In today’s digital age, the importance of cybersecurity cannot be overstated. As businesses increasingly rely on digital infrastructure, the risks associated with cyber threats have escalated, placing directors and executives at the forefront of an organisation’s technology and information governance as well as its risk governance. In South Africa, the regulatory environment regarding cybersecurity is rapidly evolving. Directors therefore need to comprehend their responsibilities in protecting their organisations from these emerging threats.

Impact of Cybersecurity Breaches: Recent Case Studies

Cybersecurity incidents can lead to substantial financial losses, reputational damage, and legal repercussions. The case studies below illustrate two recent examples of the significant impact of cybersecurity breaches on South African businesses:

Transnet Cyberattack (2021): In July 2021, Transnet, South Africa’s state-owned freight and logistics company, suffered a significant ransomware attack that disrupted operations across its rail and port networks. The attack led to severe reputational harm as clients questioned the company’s ability to safeguard sensitive information. Financially, Transnet faced losses estimated in the millions, not only from the immediate operational disruptions but also from the costs associated with recovery and incident response. This incident serves as a clear reminder of the vulnerabilities that large organisations face and the cascading effects of a cyber breach.

Experian Data Breach (2020): In 2020, Experian South Africa experienced a data breach that exposed the personal information of approximately 24 million South Africans. The breach raised significant concerns regarding the handling of personal data under the Protection of Personal Information Act No. 4 of 2013 (“POPIA”). The reputational damage was profound, as the breach eroded consumer trust and raised questions about the adequacy of Experian’s data protection measures. Financially, the company faced potential penalties under POPIA, which could reach up to R10 million or 1% of the annual turnover, as well as the costs associated with remediation and public relations efforts to restore its image.

Legal Framework

The South African Cybercrimes Act No. 19 of 2020 (“the Cybercrimes Act”) establishes a legal framework for combating cybercrime, imposing various obligations on businesses to protect against data breaches and cyber threats. In particular, Section 3 of the Act outlines the offences related to unlawful access, interception, and data interference, which can lead to severe penalties.

The King IV Report on Corporate Governance for South Africa, 2016 (“King IV”) further underscores the need for effective cybersecurity governance. Principle 11 highlights the governing body’s role in managing risks to align with the organisation’s strategic objectives. For cybersecurity, directors must identify and prioritise cyber risks that could hinder success. This includes establishing risk management frameworks, conducting regular assessments, and allocating resources to mitigate threats, thereby protecting the organisation and fostering a security-conscious culture.

Principle 12 focuses on overseeing the governance of technology and information to support strategic goals. Accordingly, directors should ensure the organisation adopts effective cybersecurity measures and data protection protocols. This involves investing in technology, promoting employee training, and ensuring compliance with relevant laws and regulations. By doing so, they enhance resilience against cyber threats and enable the organisation to leverage technology as a strategic asset.

Directors’ Responsibilities

Directors are responsible for overseeing their organisations’ strategic direction and ensuring adequate measures are in place to mitigate cybersecurity risks. This includes:

1. Risk Management: Directors must ensure that organisations have robust risk management frameworks that identify, assess, and mitigate cybersecurity risks. This aligns with the Companies Act No. 71 of 2008 (“the Companies Act”), specifically Section 76, which mandates that directors act in the company’s best interests and exercise care, skill, and diligence in their decisions.

2. Compliance with Legislation: Directors should be aware of and comply with relevant laws, such as POPIA, which regulates the processing of personal information. Sections 8 and 9 of POPIA impose obligations on responsible parties to implement appropriate security measures to safeguard personal information by complying with lawful processing conditions for personal information, including defining the purpose and means of processing. The board of directors is therefore required to ensure legal compliance with POPIA while mitigating cybersecurity risks and protecting individual privacy. Failure to comply can result in heavy fines and potential reputational damage.

3. Incident Response Planning: Directors need to establish and review incident response plans to ensure their organisations can respond effectively to cybersecurity breaches. This includes outlining the roles and responsibilities of the board in the event of a breach.

The Role of the Information Officer and the Information Regulator

Under POPIA, each company must appoint an Information Officer, responsible for ensuring compliance with the Act. The Information Officer plays a crucial role in managing data protection strategies and responding to data breaches. If a data subject’s personal information is believed to have been accessed by an unauthorised person, the Information Officer must notify the Information Regulator and the data subject in writing as soon as reasonably possible, unless the data subject’s identity cannot be established. Notification may only be delayed if it would hinder a criminal investigation. Timely notification is essential for mitigating the impact of the breach and demonstrating the organisation’s commitment to compliance.

The Information Regulator, established under POPIA, oversees the enforcement of data protection laws and has the authority to investigate breaches and impose sanctions. This regulatory oversight serves as a critical reminder for directors to prioritise cybersecurity and ensure their organisations have the necessary frameworks in place.

Conclusion

As the digital landscape continues to evolve, so too does the responsibility of directors to safeguard their organisations against cybersecurity threats. By understanding the legal implications and implementing robust governance frameworks, directors can play a pivotal role in mitigating risks and protecting their businesses from potential harm.

At Rasiluma TD Attorneys Inc., we specialise in providing comprehensive legal services tailored to the unique needs of our clients. Our team is well-versed in corporate governance, cybersecurity law, and compliance issues, ensuring that your organisation is equipped to navigate the complexities of the digital age. Contact us today to learn more about how we can assist you in safeguarding your business against cyber risks.
