In a move to bolster cybersecurity and enhance the reporting of cybercrime incidents, it is expected that Section 54 of the Cybercrimes Act will be enacted soon.

The enactment of this provision will impact electronic communication service providers (ECSPs) such as Internet service providers, telecommunications companies and digital services businesses.

Financial institutions, including banks, insurers, fintechs and investment firms are also impacted.

According to law firm A&O Shearman counsel and director Widaad Ebrahim-Fakier, these entities will be required to report cybercrime incidents to the South African Police Service (SAPS) within 72 hours of becoming aware of such incidents.

Additionally, they must preserve any information that may assist the SAPS in investigating these offences.

However, she comments that the provisions outlined in Section 54 of the Cybercrimes Act, though welcomed, are reactive rather than proactive, as the obligation to report is triggered only when an ECSP or financial institution becomes aware of a cybercrime incident.

Consequently, Ebrahim-Fakier says these entities will be required to establish robust notification systems to identify and report incidents promptly, while simultaneously having data retention policies and systems that can securely store large volumes of data and protect it from tampering or deletion.

These entities also need to ensure that their staff are adequately trained to recognise cyberthreats and understand the reporting process.

However, the preparedness of ECSPs and financial institutions to meet these new obligations varies, Ebrahim-Fakier says, noting that larger companies with substantial financial resources have historically been, and are generally, better positioned to invest in comprehensive cybersecurity measures, including advanced technologies for robust detection and notification systems.

Smaller and medium-sized companies, however, often struggle with the necessary resources to implement similar strategies effectively.

Since the implementation of the Protection of Personal Information Act (Popia) in 2020, businesses have had to adopt new strategies to manage personal information.

“Companies that have already taken steps to comply with Popia may find themselves better prepared to meet the preservation requirements for SAPS,” Ebrahim-Fakier tells Engineering News.

However, she warns that the enactment of Section 54 is likely to lead to an increase in reported cybercrimes owing to the financial and potential reputational consequences of failing to report.

This increase will have several impacts on SAPS and other relevant authorities, including resource strain, as more reports will require additional resources for investigation and response, putting further pressure on already strained authorities.

Additionally, authorities will need to manage and analyse a larger volume of incident data, and increased reporting may raise public awareness of cybercrime and its prevalence.

Currently, however, Ebrahim-Fakier notes there is an ineffective relationship between private entities and law enforcement agencies in South Africa.

“The new reporting obligations are likely to foster greater collaboration and information sharing, leading to more effective responses to cyber incidents. However, concerns about confidentiality and handling sensitive information remain,” she comments.

AI in Cybersecurity

AI, meanwhile, is transforming both the cybersecurity and cyberthreat landscape globally, and South Africa is no exception, Ebrahim-Fakier says.

Cybercriminals are increasingly leveraging AI to develop malware that can learn from and adapt to countermeasures, creating dynamic threats that are harder to detect and mitigate.

She explains that AI can, among other things, also be used to execute phishing attacks through chatbots and manipulate data sets, leading to flawed decision-making.

“The rapid evolution of AI means many organisations may not fully understand or keep pace with emerging threats, leaving them vulnerable to novel forms of cyber exploitation that can bypass traditional security measures,” she says.

Moreover, Ebrahim-Fakier notes that the current Cybercrimes Act does not specifically address the unique challenges posed by AI, indicating a need for updates in the legislation to keep pace with technological advance- ments.

To address the emerging threats posed by AI, she suggests updates to the Cybercrimes Act’s existing definitions and to incorporate specific definitions related to AI, or otherwise, regulating adaptive frameworks that can adjust to new AI developments, and encouraging collaboration between lawmakers, technologists and cybersecurity experts.

Recent regulatory initiatives, such as the Financial Sector Conduct Authority and Prudential Authority’s Joint Standard 2 of 2024, set minimum cybersecurity and resilience requirements for financial institutions.

This standard, expected to be implemented in June 2025, serves as a model for broader legislative updates, Ebrahim-Fakier notes.

“Stricter IT security legislation is likely to improve South Africa’s overall cybersecurity landscape by raising standards, reducing incidents, and enhancing collaboration between the private sector and law enforcement,” she tells Engineering News.

However, she warns that the implementation of these regulations may pose significant challenges, particularly for smaller businesses. The effectiveness of these laws will depend on the government’s ability to enforce them and the willingness of organisations to comply, she avers.

“To ensure a coordinated approach to cybersecurity and resilience measures, it is essential to move beyond disparate regulations and adopt a comprehensive framework that addresses the complexities of modern cyberthreats,” she encourages.

As such, Ebrahim-Fakier notes that pro- active measures, including regular audits, staff training, and robust incident response plans, will be crucial in preparing for future legislative changes and enhancing the country’s cybersecurity infrastructure.