South Africa’s financial services sector operates at a precarious intersection: highly digitised, globally integrated, and increasingly targeted by cybercriminals. While the sector has made meaningful strides in governance, regulation, and operational resilience, my research reveals that many institutions remain vulnerable due to fragmented strategies, outdated frameworks, and a compliance-over-culture mindset.

In this talk, I will unpack the true state of cyber readiness in the sector, informed by two years of intensive research and interviews across major banks, insurers, and regulatory bodies. Drawing on findings from my Master’s and PhD theses, I will explore:

• Why governance maturity, not just technology, is the defining success factor in cybersecurity
• How King IV principles and global standards are being interpreted (and misinterpreted) across the sector
• The gap between executive confidence and operational vulnerability
• The rise of sophisticated social engineering and insider threats in financial institutions
• Practical steps to embed cybercrime readiness into board-level decision-making