Abstract
In an era of rapid digital transformation, public pension funds have become increasingly reliant on technology to manage sensitive personal and financial data. This shift enhances operational efficiency and member engagement but also exposes these institutions to growing cyber threats, including data breaches, ransomware attacks, and phishing scams. Such risks jeopardise data integrity, service delivery, and public trust, and pose serious challenges to fiduciary accountability.
This research critically analyses the adequacy of South Africa’s cybersecurity legal framework in safeguarding public pension funds, focusing on the Government Employees Pension Fund (GEPF) as a case study. It reviews key legislative tools, including the Protection of Personal Information Act (POPIA), the Cybercrimes Act, the National Cybersecurity Policy Framework (NCPF), and Joint Standard 2 of 2024 issued by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority. The importance of the Critical Infrastructure Protection Act 8 of 2019 is also examined, particularly with respect to pension-related infrastructure.
Despite a multi-layered legal framework, several challenges persist. These include fragmented regulatory oversight, limited technical capacity, inadequate third-party risk management, and low cybersecurity awareness among trustees. Through legal analysis and policy evaluation, the study finds that while South Africa’s cybersecurity framework offers a strong foundation, its effectiveness depends on strategic implementation, regulatory coordination, and institutional accountability.
To safeguard the integrity of South Africa’s public pension system, legal instruments must be reinforced by proactive governance, technical capacity, and cross-sector collaboration. Strengthening trustee accountability, third-party oversight, and cyber risk management will be essential.