16 October 2025
South African businesses are operating in one of the most dangerous digital landscapes in the world. Cybercrime is no longer an emerging risk—it is the number one threat facing companies in South Africa, across Africa, and globally. The 2025 Allianz Risk Barometer ranks cyber incidents, including ransomware, data breaches, and IT disruptions, as the leading risk in industries from financial services to technology and telecommunications. The World Economic Forum’s 2025 Global Risks Report and the Institute of Risk Management South Africa’s 2025 Risk Report echo these findings, placing cybercrime as one of their top risks.
Yet for many businesses, the scale of the threat is only becoming clear when it is too late.
The new face of cybercrime in South Africa
While global headlines often focus on ransomware, South African companies are being quietly bled by business email compromise (BEC) and payroll fraud. These schemes exploit weak internal controls and human error, with attackers intercepting payment instructions or manipulating payroll systems.
In payroll fraud cases, salaries are diverted into fraudulent accounts through altered banking details or the creation of 'ghost employees.' Because payroll systems are typically trusted and processed at scale, a single compromise can cost millions. We recently acted for a company that uncovered a sophisticated ghost employee scheme. Through swift legal action, including an anti-dissipation order, we were able to preserve assets and secure recovery of funds.
BEC has become so common that South African courts are now repeatedly asked to decide who bears the loss when payments are made to fraudsters. A landmark case, Intengo Imoto v Zoutpansberg Motor Wholesalers, made it clear: businesses have a legal duty of care to verify electronic communications and banking details. Failure to do so may leave them carrying the full loss.
Ransomware: A legal minefield
Ransomware remains a headline threat, paralysing businesses by encrypting systems and demanding payment. The immediate costs are staggering, but the legal consequences can be just as devastating.
A business hit by ransomware risks claims for breach of contract if services are disrupted, sanctions under the Protection of Personal Information Act (POPIA) if personal data is compromised, and civil liability from clients or partners. Healthcare providers, law firms, and financial institutions are particularly vulnerable because of their fiduciary and confidentiality duties.
South African law requires regulators and affected individuals to be notified of certain breaches. Failing to do so not only exposes companies to fines but also damages reputations already shaken by the attack.
The insurance safety net – and its limits
Cyber insurance has become an essential part of corporate resilience strategies, covering financial loss, liability, regulatory fines, and crisis response. Well-drafted policies provide for: forensic investigations and IT recovery; ransom payments, where legally permissible; third-party liability from data breaches or negligence; and breach notifications and crisis communications.
But businesses cannot rely on insurance alone. Courts are increasingly holding organisations liable where they have failed to meet a reasonable standard of care in protecting data. Insurers may also limit claims if policyholders did not maintain minimum security standards.
In other words, insurance provides a safety net, but it does not replace the need for robust cybersecurity, legal compliance, and board-level oversight.
Building resilience through partnerships
Cybercrime is not just an IT issue; it is a systemic business risk. To fight it effectively, businesses, insurers, brokers and other players must work together.
At Cox Yeats, we act for some of South Africa’s largest insurers and corporates on cyber-related matters. We help clients scrutinise policy wording, manage coverage disputes, and defend claims. We also guide companies through regulatory compliance and incident response, ensuring that when—not if—a cyber event occurs, they can act swiftly and decisively.
The Bottom Line
Cybercrime is South Africa’s silent business killer—draining resources, eroding trust, and exposing companies to legal liability. October’s Cyber Awareness Month is a reminder that awareness is not enough. South African businesses must treat cybersecurity as a strategic priority, not a compliance exercise.
Those who fail to adapt risk financial losses, regulatory sanctions, reputational collapse—and, increasingly, legal judgments that put the burden squarely on their shoulders.
In a world where cybercrime is the number one global risk, resilience is not negotiable. It is the foundation of survival.