ITWeb Security Summit 2025 Cape Town will feature a panel discussion focused on regulation in SA’s cyber security industry.
Several recent cyber incidents in SA have prompted stakeholders in cyber security to question whether the industry requires more regulation or if it is already overregulated.
This question will be put to a group of seasoned cyber security experts at the 20th annual ITWeb Security Summit 2025 in Cape Town on 28 May at the CTICC.
The group includes Winston Hayden, independent management consultant and advisor; Charlie Hinde, head of cyber security engineering, The Foschini Group (TFG); Sharon Knowles, founder and CEO, Da Vinci Cybersecurity; Candice Wilson, cyber security leader, EY; and Sanjay Charavanapavan, MD and consultant, Excellenta.
The discussion will focus on the current levels of cyber security legislation and regulation, comparing the South African regulatory landscape to other regions, and debating the key factors to consider when it comes to compliance.
These issues are particularly relevant given the spate of recent cyber incidents targeting South African businesses and infrastructure.
In April, both MTN and Cell C were attacked. The MTN Group notified stakeholders that it encountered a cyber security incident that resulted in unauthorised access to customer data.
In the same month, hacking group RansomHouse disclosed private data that it had exfiltrated from Cell C.
Earlier this month, South African Airways (SAA) confirmed it had been impacted by a cyber incident, and this had disrupted access to its website, mobile application and internal operational systems.
Attention has now shifted to regulation and policy within the South African cyber security ecosystem.
In addition to international standards such as ISO 27001 and, where relevant, legislation such as GDPR, organisations must comply with local legislative and regulatory requirements. The Protection of Personal Information Act and the Cyber Crimes Act, 2020, impose strict regulations on organisations over the way they manage customer data. This comes on top of the National Cyber Security Policy Framework, which was launched in 2012.
Last year, the Financial Sector Conduct Authority and SA Reserve Bank issued the Joint Standard on Cybersecurity and Cyber Resilience regulation. Targeted at financial institutions, it sets out minimum standards, as well as processes and procedures to implement, to address cyber security and cyber resilience risks.
Given this background and burden of compliance, this discussion will underline an increasingly important facet of SA’s evolving cyber security landscape.