South Africa’s sophisticated corporate sector, combined with weak cyber law enforcement outcomes, has made it an attractive test bed for cyber criminals. As companies continue to be disrupted by data breaches, regulators are likely to enhance reporting obligations and increase enforcement action.
Regulatory enforcement powers under the Protection of Personal Information Act in South Africa became effective in July 2021. The Information Regulator (South Africa) has since been prioritising education around data subject rights and building capacity within its ranks to investigate data security compromises. We expect in 2023 to see the first demonstration of the Information Regulator’s enforcement powers in the form of administrative fines.
This trend is also apparent in other African countries such as Kenya, Uganda and Zambia, which have established data and privacy regulators but are yet to see significant enforcement action. The potential revenue from regulatory fines imposed for breach of cyber regulations is likely to be a driver of enforcement actions in South Africa and its neighbouring states.
South Africa has experienced a raft of high-profile ransomware attacks targeting companies in the sophisticated healthcare, retail, banking, manufacturing and logistics sectors, as well as an uptick in fraudulent funds transfer crime and business email compromise affecting companies of all sizes. Business leaders are faced with the pressing need to adopt proactive measures to mitigate these risks, given that weak law enforcement offers little deterrent.
Recent moves by South Africa’s financial regulators to regulate crypto assets as financial products may impact due diligence requirements where ransom payments are considered. The proposed cryptocurrency regulations are aimed at thwarting theft and money laundering, and it is hoped this may deter ransomware attacks by reducing victims’ ability to pay with crypto assets. Financial institutions in South Africa are also expected to comply with new proposed cyber regulations focused on internal controls and risk management procedures relating to cyber risk and resilience. These interventions pave the way for stronger regulatory oversight and enforcement action.
Given the pace at which cyber risks develop, it is important for companies to keep a keen eye on changing compliance and enforcement trends. A sound understanding of the developing cyber threat landscape, security posture enhancements and the evolution of data protection laws will be key to mitigating cyber-related losses.