Cybersecurity and legal experts are warning that an increase in cyberattacks and the pending implementation of the Protection of Personal Information Act (POPIA) expose South African companies to increased regulatory, reputational and financial risk.

Brian Pinnock, cybersecurity expert at Mimecast, says these days it’s a matter of when – not if – an organisation is going to be attacked.

“The issue is that we don’t currently understand the full extent of the problem and in many instances customers aren’t even aware that their information has been breached because they are never informed.

“Businesses need to be more transparent and there needs to be a more open culture around communicating security breaches. Sharing threat intelligence and best practices will improve the collective defences of South African businesses against cybercrime.”

According to findings in Mimecast’s 2019 State of Email Security Report, 45% of South African companies experienced an increase in targeted phishing attacks, while a third saw an increase in attackers impersonating the CEO or other executives over the past year.

“Toward the end of 2019, a global research team at Mimecast also uncovered an extensive and on-going cyberattack on South African banking and financial services institutions – the largest it observed globally during the period under review.

Extent of problem unknown

Pinnock says that the banking sector is certainly not the only one targeted by cybercriminals. Due to the growing sophistication of such attacks, organisations of all sizes and across all sectors are falling victim to data breaches.

“It’s not clear to what extent South African companies are experiencing data breaches, since they are not yet technically required by law to disclose such breaches,” says Pinnock. “Interestingly, in the European Union, one report showed an increase of 59 000 reported data breaches in just the first eight months following the implementation of the General Data Protection Regulation (GDPR).

“Once POPIA is fully implemented, we expect to see an increase in reported data breaches in South Africa also. Only then will the public truly have an understanding of just how severe these cyberattacks are.”

The Protection of Personal Information Act (No 4 of 2013) was signed into law on 19 November 2013 but faced initial challenges to full implementation. However, this has changed since the appointment of Advocate Pansy Tlakula and POPIA is anticipated to be fully effective soon.

According to Russel Luck, technology attorney at SwiftTechLaw, the delay is partly due to the fact that parts of POPIA are drafted unclearly.

“The Act makes reference to ‘personal information’, and defines ‘person’ as a natural ‘person’ such as a member of the public or juristic “person” such as a company. This creates legal uncertainty as it’s not clear how juristic persons will have rights over their “personal information”, or what “personal information” of a juristic entity actually entails.”

Companies can be held accountable under POPIA

While much of the POPI Act still remains in legislative limbo, Luck warns that the Information Regulator can retroactively investigate complaints when the President or a duly authorised representative signs the Act into law.

“Companies should not take their responsibilities under POPIA lightly, as they could still be audited – and penalised – for transgressions that are reported now. In cases where data has been mismanaged or used unethically or unlawfully, the Information Regulator can audit the transgressors for previous transgressions.”

Pinnock advises that organisations implement cyber resilience solutions that secure their data and ensure good governance. “Good governance and good security go hand-in-hand and email is a good place to start.

“Organisations should ensure they protect email from targeted threats, prevent confidential information from being leaked and have an archiving solution that offers immutable data storage and the ability to respond quickly to individual data subject access requests.

“Unfortunately given the constantly evolving threat landscape, no security solution is infallible so it is vital to have a cyber resilience strategy in place to prepare for the worst. Alarmingly, more than half of South African organisations in our 2019 research had no cyber resilience strategy in place, so there is clearly still a lot of work to do.”

Luck believes that information privacy regulation will only advance over time. “It is essential that organisations protect themselves with proven and effective cybersecurity solutions. Given the global nature of cybercrime, a solutions provider with an international footprint and knowledge of the local business culture will likely provide the best protection against data breaches.”