South Africa is bleeding online, and the rest of the world cannot help but take notice. In 2024, nearly 100,000 cases of digital banking fraud were recorded, draining close to R1.9 billion from citizens and businesses, according to the South African Banking Risk Information Centre. Yet the South African Police Service logged only 544 cybercrime cases, with just 50 referred to the National Prosecuting Authority. This is not a small discrepancy. It is a gaping hole in national security that emboldens cybercriminals and signals to them that South Africa is an easy target.
The Democratic Alliance’s proposal for a Cyber Commissioner, structured as a Chapter 9 institution, is therefore more than a political gesture. It is a survival measure. An Office of the Cyber Commissioner, like the Public Protector or the Auditor-General, would stand apart from government inertia and partisan cycles, designed for one purpose alone: defending South Africans against the growing tide of cyberattacks.
Existing structures are buckling. SAPS is under-resourced and ill-equipped to track digital criminals operating at global speed. The Information Regulator, charged with enforcing data protection, is underfunded and overwhelmed. Neither body, separately or together, can mount an effective defence against an onslaught that grew by more than 80 percent in just one year. The costs are devastating: pensions wiped out, families drained of savings, businesses collapsing under fraud, and investors slipping away from what increasingly resembles a digital Wild West.
Globally, cybersecurity is treated as a pillar of national defence. The United States created a National Cyber Director in 2021 to coordinate strategy across agencies. The European Union empowered its Cybersecurity Agency (ENISA) to set standards and respond to cross-border threats. The United Kingdom’s National Cyber Security Centre has become a model of how government, industry, and academia can work in lockstep to shield critical infrastructure. These nations did not wait until cybercrime hollowed out their financial systems before acting. South Africa, by contrast, remains caught between denial and hesitation.
The financial stakes are staggering. IBM’s 2024 Cost of a Data Breach Report estimates the average cost of a major breach in South Africa at R44 million. In the financial sector, exposure can climb as high as R730 million per incident. These are not abstract numbers. They represent livelihoods erased, small enterprises bankrupted, and confidence in digital systems corroded. For an economy already under strain, such bleeding is unsustainable.
Critics argue that creating a new institution is expensive or duplicative. Yet the real duplication lies in watching SAPS chase outdated paper trails while hackers siphon funds in seconds. The true cost is in the billions already lost. Without a Cyber Commissioner, South Africa will continue to lurch from crisis to crisis, always a step behind adversaries who face no borders, no budgets, and no bureaucracy.
A Cyber Commissioner, independent and empowered, could bring order where there is only fragmentation. The role would centralise strategy, enforce national standards, compel reporting of breaches, hold negligent actors accountable, and give victims a clear line of recourse. It would also place South Africa at the global table, sharing intelligence with allies and learning from those who have already built the defences South Africa so urgently lacks.
From the outside, South Africa’s vulnerability is glaring. The country has the infrastructure, economy, and digital adoption rates of a modern state, but its defences remain those of a nation caught off guard. This contradiction cannot endure. Either institutions adapt, or the damage will deepen.
The lesson from abroad is clear: cyber resilience is not optional. South Africa cannot afford to treat cybersecurity as an afterthought when its citizens, its businesses, and its future prosperity are under daily attack. A Cyber Commissioner will not solve every problem, but it will finally put the issue at the centre of the national security agenda, where it belongs.
The question for policymakers is no longer whether to act. The question is how much more South Africa is willing to lose before it does.
The views expressed in this article are those of the writer and do not necessarily reflect those of this publication.
Kundai Darlington Vambe holds an LLB (Hons) from the University of London. He specialises in the intersection of law, technology, and digital rights, with a focus on cybersecurity.
