orangeblock

COFI is Coming: Five cybersecurity challenges SA’s financial institutions need to tackle now

06 July 2026 | Technology | General | Palo Alto Networks

South Africa's financial institutions face growing demands for conduct and compliance, and regulation is moving to keep pace.

The Conduct of Financial Institutions (COFI) Bill, now before Parliament, will consolidate and tighten the rules the sector operates under, with an expected transitional period of around three years once enacted. The Financial Sector Conduct Authority (FSCA) has been clear that readiness is an industry-wide responsibility, urging institutions to prepare now rather than wait for the new regime to take effect.

But regulation moves at the pace of legislation, and the threat landscape does not. The South African Banking Risk Information Centre recorded an 86% year-on-year rise in digital banking fraud to 97,975 cases, with losses up 74% to R1.888 billion. And as AI-powered attack tools become more accessible, the gap between a vulnerability being discovered and exploited is collapsing. The controls regulation is building toward may simply arrive slower than the threats already at the door.

“Trust is the foundation of every financial institution. Banks, insurers and investment firms are custodians of both financial assets and highly sensitive customer information. That makes them attractive targets not only because of the data they hold, but because disruption can quickly undermine customer confidence, operational continuity and market reputation," says Rynier Schoeman, Cyber Architecture Specialist and Solutions Consultant at Palo Alto Networks. "Regulation sets a baseline, but threat actors can now move faster than many traditional security operations were designed to respond. For financial institutions, waiting for the next regulatory deadline is not an option."

He outlines five key challenges facing the sector, and argues that regulatory compliance is only one part of the broader readiness equation:

1. Social engineering is now the primary route into financial institutions
Research from Unit 42, the incident response and threat intelligence arm of Palo Alto Networks, found that 36% of investigated incidents over the past year began with social engineering, with attackers escalating privileges to domain administrator in under 40 minutes in documented cases. Financial institutions face a particular challenge because personal information exposed through unrelated breaches often mirrors the data banks use for customer verification, including ID numbers, addresses and contact details. "The information criminals need frequently already exists in the public domain," points out Schoeman. "The challenge for financial institutions is recognising how convincingly attackers can now impersonate legitimate customers, employees or service providers."

2. Both legacy banking environments and modern digital platforms create risk
Established financial institutions often operate complex technology estates that have evolved over decades, creating extensive and interconnected attack surfaces. However, digitally native banks and fintechs are not immune. Their reliance on rapid software development, cloud services and third-party integrations introduces a different set of vulnerabilities. "AI-driven reconnaissance tools can identify weaknesses across the entire technology stack, from legacy infrastructure to newly deployed applications,within minutes rather than days and weeks," Schoeman explains. "Financial institutions must secure an environment that is constantly changing while facing adversaries who can adapt at machine speed."

3. A major breach can create systemic consequences beyond a single institution
"The impact of a cyberattack is no longer limited to operational disruption," Schoeman notes. "The threat of exposing confidential customer, transactional or regulated information is often sufficient to force organisations into difficult decisions." Because South Africa's financial ecosystem is highly interconnected through payment systems, settlement networks and shared financial infrastructure, a significant breach at one institution can have broader implications. Customers may lose access to critical services, businesses can face payment and payroll disruptions, and confidence in the wider financial system can be affected. In severe cases, broader economic and investor sentiment may also come under pressure.

4. Compliance alone does not deliver cyber readiness
COFI is not only a governance and licensing exercise. Webber Wentzel's Financial Regulatory Practice Group has flagged that institutions will need to review their automated and technology-driven systems to confirm they remain fit for purpose under the new regime. With a transitional period of around three years expected once COFI is enacted, there is a window to prepare, but frontier AI is already compressing the threat landscape faster than any regulatory timeline can anticipate.

"Compliance frameworks are essential, but they describe a minimum standard, not a security posture," Schoeman warns. "Institutions that treat COFI readiness as purely a legal and governance exercise risk overlooking the technology and operational obligations that sit inside it. The cyber threat environment will not pause for a three-year transitional period."

5. Tool fragmentation creates operational and security blind spots
According to Schoeman, many financial institutions already possess powerful security capabilities but struggle to realise their full value because those tools operate in isolation. Multiple management consoles, disconnected workflows and years of configuration drift reduce visibility and complicate effective oversight. Skills shortages, third-party dependencies and growing operational complexity add further pressure. "Comprehensive visibility is the starting point for effective risk management. If security teams cannot see a threat, they cannot assess it, contain it or respond to it."

"For a sector built on trust, resilience cannot be tied to a single regulatory date. The institutions best placed for what's coming, whether that's COFI, the next standard, or the next wave of AI-driven attacks, will be those that treat compliance as a baseline to build on, not a box to tick," he concludes.

quick poll
Question

If you had to choose one approach to protect your hard-earned investment cash from today’s market madness, which would it be?

Answer