Abstract
Disclosure of cyberattacks is critical as it explores the most pertinent cyber risks organisations are exposed to and helps determine the controls that can be implemented to mitigate cybersecurity gaps. As the digital landscape evolves, the risk of cyberattacks has also increased, with these attacks becoming more sophisticated and widespread. In South Africa, cyberattacks are a growing threat to public sector organisations (PSOs), potentially disrupting service delivery, compromising confidential information and undermining public trust in government institutions. Stakeholders, including citizens and regulatory bodies, are increasingly insisting on enhanced transparency regarding the cyber incidents encountered by PSOs and the measures adopted to mitigate and avert such attacks. This study assesses the extent to which South African public sector organisations disclose cyberattacks in accordance with stakeholder expectations for transparency in reporting.
The methodology employed in this study was qualitative content analysis. The analysis focused on the integrated annual reports and other publicly accessible information from a non-probability convenience sample of PSOs in South Africa. A disclosure checklist was constructed based on regulatory requirements, industry standards, other frameworks and international standards. The checklist provided a conceptual foundation to evaluate the quality of the PSOs’ cyber-related disclosures.
The results revealed that most PSOs demonstrated strong governance in this area. The PSOs provided detailed disclosures in their integrated reports about the cyberattacks they had experienced, as well as their oversight mechanisms and response measures. However, the results also revealed inconsistencies in disclosure practices among the PSOs. These inconsistencies indicate vulnerability and the need for a standardised and structured approach to cyber risk disclosure. In addition, there was a mismatch between stakeholders’ expectations and PSOs’ actual reporting practices. Overall, this research highlights the need for accountability and transparency in addressing emerging cyberattacks.