Foundations · 3 July 2026 · 5 min read

What is cybersecurity compliance, and why does it matter for your business?

By Matt Owen, Auto Alpha Security


Cybersecurity compliance is the set of security measures a law, standard, or contract requires you to have in place — and, more importantly, your ability to show that those measures actually exist and work. For most South African small and medium businesses, the law that matters is POPIA, and the specific clause is section 19.

If you handle personal information — customer names, ID numbers, payment details, employee records, anything that identifies a living person — POPIA applies to you. It doesn’t matter if you’re a five-person e-commerce shop or a 200-person logistics firm. Section 19 requires every “responsible party” (that’s you, if you decide what data to collect and why) to take “appropriate, reasonable technical and organisational measures” to protect that information from loss, damage, unauthorised destruction, and unlawful access. It’s been in force since 1 July 2021, and it hasn’t gone anywhere.

What “appropriate and reasonable” actually means

POPIA doesn’t hand you a checklist. It doesn’t say “install this firewall” or “use this encryption standard.” Instead, section 19 asks you to do four things on an ongoing basis: identify the foreseeable risks to the personal information you hold, put safeguards in place against those risks, verify regularly that the safeguards actually work, and update them as new risks emerge.

POPIA §19 — the cycle

  1. Identify: the reasonably foreseeable risks to the personal data you hold
  2. Safeguard: put appropriate, reasonable measures in place against them
  3. Verify: regularly check the safeguards are actually working
  4. Update: adjust as your app changes and new risks emerge
Section 19 is an ongoing cycle, not a one-time project. The loop is the point.

That last point is the one businesses miss most often. Compliance under POPIA isn’t a one-time project you finish and file away. It’s a cycle. What was “reasonable” for your website eighteen months ago may not be reasonable today, because the risk landscape moved and your web app probably changed along with it — new features, new integrations, a new payment flow you bolted on in March.

If a breach happens and personal information is accessed or acquired by someone who shouldn’t have it, section 22 kicks in: you’re required to notify the Information Regulator and the affected people in writing, as soon as reasonably possible, describing what happened and what you’re doing about it. Failing to notify is itself a compliance failure, separate from the breach itself. So the standard isn’t “never get breached” — it’s “know your risk, address it honestly, and be able to show your working if something goes wrong.”

Why it matters beyond avoiding a fine

Most businesses that come to us aren’t worried about the Information Regulator knocking on the door. They’re worried about a bank, an insurer, or a corporate client asking a version of the same question: “prove you’re looking after our data.” Banks want it before extending facilities. Insurers want it before underwriting cyber cover. Larger clients want it before they’ll sign a contract that involves handing you their customer data. POPIA §19 is the backdrop to all of these conversations, whether the person asking mentions it by name or not.

A certificate in a drawer versus evidence you can re-run

Here’s where a lot of compliance work goes wrong. A business pays for an assessment, gets a PDF, files it, and treats the PDF as the compliance. That’s a certificate in a drawer — a point-in-time claim that nobody can re-verify six months later when your app has changed and the question comes up again.

We think about this differently. Evidence should be something you can re-run, not something you take on faith. When we do a Deep Scan, we’re not filling a template with generic risk language — we’re actively testing your live web application the way an attacker would, and for anything we flag, we reproduce it with a working proof of concept. If we can’t prove it, we don’t report it: 0% false positives on confirmed findings is the standard we hold ourselves to. We’re an operator running the assessment, not an unattended scanner spitting out a list that needs a security background to interpret. Every finding also gets mapped to a recognised framework — MITRE ATT&CK, NIST CSF, OWASP, or CWE — so what you hand to a bank or an insurer isn’t “trust us,” it’s a documented, cross-referenced finding that any competent reviewer on their side can independently check against the standard cited.

Where to start

Before anything is tested, we confirm you own the domain and get your written authorisation — we never scan without both. If you’re not sure whether your current security posture would hold up to that “prove it” question from a bank or a client, that’s the actual question a Deep Scan answers. Get in touch and we’ll walk you through what it covers, what it costs for a business your size, and what you’ll have in hand at the end of it.