Staff writer
Victoria Falls — Digital transformation and cyber governance expert Zéline Francis has called on insurers and pension funds to urgently strengthen cybersecurity collaboration and data-sharing frameworks, warning that African institutions face significantly higher cyberattack risks than their global counterparts.
Speaking at the ongoing Insurance and Pensions Commission (IPEC) 2026 Symposium in Victoria Falls, Francis said African organisations are between 30% and 50% more likely to suffer cyberattacks compared to those in Europe and North America, largely due to weaker cybersecurity postures and limited reporting of incidents.
“This figure is understated,” she said. “The reality is likely far worse because many organisations are not reporting breaches. Without accurate data, we cannot fully understand the scale of the threat or develop effective responses.”
Francis, who has over 25 years’ experience advising financial services boards across Africa and the United Kingdom, emphasised that the lack of reliable cyber incident data is undermining both risk management and the development of a viable cyber insurance market.
She noted that while cybercrime has grown into a global economic force valued at an estimated US$10 trillion, spending on cybersecurity defence remains significantly lower, at about US$250 billion. This disparity, she said, presents both a major risk and a commercial opportunity for insurers.
“There is a huge cyber insurance market emerging, but it cannot be properly priced without credible data,” Francis said. “Actuaries need accurate information on frequency and severity of attacks to develop sustainable products.”
The insurance and pensions sector, she warned, is a prime target for cybercriminals due to the volume and sensitivity of data it holds, including medical records, financial information, pension data and payment systems.
“Insurers sit on highly valuable data. It’s not just about money flows — it’s about personal and financial identities. That makes the sector particularly attractive to threat actors,” she said.
Francis added that slow adoption of advanced cybersecurity measures across parts of the industry has further increased vulnerability, making African institutions easier targets compared to more mature markets.
She highlighted global examples of major cyber breaches in the insurance and healthcare sectors, where millions of customer records were compromised, underscoring the potential scale of risk. However, she stressed that similar incidents in Africa often go unreported or are disclosed only partially, limiting industry-wide learning.
“What matters is not who was hacked, but how they were hacked, what it cost, and how they responded,” she said. “That is the intelligence the industry needs to build resilience.”
Francis warned that the cyber threat landscape has evolved rapidly over the past decade, with attacks becoming more sophisticated, organised and commercially driven. The rise of artificial intelligence has further accelerated this trend, enabling attackers to develop and deploy malicious tools faster and at scale.
According to her presentation, AI-enabled cyberattacks have increased by nearly 90%, while the time it takes for attackers to move within compromised systems — known as “breakout time” — has dropped to under 30 minutes.
“That means by the time your systems detect an intrusion, the damage may already be done,” she said.
She also pointed to the growing role of organised cybercrime networks and state-sponsored actors, which are often backed by significant financial and technological resources. In addition, internal vulnerabilities — including compromised employee credentials — remain one of the most common entry points for attackers.
“Your biggest risk is often inside your organisation,” Francis said. “Attackers are increasingly using legitimate access credentials rather than traditional malware to infiltrate systems.”
Against this backdrop, she urged insurance executives and boards to take a more active role in cybersecurity governance, warning that regulatory frameworks are tightening and could expose leadership to personal liability for failures in protecting data.
“The days of leaving cybersecurity solely to IT departments are over. Boards and executives must understand the risks and take accountability,” she said.
Francis identified a critical “information gap” across Africa, where underreporting of cyber incidents creates a false sense of security and limits the effectiveness of regulatory oversight and industry responses.
She challenged industry players to adopt a culture of transparency by sharing anonymised data on cyber incidents with regulators and peers.
“The benefits of sharing far outweigh the risks,” she said. “Without collaboration, we cannot build the intelligence needed to defend ourselves.”
Closing the information gap, she added, would enhance regulatory effectiveness, improve sector-wide learning, support investment in cybersecurity, and enable the development of appropriately priced cyber insurance products.
Francis also cautioned firms to carefully assess third-party risks, particularly as more organisations migrate to cloud-based systems.
“Moving to the cloud does not eliminate risk — it transfers responsibility,” she said. “Insurers must ensure their service providers meet the necessary security standards.”
As a way forward, she called for the establishment of a regional cybersecurity “centre of excellence” for the insurance and pensions sector, bringing together regulators, insurers and technology experts to share intelligence, develop best practices and coordinate responses to emerging threats.
“We do not stand a chance individually against these highly sophisticated threat actors,” she said. “But collectively, we can build the resilience needed to protect our industry and, ultimately, the savings of our citizens.”
Her remarks come as regulators and industry leaders at the symposium intensify discussions on digital transformation, risk management and the future of insurance in an increasingly technology-driven environment.
