Search legal guides

Search MJ Kotze Inc legal guides and articles

Technology Law

Cybersecurity Incident Response Agreements

The pre-drafted plan that determines whether a breach becomes a controlled incident or a multi-million-rand exposure. POPIA s 22 (in force now), the Cybercrimes Act s 54 report (not yet in force), vendor retainers, communications templates, evidence preservation.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Last reviewed:

Quick answer

The eight components of a complete response plan

1

Detection + classification

How incidents are detected (SOC, EDR, customer reports), the severity classification framework (P1–P4), and the criteria for triggering the response plan.

2

Internal escalation chain

Named roles and back-ups: Incident Commander, Information Officer (POPIA), Legal Lead, Communications Lead, IT/Engineering Lead. RACI matrix for each phase of response.

3

External notification matrix

When to notify the Information Regulator (POPIA s 22, "as soon as reasonably possible" — the only breach-notification duty currently in force; the Regulator indicates ~72 hours as guidance only) and affected data subjects (POPIA s 22(1)(b)). Section 54 of the Cybercrimes Act (the report to SAPS) was excluded from the Act's 1 December 2021 commencement and is not yet in force; once the President proclaims a commencement date it will require ECSPs and financial institutions whose own service or network is involved in a listed offence to report to SAPS within 72 hours, on pain of a fine of up to R50,000.

4

Evidence preservation

Forensic-imaging protocols, chain-of-custody for logs and artefacts, instructions to staff on what not to do (delete, modify) during initial response. Critical for both regulatory cooperation and potential litigation.

5

Communications strategy

Pre-drafted notification templates (Regulator, data subjects, customers, media, employees, board), spokesperson designation, holding statements for the 24-hour initial period.

6

Customer + supplier notification

Contractual obligations to notify customers under MSAs and DPAs, timing (often shorter than POPIA), and content requirements. Supplier notification where the incident affects up-chain or down-chain parties.

7

Legal review checkpoints

Trigger points where legal counsel must be engaged: at incident classification, before any external notification, before any data subject communication, before any media engagement.

8

Post-incident review

Root-cause analysis, remediation tracking, plan-update process, board reporting. The Information Regulator increasingly looks for post-incident learning as a mitigating factor in penalty determinations.

Frequently asked

What is a Cybersecurity Incident Response Agreement?

A pre-incident contractual framework that defines roles, responsibilities, and procedures between an organisation and its cybersecurity vendors (SOC providers, IR firms, forensic specialists, legal counsel) for responding to a cybersecurity incident. It typically includes pre-engaged retainers, agreed response timeframes, agreed billing structures, and pre-authorised access to systems and data. It is distinct from the internal Incident Response Plan, which is the playbook executed by the organisation's own teams.

Is a written incident response plan legally required in South Africa?

POPIA section 19 requires "appropriate, reasonable technical and organisational measures" to secure the integrity and confidentiality of personal information. The Information Regulator has interpreted this to include documented incident-response procedures. Sector-specific regulators (SARB for banks, FSCA for financial services providers) increasingly require formal incident-response programmes. A written plan is not statutorily mandated by name but is practically essential for compliance.

How quickly must I notify the Information Regulator of a breach?

Section 22 of POPIA requires notification "as soon as reasonably possible" after becoming aware of a security compromise. POPIA itself sets no fixed statutory deadline; the Information Regulator has indicated around 72 hours as a guideline only. (This is not the same as GDPR's 72-hour rule in Article 33, which is a separate regime.) Notifications must be submitted via the Regulator's eServices portal and must include description of the compromise, possible consequences, mitigation measures, and (if known) the identity of the unauthorised party. Unjustified delays are themselves a contravention.

When must I notify SAPS under the Cybercrimes Act?

Section 54 was excluded from the Act's 1 December 2021 commencement and is not yet in force; it will require ECSPs and financial institutions to report qualifying offences to the SAPS (within 72 hours, on pain of a fine of up to R50,000) only once the President proclaims a commencement date. So there is currently no s 54 duty to notify SAPS. Once proclaimed, section 54 will apply to electronic communications service providers and financial institutions: where such an institution becomes aware that its electronic communications service or network is involved in the commission of an offence in the categories determined under section 54(2), it will have to (a) report the matter to the South African Police Service without undue delay and, where feasible, not later than 72 hours after becoming aware, and (b) preserve any information that may assist in the investigation. Other businesses are not statutorily required to report cybercrimes themselves but commonly do so as part of incident response. In the meantime, POPIA s 22 applies now; the Cybercrimes Act s 54 report will become a parallel obligation once that section is proclaimed.

Should I notify customers before or after notifying the Information Regulator?

POPIA imposes parallel obligations to notify both. The Regulator may direct that notification to data subjects be delayed where it would impede a criminal investigation — but the notification to the Regulator itself cannot be delayed. In practice, most organisations notify the Regulator first (because the channel is well-defined and the obligation is unambiguous), then notify affected data subjects in a coordinated wave once the scope is confirmed.

How does pre-engagement of an IR firm work commercially?

Most enterprise organisations now pre-engage one or more incident-response firms via retainer arrangements. Typical structure: an annual retainer (R50,000–R250,000+ depending on scope) buys defined response-time commitments (often 4 hours to deployment), pre-agreed hourly rates, pre-cleared NDAs and access procedures, and (often) prepaid response hours. Without a retainer, response engagement happens at premium rates with delays for contract negotiation — which is the worst time to negotiate.

What is the typical cost of incident-response agreement drafting?

From R9,500 for an Incident Response Plan drafted for a single organisation. From R12,500 for a vendor incident-response retainer agreement. Bundled programme (IR Plan + vendor retainer + customer-notification templates + board-reporting templates) typically R20,000–R30,000.

For the businesses we act for

The Keystone Workspace

The attorney-designed platform the businesses we act for use to run their contracts, e-signatures and company secretarial work in one place.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration 17444.

This guide is general information, not legal advice for your specific matter.