Cybersecurity Compliance and Liability for Accounting Practices

Posted 22 April 2026 Written by Acts Online
Category Technology

Brought to you by SA Accounting Academy: Accounting practices must align their internal controls with the evolving enforcement landscape of data protection and cybercrime legislation to avoid significant administrative fines and personal liability.

In terms of the Protection of Personal Information Act, No. 4 of 2013 (POPIA), the Information Regulator has moved from an advisory role to active enforcement. Failure to comply with an Enforcement Notice is an offence under the Act, punishable by a fine or imprisonment, and the Regulator may separately impose administrative fines of up to R10 million on responsible parties that do not process personal information lawfully. The Regulator has further streamlined compliance by mandating the use of its security compromise reporting tool on the eServices portal for all 2025 and 2026 reporting cycles.

The Cybercrimes Act, No. 19 of 2020, most of which came into operation on 1 December 2021, creates offences for the unlawful interception of and interference with data and imposes reporting obligations on certain businesses, notably electronic communications service providers and financial institutions, which must report to the South African Police Service when their systems are involved in such offences. The duty to notify the Information Regulator and affected data subjects “as soon as reasonably possible” after discovering a security compromise arises under POPIA (section 22) and applies to every responsible party, including an accounting practice. Failure to report, or the absence of robust internal controls, may lead to findings of gross negligence against the firm’s leadership.

Furthermore, the Electronic Communications and Transactions Act, No. 25 of 2002 (ECTA) continues to govern the legal recognition, retention and evidential weight of data messages, setting the standard for how electronic records must be generated, stored and protected so that their integrity and origin can be proven if they are relied on as evidence. The rise in AI-generated threats, including hyper-personalised phishing and deepfake voice cloning that impersonates a client or partner to authorise a payment, has increased the risk profile for firms holding sensitive financial and corporate data.

Key Regulatory Requirements and Risks

  • Mandatory Reporting: Notification of security compromises to the Information Regulator via the eServices portal, and to affected data subjects, as soon as reasonably possible after discovery under POPIA; where the Cybercrimes Act reporting duty applies, a report to the South African Police Service as well.
  • Internal Controls: Multi-Factor Authentication (MFA) on every account that can reach client data, and dual authorisation (a second person approving, after out-of-band verification with the client) for payment instructions and changes to beneficiary bank details, to rebut negligence claims.
  • Evidentiary Standards: Compliance with ECTA requirements for the secure retention of electronic records so that their integrity and origin can be demonstrated.
  • Enforcement Penalties: Exposure to administrative fines of up to R10 million, and criminal liability for failing to comply with an Information Regulator Enforcement Notice.

What this means for you, your business, or your clients

  • For yourself: You must complete specialised training on identifying AI-driven social engineering, such as deepfake voice calls and sophisticated phishing, so that your actions do not lead to a finding of professional negligence during a forensic audit.
  • For your business: Your firm must formalise and test an incident response plan, and ensure Multi-Factor Authentication (MFA) is active on all systems that hold or can access client data (email and remote access included, not only client-facing portals) to meet the ‘appropriate, reasonable technical and organisational measures’ standard that POPIA section 19 requires.
  • For your clients: Clients must be informed of the firm’s data protection protocols and should be required to use secure, encrypted channels, rather than plain email attachments, for submitting SARS supporting documents and sensitive financial records.

Originally published at https://accountingacademy.co.za/news/read/cybersecurity-it-security-the-cost-of-complacency-in-accounting


The views expressed herein are those of the author and do not necessarily reflect those of Acts Online. Acts Online accepts no responsibility for the accuracy, completeness or fairness of the article, nor does the information contained herein constitute advice, legal or otherwise.