The King V Code is changing corporate governance in South Africa by moving cybersecurity from a purely technical issue to a central responsibility for company boards. The Institute of Directors in Southern Africa (IoDSA) published King V’s draft on 24 February 2025. It states that boards must actively manage cybersecurity, information governance, and new technology risks. But are South African organisations ready for these changes?
This article explains how King V impacts cybersecurity governance. It describes how Principle 9 deals with managing information, how Principle 8 combines risk management and compliance, and how King V provides clear guidance on new technologies like artificial intelligence (AI). It also offers practical implementation tips, compares King V with international standards, and gives recommendations for businesses of all sizes.
How King V focuses on managing information and cybersecurity
Principle 9 of the King V Code states clearly that the board must oversee how the organisation uses information and technology to grow and achieve its goals.
This means cybersecurity, data management, IT systems, and new technologies must be managed under one framework. Boards must now do more than just meet regulations; they must actively use information to support business strategy.
This approach recognises that cybersecurity protects more than just IT systems. It affects overall business stability, protects the organisation’s reputation, ensures compliance with laws like the Protection of Personal Information Act (POPIA), and builds stakeholder trust.
Combining risk and compliance with cybersecurity management in terms of King V
Principle 8 of King V requires the board to manage risks and compliance actively. This includes setting clear risk policies, approving essential procedures, and monitoring how they are carried out. Crucially, it treats cybersecurity as a strategic business risk.
Traditionally, cybersecurity was seen only as the responsibility of IT departments. King V changes this view. Boards must now see cybersecurity threats as significant risks affecting the entire business. Weak cybersecurity is not just a technical issue; it can undermine compliance with privacy laws like POPIA and lead to substantial financial and reputational damage.
Managing AI and other new technology risks
King V also clearly addresses risks from emerging technologies, especially artificial intelligence (AI). The code stresses the importance of using AI ethically and transparently, with human oversight. Boards must understand how AI affects people inside and outside the organisation.
Principle 9 states explicitly that boards must carefully manage the risks of AI. Organisations must monitor AI systems to prevent unfair or unethical outcomes. This ensures compliance with laws and maintains public trust.
How King V compares with King IV on cybersecurity
Moving from King IV to King V significantly simplifies governance responsibilities. King IV focused mainly on controlling IT through rules and checks. King V emphasises a more strategic approach, making information management part of overall board decisions.
King V also introduces a simple reporting template. This helps organisations clearly explain how they apply the code’s principles, especially cybersecurity and data management.
Aligning King V with international standards and privacy laws
King V aligns closely with global cybersecurity standards like ISO 27001 and the NIST Cybersecurity Framework. It recommends managing cybersecurity as part of overall risk management rather than as a technical requirement.
The code also complements South Africa’s POPIA law. It strives to ensure that organisations handle personal information securely, following strict privacy standards.
However, detailed cybersecurity reporting under King V creates challenges. Organisations must balance transparency with protecting security details to avoid helping attackers.
Practical steps for boards and organisations
King V requires boards to significantly strengthen their technical knowledge, especially in cybersecurity and AI. Boards may need to recruit members with technology expertise or provide regular training to existing directors.
Smaller organisations may struggle with King V’s ‘apply-and-explain’ method. Although flexible, this approach requires organisations to demonstrate how their governance aligns with King V’s goals, even with limited resources.
Effective cybersecurity reporting must satisfy stakeholders without revealing sensitive details. Finding this balance highlights the need for expert advice.
Actions you can take next
King V transforms cybersecurity into a board-level strategic responsibility, as clearly explained in Principles 8 and 9. Boards must actively integrate cybersecurity and new technology considerations into their strategic plans. Success will depend on board expertise, transparent reporting, and alignment with international standards. To get started, you can:
- Strive towards effective cybersecurity compliance by downloading and reviewing the draft King V Code.
- Improve your board’s cybersecurity knowledge by using professional training and advice. We can help you with our cybersecurity compliance services.
- Align your organisation’s practices with King V by reviewing your cybersecurity policies against global standards and privacy laws. Contact us for assistance with reviewing your policies.