In the first weeks of 2026, reports emerged of a significant escalation in cyber operations between the United States and Iran. While the details remain classified, the pattern is unmistakable: both nations have expanded the scope and sophistication of their offensive cyber capabilities, and both have demonstrated willingness to deploy them against the other's critical infrastructure, financial systems, and strategic assets.

For most South African business leaders, this reads like a distant geopolitical concern — a problem for Washington and Tehran, not for Johannesburg and Cape Town. That assumption is dangerous, and history proves it wrong. Cyber operations designed for one target routinely escape containment and cause catastrophic damage to uninvolved countries and organisations thousands of kilometres away.

South African businesses are not bystanders in geopolitical cyber conflict. They are potential collateral damage. And the legal, regulatory, and operational consequences of that collateral damage are entirely their own to manage.

Hear this discussed on Priviso Live

This article is based on the discussion from Episode 75, where we examine how geopolitical cyber tensions between the US and Iran create real risks for South African businesses.

The NotPetya Precedent: When Targeted Attacks Go Global

On 27 June 2017, a piece of malware called NotPetya was unleashed on Ukrainian accounting software used by businesses to file tax returns. The attack was attributed to Russian military intelligence (GRU) and was designed as a weapon in Russia's ongoing conflict with Ukraine. It was never intended to leave Ukraine's borders.

Within hours, NotPetya had spread across the globe. It crippled Maersk, the world's largest shipping conglomerate, destroying 49,000 laptops and 4,000 servers and costing an estimated $300 million. It shut down production at Merck, one of the world's largest pharmaceutical companies, causing $870 million in losses. It disabled operations at FedEx's TNT Express subsidiary ($400 million), Mondelez International ($188 million), and Reckitt Benckiser ($129 million). Total global damages exceeded $10 billion.

None of these companies had anything to do with Russia, Ukraine, or the geopolitical conflict that motivated the attack. They were simply connected to the global digital ecosystem in ways that allowed the malware to propagate beyond its intended target.

NotPetya is the precedent that every South African risk professional should study. It demonstrates three critical lessons:

  1. Cyber weapons do not respect borders. Malware designed for one target can propagate to any connected system, anywhere in the world, within hours.
  2. Collateral damage is the norm, not the exception. The most devastating cyber attacks in history have caused the majority of their damage to unintended targets.
  3. Neutral countries are not safe. South Africa's non-aligned foreign policy provides zero protection in cyberspace. If your systems are connected and your defences are weak, you are a target of opportunity.

The US-Iran Cyber Landscape in 2026

The cyber dimension of US-Iran tensions has been escalating for over a decade. The Stuxnet attack in 2010 — a joint US-Israeli operation that destroyed Iranian nuclear centrifuges — established the precedent for state-sponsored cyber operations against critical infrastructure. Iran responded by building its own offensive cyber capability, which has been deployed repeatedly against US allies, Gulf state infrastructure, and Western financial institutions.

In 2026, several factors have intensified this dynamic:

  • Nuclear negotiations collapse: The failure of diplomatic efforts has removed a key incentive for restraint in the cyber domain.
  • Proxy conflicts: Regional tensions involving Iran-backed groups have created additional triggers for cyber retaliation.
  • AI-enhanced capabilities: Both sides are reportedly integrating AI into their offensive cyber operations, increasing the speed, scale, and sophistication of attacks.
  • Supply chain targeting: Rather than attacking well-defended primary targets directly, state actors increasingly target less-defended suppliers, partners, and connected systems — exactly the kind of indirect attack vector that affects uninvolved countries.

Iranian cyber groups — including APT33 (Elfin), APT34 (OilRig), and APT35 (Charming Kitten) — have historically focused on the Middle East, the United States, and Europe. But their targeting has broadened over time. African countries, including South Africa, have appeared in threat intelligence reports with increasing frequency, particularly in the context of supply chain attacks on multinational corporations with African operations.

Why South Africa Is Vulnerable

South Africa's vulnerability to geopolitical cyber spillover is a function of several compounding factors.

Critical Infrastructure Exposure

South Africa's critical infrastructure — energy generation and distribution, water treatment, telecommunications, financial systems, and port operations — relies on operational technology (OT) and industrial control systems (ICS) that are, in many cases, inadequately segmented from IT networks. The Transnet ransomware attack of 2021, which crippled South Africa's port operations for weeks, demonstrated the fragility of these systems.

State-sponsored cyber operations frequently target OT/ICS systems because of their strategic impact. An attack on South Africa's power grid, water systems, or financial infrastructure — even if unintentional spillover from a US-Iran operation — could have devastating consequences for the economy and public welfare.

Multinational Supply Chain Connections

South African businesses are deeply integrated into global supply chains. Major corporations operating in South Africa use the same enterprise software, cloud platforms, and communication tools as their counterparts in regions directly targeted by state-sponsored cyber operations. A supply chain attack targeting a software vendor used by US defence contractors could propagate to that vendor's South African customers through the same update mechanism.

Limited Cyber Defence Capacity

South Africa's national cybersecurity capacity, while improving, remains limited relative to the threat. The Cybercrimes Act (Act 19 of 2020) provides a legal framework, but enforcement capacity is constrained. The national CSIRT (Computer Security Incident Response Team) is operational but under-resourced. Many critical infrastructure operators lack the monitoring, detection, and response capabilities to identify and contain a sophisticated state-sponsored attack.

POPIA Breach Obligations in Geopolitical Crossfire

When a South African organisation suffers a data breach as collateral damage from a geopolitical cyber operation, POPIA's breach notification obligations apply in full. The law does not distinguish between a breach caused by a criminal hacker, a state-sponsored actor, or geopolitical spillover. The obligations are the same.

Under POPIA Section 22, a responsible party that has reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person must:

  1. Notify the Information Regulator as soon as reasonably possible after discovery of the breach.
  2. Notify the affected data subjects in sufficient detail to allow them to take protective measures.
  3. Describe the nature of the breach, the personal information involved, and the measures taken to address the breach.

The 72-hour notification guideline (POPIA's own wording is "as soon as reasonably possible"; 72 hours is the benchmark aligned with international best practice) applies regardless of the source of the attack. An organisation that suffers a state-sponsored attack and fails to notify within the required timeframe faces the same regulatory consequences as one that suffered a preventable breach due to negligence.

Compliance reality: "We were hit by a state-sponsored attack" is not a defence against POPIA breach notification obligations. The law requires notification regardless of the attacker's identity or sophistication. Your breach response plan must work even when the attacker is a nation-state.

The Cybercrimes Act Response Framework

The Cybercrimes Act provides additional obligations and tools relevant to state-sponsored attacks. Section 54 requires electronic communications service providers and financial institutions to report cyber offences to the South African Police Service within 72 hours of becoming aware of them. Section 55 empowers the National Commissioner of Police to declare certain computer systems as critical information infrastructure, triggering enhanced protection requirements.

In practice, a state-sponsored cyber attack affecting South African organisations would engage both POPIA (if personal information is compromised) and the Cybercrimes Act (if a cyber offence has been committed against South African systems). Organisations need to understand and plan for both obligations simultaneously.

However, the practical challenge is significant. Attributing a cyber attack to a specific state actor is extraordinarily difficult and typically requires intelligence resources that private organisations do not possess. The Cybercrimes Act and POPIA do not require attribution for compliance purposes — but the inability to identify the attacker complicates incident response, forensic investigation, and insurance claims.

Practical Steps for South African Businesses

Geopolitical Cyber Resilience Checklist

  1. Threat intelligence subscription: Subscribe to threat intelligence feeds that track state-sponsored cyber groups and geopolitical cyber activity. Free resources include CISA advisories and the MITRE ATT&CK knowledge base of adversary techniques. Commercial options from Recorded Future, Mandiant, and CrowdStrike provide deeper context.
  2. Supply chain risk assessment: Map your software and service provider dependencies. Identify which vendors have exposure to regions involved in geopolitical cyber conflict. Assess whether your vendors' security practices are adequate to withstand state-sponsored attacks.
  3. Network segmentation: Ensure IT and OT networks are properly segmented. Implement microsegmentation where possible. The goal is to limit the blast radius if malware enters your environment through a supply chain vector.
  4. Offline backup capability: Maintain offline, immutable backups of critical systems and data. State-sponsored attacks (like NotPetya) are designed to destroy, not just encrypt. Online backups connected to the same network may be compromised in the same attack.
  5. Incident response plan for state-sponsored attacks: Your incident response plan should include a scenario for state-sponsored attack. This means different communication protocols (including engagement with national CSIRT), different forensic requirements (preservation of evidence for potential law enforcement), and different recovery timelines.
  6. POPIA breach notification readiness: Pre-draft breach notification templates. Identify the responsible person for notification decisions. Document the decision-making process for determining whether a breach has occurred. The 72-hour clock starts at discovery, not at full investigation.
  7. Cyber insurance review: Review your cyber insurance policy for exclusions related to "acts of war" or "state-sponsored attacks." Many policies contain these exclusions, which could leave you uninsured for exactly the scenario described in this article. The Merck v. Ace American Insurance case (2022) established important precedent here.
  8. Board-level awareness: Ensure your board understands geopolitical cyber risk as a business risk, not just an IT risk. King IV requires boards to govern technology risk. State-sponsored cyber attacks are a foreseeable risk that should be addressed in the organisation's risk appetite statement.

The Insurance Question

Cyber insurance is a critical consideration. After the NotPetya attack, multiple insurers attempted to deny claims under "act of war" exclusions, arguing that because NotPetya was a state-sponsored military operation, it fell outside the scope of commercial cyber insurance. The landmark Merck v. Ace American Insurance case in 2022 rejected this argument, finding that traditional war exclusions applied to armed conflict, not cyber operations. But the insurance industry responded by introducing more specific cyber war exclusions in subsequent policy renewals.

South African organisations should carefully review their cyber insurance policies for:

  • War and terrorism exclusions (and whether they specifically address cyber operations)
  • Attribution requirements (whether the policy requires proof that an attack was or was not state-sponsored)
  • Infrastructure failure exclusions (which could apply if the attack targets shared infrastructure like cloud providers)
  • Systemic event exclusions (which could apply if many policyholders are affected by the same attack simultaneously)

Key Takeaways for South African Businesses

  • The NotPetya precedent proves that cyber operations designed for one country routinely cause billions in damage to uninvolved organisations worldwide — South Africa is not immune.
  • US-Iran cyber tensions are escalating in 2026, with both sides expanding offensive capabilities and targeting supply chains that connect to global business operations.
  • South Africa's critical infrastructure, multinational supply chain connections, and limited national cyber defence capacity create significant vulnerability to geopolitical spillover.
  • POPIA breach notification obligations apply in full regardless of whether the attacker is a criminal, a hacktivist, or a nation-state — the 72-hour clock does not pause for geopolitics.
  • The Cybercrimes Act creates additional reporting obligations for electronic communications service providers and financial institutions affected by cyber offences.
  • Cyber insurance "act of war" exclusions may leave organisations uninsured for state-sponsored attacks — review your policy now, not after the incident.
  • Practical defences include supply chain risk assessment, network segmentation, offline backups, threat intelligence, and board-level geopolitical cyber risk awareness.
  • Geopolitical cyber risk is a business risk, not an IT risk. King IV requires boards to govern it accordingly.

Strengthen Your Cyber Resilience Against Geopolitical Threats

Priviso helps South African organisations build comprehensive breach response plans, POPIA compliance frameworks, and cyber resilience strategies for an increasingly complex threat landscape.
