021. Some of the objectives of the act include:

  • The creation of cybercrime offences, penalties for committing cybercrimes;
  • The regulation of the issue of jurisdiction; and
  • The establishment of a designated point-of-contact centre. 

This new legislation grants law enforcement officers extensive powers to investigate, search, access and seize various things such as computers, databases and networks. It also creates many new offences, mostly relating to data, messages, computers and networks involving hacking, the unlawful interception of data, ransomware attacks, cyberforgery and uttering, and cyberextortion.

Certain cybercrimes also constitute reportable security compromises (data breaches). In terms of Popia, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must, as a general rule, notify the Information Regulator and the relevant data subjects as soon as possible. It is important to note that there is no threshold in respect of data-breach reporting in Popia.

For this reason, it is critical to have an incident management plan setting out the steps to determine whether a cybercrime constitutes a reportable data breach and vice versa. In addition, organisations should ensure they have robust breach detection, investigation and internal reporting procedures in place.

A good cybergovernance strategy includes:

  1. Clearly defining the organisation’s cybersecurity strategy and goals;
  2. Developing and implementing standards to subscribe to, which may include international cybersecurity standards;
  3. Establishing appropriate internal processes and procedures to manage cyber risks;
  4. Determining protocols to enforce compliance with policies, standards, processes and procedures;
  5. Identifying key personnel who may be held accountable and can hold others accountable;
  6. Ensuring that senior management are cognisant of the cyberstrategy and take cyber-risk events seriously; and
  7. Equipping all personnel with the relevant resources and guidance to carry out the organisation’s cyberstrategy. DM

Rakhee Dullabh is Executive in the Technology, Media and Telecommunications Department of law firm ENSafrica. Era Gunning is Executive in the firm’s Banking and Finance Department.


Comments - Please in order to comment.

Please peer review 3 community comments before your comment can be posted


This article is free to read.

Sign up for free or sign in to continue reading.

Unlike our competitors, we don’t force you to pay to read the news but we do need your email address to make your experience better.

Nearly there! Create a password to finish signing up with us:

Please enter your password or get a sign in link if you’ve forgotten

Open Sesame! Thanks for signing up.

We would like our readers to start paying for Daily Maverick...

…but we are not going to force you to. Over 10 million users come to us each month for the news. We have not put it behind a paywall because the truth should not be a luxury.

Instead we ask our readers who can afford to contribute, even a small amount each month, to do so.

If you appreciate it and want to see us keep going then please consider contributing whatever you can.

Support Daily Maverick→
Payment options

Daily Maverick Elections Toolbox

Feeling powerless in politics?

Equip yourself with the tools you need for an informed decision this election. Get the Elections Toolbox with shareable party manifesto guide.