Technology Law

Cybersecurity Incident Response Agreements

The pre-drafted plan that determines whether a breach becomes a controlled incident or a multi-million-rand exposure. POPIA s 22, Cybercrimes Act s 54, vendor retainers, communications templates, evidence preservation.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer

A Cybersecurity Incident Response Agreement is the pre-drafted contractual + procedural framework defining how a South African organisation responds to a cyber incident. It has two parts: an internal Incident Response Plan (the playbook executed by the organisation’s own teams) and external vendor retainer agreements with IR firms, forensic specialists, and legal counsel. Under SA law, the framework must address: POPIA s 22 breach notification (72-hour target to the Information Regulator), Cybercrimes Act s 54 reporting (72 hours to SAPS for ECSPs and financial institutions), POPIA s 19 organisational measures, evidence preservation, customer notification under MSAs and DPAs, communications strategy, and post-incident review. The single largest determinant of incident outcome is whether the response is pre-planned or improvised. From R9,500 for the plan, R12,500 for vendor retainer agreements.

The eight components of a complete response plan

1

Detection + classification

How incidents are detected (SOC, EDR, customer reports), the severity classification framework (P1–P4), and the criteria for triggering the response plan.

2

Internal escalation chain

Named roles and back-ups: Incident Commander, Information Officer (POPIA), Legal Lead, Communications Lead, IT/Engineering Lead. RACI matrix for each phase of response.

3

External notification matrix

When to notify the Information Regulator (POPIA s 22, 72-hour target), SAPS (Cybercrimes Act s 54 for ECSPs and financial institutions), and affected data subjects (POPIA s 22(1)(b)).

4

Evidence preservation

Forensic-imaging protocols (bit-for-bit images of affected disks, volatile memory captured before any host is powered off, every image hashed at acquisition), chain-of-custody records for logs and artefacts (who collected what, from which system, when, and the hash that proves it has not changed since), and plain instructions to staff on what not to do during initial response: do not delete, modify, "clean up", or reboot affected systems, and do not work from the original copies. Critical for both regulatory cooperation and potential litigation; for ECSPs and financial institutions, Cybercrimes Act s 54 pairs the SAPS reporting duty with a duty to preserve information that may assist the investigation.

5

Communications strategy

Pre-drafted notification templates (Regulator, data subjects, customers, media, employees, board), spokesperson designation, holding statements for the 24-hour initial period.

6

Customer + supplier notification

Contractual obligations to notify customers under MSAs and DPAs, timing (often shorter than the POPIA target), and content requirements. Supplier notification where the incident affects upstream or downstream parties.

7

Legal review checkpoints

Trigger points where legal counsel must be engaged: at incident classification, before any external notification, before any data subject communication, before any media engagement.

8

Post-incident review

Root-cause analysis, remediation tracking, plan-update process, board reporting. The Information Regulator increasingly looks for post-incident learning as a mitigating factor in penalty determinations.
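Component 4 above names chain-of-custody for logs and artefacts but does not show what that record looks like. The block below is an added illustration, not code from this guide or from any IR vendor: it builds a tamper-evident chain-of-custody manifest (SHA-256 of each artefact plus a hash chain over the manifest entries themselves), then shows that both editing an artefact after collection and editing the manifest to hide that edit are detected. The log lines, host name, collector name and tool name are constructed sample data, and the entry fields are a hypothetical minimum, not a prescribed regulatory format.

```python
"""Tamper-evident chain-of-custody manifest for collected incident artefacts.

Added example: each artefact is hashed at collection, and each manifest entry
is hashed together with the previous entry's hash, so a later change to either
the evidence or the record of it is detectable. Constructed sample data only.
"""
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash of the first entry


def sha256_file(path: str) -> str:
    """Stream-hash a file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def build_manifest(paths: list, collector: str, source_host: str, tool: str) -> list:
    """Record who collected what, from where, when, and its hash; chain the entries."""
    entries, prev = [], GENESIS
    for p in sorted(paths):
        body = {
            "artefact": os.path.basename(p),
            "sha256": sha256_file(p),
            "size": os.stat(p).st_size,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
            "source_host": source_host,
            "tool": tool,
            "prev": prev,
        }
        body["entry_hash"] = _entry_digest(body)
        entries.append(body)
        prev = body["entry_hash"]
    return entries


def verify_manifest(entries: list, base_dir: str) -> list:
    """Return a list of problems; an empty list means evidence and record are intact."""
    problems, prev = [], GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or _entry_digest(body) != e["entry_hash"]:
            problems.append(f"manifest entry for {e['artefact']} altered or out of order")
        prev = e["entry_hash"]
        path = os.path.join(base_dir, e["artefact"])
        if not os.path.exists(path):
            problems.append(f"{e['artefact']} missing")
        elif sha256_file(path) != e["sha256"]:
            problems.append(f"{e['artefact']} content changed since collection")
    return problems


def demo() -> tuple:
    """Constructed scenario: collect two artefacts, then break custody two ways."""
    base = tempfile.mkdtemp(prefix="ir-evidence-")
    samples = {  # constructed sample artefacts, not real logs (203.0.113.0/24 is a documentation range)
        "auth.log": b"Mar 12 02:14:07 web01 sshd[4211]: Accepted password for root from 203.0.113.9 port 51234 ssh2\n",
        "edr-alert.json": b'{"host":"web01","rule":"suspicious_powershell","severity":"P1"}\n',
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(base, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    manifest = build_manifest(paths, collector="J. Analyst", source_host="web01", tool="manual copy")
    clean = verify_manifest(manifest, base)

    # A well-meaning admin "tidies" the log after collection: exactly what staff must not do.
    with open(os.path.join(base, "auth.log"), "ab") as f:
        f.write(b"Mar 12 02:15:00 web01 sshd[4211]: session closed\n")
    tampered = verify_manifest(manifest, base)

    # Cover-up attempt: rewrite the recorded hash to match the edited file.
    # The chained entry digest no longer matches, so the record itself is flagged.
    covered = copy.deepcopy(manifest)
    covered[0]["sha256"] = sha256_file(os.path.join(base, "auth.log"))
    covered_result = verify_manifest(covered, base)
    return clean, tampered, covered_result


if __name__ == "__main__":
    for label, result in zip(("clean", "edited artefact", "edited manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

In practice the manifest is written out as JSON (`json.dumps(manifest, indent=2)`) and stored separately from the artefacts, with its final `entry_hash` recorded in the incident log or handed to counsel, so that a later dispute about what was collected can be settled by recomputation rather than recollection.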

Frequently asked

What is a Cybersecurity Incident Response Agreement?

A pre-incident contractual framework that defines roles, responsibilities, and procedures between an organisation and its cybersecurity vendors (SOC providers, IR firms, forensic specialists, legal counsel) for responding to a cybersecurity incident. It typically includes pre-engaged retainers, agreed response timeframes, agreed billing structures, and pre-authorised access to systems and data. It is distinct from the internal Incident Response Plan, which is the playbook executed by the organisation's own teams.

Is a written incident response plan legally required in South Africa?

POPIA section 19 requires "appropriate, reasonable technical and organisational measures" to secure the integrity and confidentiality of personal information. The Information Regulator has interpreted this to include documented incident-response procedures. Sector-specific regulators (SARB for banks, FSCA for financial services providers) increasingly require formal incident-response programmes. A written plan is not statutorily mandated by name but is practically essential for compliance.

How quickly must I notify the Information Regulator of a breach?

Section 22 of POPIA requires notification "as soon as reasonably possible" after becoming aware of a security compromise. The Information Regulator has stated 72 hours as the target, aligning with the GDPR standard. Notifications must be submitted via the Regulator's eServices portal and must include description of the compromise, possible consequences, mitigation measures, and (if known) the identity of the unauthorised party. Unjustified delays are themselves a contravention.

When must I notify SAPS under the Cybercrimes Act?

Section 54 of the Cybercrimes Act 19 of 2020 requires electronic communications service providers and financial institutions to report cybercrimes they are aware of to SAPS within 72 hours of becoming aware. Non-ECSP businesses are not statutorily required to report cybercrimes themselves but commonly do so as part of incident response. The POPIA s 22 notification to the Information Regulator and the Cybercrimes Act s 54 notification to SAPS are parallel obligations that can be triggered by the same incident.

Should I notify customers before or after notifying the Information Regulator?

POPIA imposes parallel obligations to notify both. Under s 22(3), notification to data subjects may be delayed where the Regulator or a law-enforcement body responsible for investigating offences determines that it would impede a criminal investigation, but the notification to the Regulator itself should not be held back. In practice, most organisations notify the Regulator first (because the channel is well-defined and the obligation is unambiguous), then notify affected data subjects in a coordinated wave once the scope is confirmed.

How does pre-engagement of an IR firm work commercially?

Most enterprise organisations now pre-engage one or more incident-response firms via retainer arrangements. Typical structure: an annual retainer (R50,000–R250,000+ depending on scope) buys defined response-time commitments (often 4 hours to deployment), pre-agreed hourly rates, pre-cleared NDAs and access procedures, and (often) prepaid response hours. Without a retainer, response engagement happens at premium rates with delays for contract negotiation — which is the worst time to negotiate.

What is the typical cost of incident-response agreement drafting?

From R9,500 for an Incident Response Plan drafted for a single organisation. From R12,500 for a vendor incident-response retainer agreement. Bundled programme (IR Plan + vendor retainer + customer-notification templates + board-reporting templates) typically R20,000–R30,000.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.