1. Scope
This policy applies to any event that compromises the confidentiality, integrity or availability of Personal Information, Customer Data or Cyntech production systems. It is owned by the Information Officer and reviewed annually.
2. Lifecycle
- Continuous monitoring of authentication events, admin actions, error rates and dependency advisories. The security inbox is monitored during business hours; an on-call rotation covers severity-1 reports outside hours.
- Severity is classified within 4 hours using an impact × likelihood matrix. Severity 1–2 incidents trigger an immediate war-room and start the customer-notification clock.
- Compromise scope is established; affected credentials are rotated, access revoked and tenants isolated where required. Forensic snapshots are taken before any destructive remediation.
- Notification clocks (see the table in section 3) run in parallel. Notifications include the nature and scope of the incident, its likely consequences, the measures taken and a contact for further information.
- Root-cause remediation is deployed; the integrity of backups is verified; affected systems are restored from known-good baselines.
- A blameless post-mortem is held within 10 business days; corrective actions are tracked to closure; a customer-facing summary is issued where appropriate.
3. Notification clocks
Concurrent clocks we maintain in our playbook:
| Regime | Notify | Clock |
|---|---|---|
| POPIA s22 (ZA) | Information Regulator + affected data subjects | As soon as reasonably possible after determination |
| Cybercrimes Act 19 of 2020 (ZA) | South African Police Service | Within 72 hours of becoming aware (for scheduled offences) |
| GDPR Art. 33 (EU) | Lead supervisory authority | Within 72 hours of awareness |
| GDPR Art. 34 (EU) | Affected data subjects | Without undue delay where high risk |
| UK GDPR (UK) | ICO + affected data subjects | Within 72 hours / without undue delay |
| CIRCIA (US) | CISA — covered cyber incidents | Within 72 hours of reasonable belief |
| CIRCIA (US) | CISA — ransom payments | Within 24 hours of payment |
| US state breach laws | State AG + residents | Per jurisdiction (typically 30–90 days) |
| Contractual (customer) | Affected customer | Per DPA — Cyntech standard: 48 hours |
4. Customer notifications
Where Cyntech processes Personal Information as Operator/Processor, we notify the affected customer (Controller) within 48 hours of becoming aware, providing the information required by Art. 33(3) GDPR and POPIA s22(4). The customer remains responsible for notifying its own data subjects and supervisory authorities, with our active assistance.
5. Sector-specific reporting (Energy / O&G)
- US bulk-electric-system customers in scope of NERC CIP-008: we provide forensic data within their reporting window.
- US pipeline customers subject to TSA SD02C / SD-Pipeline-2021-02D: we cooperate with 24/12-hour CISA reporting.
- EU operators in scope of NIS2: we provide an early warning within 24 hours and an incident notification within 72 hours of customer awareness.
6. Records
We maintain an internal incident register in accordance with Art. 33(5) GDPR. Customers may request a written summary of any incident affecting their data.
7. Reporting an incident to us
If you believe Cyntech systems are involved in a security incident affecting you, email security@cyntech.co.za with "INCIDENT" in the subject. For vulnerabilities, see our Vulnerability Disclosure Policy.
