Liberty’s recent disclosure of a data breach did what most incidents do in the first 24 hours: it triggered concern, prompted customer notifications, and raised the familiar questions about what data was accessed and whether systems remain secure. Liberty told clients that unauthorised access to personal information had been detected, while policies, investments and services remained unaffected.
That matters. But it is not the full story.
What rarely receives adequate attention is what happens after the initial disclosure. In financial services, the breach itself is only phase one. The longer tail is where the real damage tends to sit.
South Africa is already operating in a high-pressure threat environment. Check Point reported that local organisations faced an average of 2,145 cyber-attacks per week earlier this year, above the global average. Meanwhile, the Information Regulator has projected that reported security compromise incidents could approach 2,500 for the current financial year.
Customers are not witnessing isolated events. They are watching a pattern take shape.
For insurers, banks and investment firms, that pattern creates a trust problem. Not because every breach results in immediate financial loss, but because personal information has a long shelf life in the criminal economy. Names, ID numbers, contact details and policy-linked data do not need to be monetised immediately. They can be combined with other compromised datasets later, deployed in impersonation attempts, social engineering campaigns or claims fraud months after the incident has faded from the news cycle. This is the dimension most breach updates fail to adequately address.
A second issue that deserves more attention is the distinction between disclosure and containment. Under POPIA, organisations must notify the regulator and affected individuals as soon as reasonably possible after becoming aware of a compromise. That obligation is necessary. But notification is not the same as control. A company can meet its reporting requirements and still be working through forensic uncertainty, log gaps, third-party exposure, or incomplete visibility into where compromised data has already travelled.
That is why the most important question is rarely “Was there a breach?” It is: “How quickly did the organisation establish context?”
IBM’s 2025 Cost of a Data Breach Report found that organisations in South Africa took an average of 227 days to identify and contain a breach, still faster than the global average. Breach costs locally came in at $2.37 million(roughly R43.8 million), with faster response times, supported by AI and automation, helping to reduce both figures.
For financial institutions, speed matters because the reputational window closes fast. Customers will tolerate bad news more readily than vague news. They will forgive an incident more easily than they will forgive prolonged uncertainty. When people do not understand what happened, what was exposed, and what they should do next, they start filling the gaps themselves. That is where trust erodes and where secondary harm begins.
The Liberty breach should therefore be read as more than a one-company event. It is a signal that financial services firms are under sustained, systemic pressure, and that breach readiness is no longer solely about prevention. It is about containment, communication, and post-incident trust management.
The measure of cyber resilience in 2026 is not whether an organisation gets hit. It is how quickly it can establish facts, reduce uncertainty, and protect trust before the damage compounds.
