With environmental, social and governance (“ESG”) frameworks becoming a critical aspect of corporate evaluation, cybersecurity has become a key metric in assessing an organisation’s governance.
To bolster their ESG frameworks, South African organisations should look to fortify their cybersecurity governance processes by taking note of two key pieces of South African legislation: the Cybercrimes Act, 2018 (“Cyber Act”) and the Protection of Personal Information Act, 2013 (“POPIA”).
South Africa is ranked as having the third highest number of cybercrimes victims worldwide – an issue that costs the country ZAR2.2-billion a year. Over the past two years, many businesses have inadvertently opened the door to the murky world of cybercrime by accelerating their online presence.
The Cyber Act was introduced to combat this increased threat, and several of its elements came into effect on 1 December 2021. Some of the objectives of the Cybercrimes Act include:
- the creation of cybercrime offences, penalties for committing cybercrimes;
- the regulation of the issue of jurisdiction; and
- the establishment of a designated point of contact centre.
This new legislation grants law enforcement officers extensive powers to investigate, search, access and seize various articles, such as computers, databases, or networks. It also creates many new offences, mostly relating to data, messages, computers, and networks involving hacking, the unlawful interception of data, ransomware attacks, cyber forgery and uttering, and cyber extortion.
Certain cybercrimes also constitute reportable security compromises (data breaches). In terms of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must, as a general rule, notify the Information Regulator and the relevant data subjects as soon as reasonably possible. It is important to note that there is no threshold in respect of data-breach reporting in POPIA.
For this reason, it is critical to have an incident management plan setting out the steps to determine whether a cybercrime constitutes a reportable data breach and vice versa. In addition, organisations should ensure they have robust breach detection, investigation and internal reporting procedures in place.
A good cyber governance strategy includes:
- Clearly defining the organisation’s cybersecurity strategy and goals.
- Developing and implementing standards to subscribe to, which may include international cybersecurity standards.
- Establishing appropriate internal processes and procedures to manage cyber risks.
- Determining protocols to enforce compliance with policies, standards, processes and procedures.
- Identifying key personnel who may be held accountable and can hold others accountable.
- Ensuring that senior management are cognisant of the cyber strategy and take cyber risk events seriously.
- Equipping all personnel with the relevant resources and guidance to carry out the organisation’s cyber strategy.