Only a handful of people have been convicted for cyber offences since the Cyber Crimes Act (Act 19 of 2020) officially came into effect in 2021.
This is primarily due to the lack of adequate skills and resources required to investigate the borderless and transactional nature of digital attacks, as well as the complexity of preserving digital evidence.
This was the word from Rosalind Lake, head of cyber security, data privacy and artificial intelligence (AI) at law firm Deneys, delivering a presentation titled: “Cyber security regulation in South Africa – why should we care?” yesterday at ITWeb Security Summit 2026.
While president Cyril Ramaphosa signed the Cyber Crimes Act into law in 2021 and activated core offences and investigation powers, enforcement remains low as a result of several barriers faced by law enforcement authorities, Lake pointed out.
This is despite regular media reports of cyber crime-related arrests.
“The reality is that the justice system moves very, very slowly. There’s a lot of process between the arrest and the prosecution. It takes a while from arrest − they might have a good case, and then when the prosecutor has got to take it forward, they often struggle to gather the technical evidence required to successfully prosecute cyber crime cases,” she noted.
Although there are capable investigation teams, particularly within the Hawks’ Serious Commercial Crime Investigation unit, which is supported closely by the internal Digital Forensic Investigation section, the lack of sufficient resources often becomes a major hindrance, she added.
“There’s a real skills shortage. There are certainly individuals who are very good, but there’s a shortage in being able to get the right sort of information and data to prosecute these types of crimes. They often only find evidence of the data leaving an organisation, never mind identifying who did it or what it was used for.”
One of the few convictions is that of Lucky Majangandile Erasmus (36), a former employee of Ecentric Payment Systems, who was sentenced to eight years in jail last June for contravening the Cyber Crimes Act.
Erasmus entered into a plea agreement with the State for cyber fraud, theft of data and attempted cyber extortion.
According to Lake, SA’s cyber security framework is underpinned by several important laws and standards that organisations often view as compliance burdens rather than resilience tools.
This framework entails three key pillars:
- The National Security Strategy 2024 – 2028
- The Cyber Crimes Act 19 of 2020
- The Joint Standard 2 of 2024
The Cyber Crimes Act creates cyber crimes as criminal offences under South African law.
Lake noted that together, these regulations are aimed at protecting the well-being of citizens, businesses and government institutions, while maintaining constitutional order, and defending SA’s territorial integrity and sovereignty.
Despite the existence of laws, many cyber crime incidents, often committed daily, go unnoticed, she asserted.
“We have employees all the time who on their last day of work, send out a whole database to their Gmail account. That’s a cyber crime, by the way. Unfortunately, our police stations are not very well-equipped for it. We’ve often tried to report cyber crime and they don’t really know how to deal with it.”
She added that many organisations fail to appreciate that a cyber attack is effectively a crime scene that requires specialist forensic investigation.
“It is a crime scene. Every cyber attack usually involves some type of crime. It requires a forensic investigation that is carefully managed. Sometimes there is so much pressure to restore operations that organisations destroy the very evidence they need by wiping systems and rebuilding immediately.”
Cyber resilience vs compliance
SA’s financial losses due to cyber attacks have been estimated at R2.2 billion a year, although the figure is likely to be “bigger now”, according to Dr Jabu Mtsweni, the CSIR’s head of the Information and Cyber Security Centre.
Further, data shows local businesses are especially vulnerable to cyber attacks due to internal threats such as infrastructure vulnerabilities and the skills shortage.
South African organisations should focus less on avoiding regulatory fines and more on building cyber resilience, Lake warned.
Cyber security failures are rarely the result of highly sophisticated attacks alone. Instead, incidents often stem from basic control failures, human error and weak governance structures, she continued.
Lake argued that compliance should not be viewed as a box-ticking exercise, but rather as a practical framework for strengthening organisations against increasingly sophisticated cyber threats.
“Paying the fine is not compliance for compliance sake. Every single rand you spend on safeguarding your systems is going to save you an enormous amount when you have an incident. I have never seen an incident where there hasn't been a control failure, human error, something in the process that could have been caught earlier.
“I’m not saying that anyone's perfect because perfect security does not exist. But cyber resilient is what we need to aim for. Regulation is there to support you and help prevent incidents. When I look at these regulations, I see a manual on how to be resilient and maintain good resilience.”
Hidden cost of cyber attacks
The average cost of a data breach incident for a South African organisation is calculated at R44.1 million, based on the IBM 2025 Cost of a Data Breach Report.
According to Lake, many organisations underestimate the true cost of a cyber attack, often focusing solely on ransom payments, while overlooking the broader impact.
“The ransom payment is a drop in the ocean. It’s not even the beginning of the issues. What most people don’t realise is that even if you pay a ransom, it’s going to take you at least six weeks to recover. The damage that happens to the organisation extends far beyond the immediate incident.”
She warned that the broader impact of cyber crime is becoming increasingly severe. “I can’t overestimate the impact that the level of cyber attacks in South Africa and the lack of preparedness, particularly by government organisations, has had on increasing criminal syndicates and fraud. The amount of information available to criminals is unbelievable.”
Lake explained that cyber attacks trigger a complex process involving regulators, suppliers, customers, legal teams and public relations management, all while organisations attempt to restore their operations and IT systems.
“We spend a lot of time because everyone sees a crisis as a perfect opportunity to renegotiate contracts, manage stakeholders, suppliers, data subjects and regulators. It becomes a massive exercise while you are doing your very best to get everything up and running again. The more prepared you are, the better your response is going to be and the less damage there is going to be.”
Lake also warned organisations that they could face liability for the actions of employees involved in cyber crime.
“Companies have vicarious criminal liability for what their staff do. If you have an insider involved in a cyber attack and authorities cannot catch the employee, they may choose to go after the organisation instead. That means businesses need to ensure employees understand their obligations under the Cyber Crimes Act.”
Lake urged organisations to stop viewing cyber security investment as a regulatory burden and instead see it as a critical component of business resilience.
“Every time you spend a bit of money on compliance, which no one wants to do, it makes a very big difference at the end of the day. If organisations implemented, monitored and maintained these controls properly, many of the incidents we deal with every day simply would not happen,” she concluded.


