Mzansi’s Cyber Storm: How King V Arms Boards to Fight Back
Share
From ransomware spikes to AI threats – what Principle 10 demands in 2026
Written by: Sharleen Botha
The wake-up call every South African director received in 2025
If you thought the Transnet ransomware attack of 2021 was bad, buckle up.
South African organisations now face around 2,000 cyberattacks every week – a 14% jump year-on-year. Ransomware incidents have made us Africa’s #1 target alongside Egypt, while reported data breaches tripled since 2021 to over 1,700 in 2023 alone and keep climbing.
The cost? An average of R5–10 million per ransomware incident, plus reputational damage that extends well beyond insurance coverage. Yet only 30% of South African executives feel confident in their cyber defences (Deloitte 2025 Cyber Survey).
Enter King V — the governance revolution Mzansi has been waiting for
Launched by the Institute of Directors in Southern Africa (IoDSA) in late 2025, King V becomes applicable to financial years starting 1 January 2026.
For the first time, cybersecurity is a fiduciary duty — not an IT issue.
The numbers that should haunt every boardroom
| Threat | 2025 Reality in SA | Real-world cost |
|---|---|---|
| Ransomware | Highest in Africa (INTERPOL) | R5–10 million per attack + weeks of downtime |
| Weekly attacks | 2,000+ per organisation (+14% YoY) | Finance & healthcare hardest hit |
| Data breaches | Tripled since 2021 → 1,700+ reported | POPIA fines up to R10 million |
| Phishing success | Women targeted 3× more than men | Insider leaks via stolen phones |
| AI-powered attacks | Deepfakes already used in CEO fraud | Costs rising; ceiling unknown |
These aren’t hypotheticals — they’re happening right now while many boards still delegate cyber to the IT manager and hope for the best.
From King IV to King V: The quantum leap
King IV (2016) told boards to “govern technology”.
King V demands it – and spells out exactly how.
The new code is leaner, smarter, and laser-focused on the digital age.
Principle 10: “The governing body should govern data, information, and technology in a way that sustains and optimises the organisation’s strategy and objectives.”
Translation: If your strategy depends on technology (and whose doesn’t?), cybersecurity now has a permanent seat at the board table.
Principle 10 unpacked: Your 2026 board checklist
Strategic ownership (RP 105)
- Approve a technology resilience policy that includes disaster recovery and business continuity.
- Ensure cyber strategy aligns with business strategy – no more silos.
Cyber defence mandate (RP 108) – the big one
“Effective cyber security strategies and practices to protect technology assets, information and data.”
- Oversee minimum cyber requirements for all third-party providers (cloud, MSPs, payroll).
- Demand regular penetration testing and incident-response drills.
- Receive quarterly cyber risk dashboards in plain business language (not tech jargon).
AI governance (RP 109)
- Enforce human oversight and override mechanisms.
- Guarantee ethics, transparency, fairness, and security.
- Define accountability when algorithms fail.
Independent assurance (RP 110)
- Annual third-party audits of cyber controls.
- Ethics and compliance reviews of all emerging tech.
Data governance (RPs 100–104)
- Full POPIA compliance baked into every process.
- “Privacy by design” for every new system.
Companies that mature their cyber-governance model are significantly less likely to experience material breaches (Gartner benchmarks).
The boardroom reality check: Are you still exposed?
Ask yourself these five questions in your next board meeting:
- Do we have at least one cyber-literate board member?
- Have we tested our ransomware-response plan in the last 12 months?
- Are our cloud vendors contractually bound to equivalent cyber standards?
- When last did we see a one-page cyber-risk heat map instead of a 40-slide deck?
- Who in this room can explain our AI ethics policy in 60 seconds?
If any answer is “uhm…” – you’re already behind.
Five moves every SA board must make before 31 December 2025
- Perform a King V gap analysis.
- Appoint a cyber-literate independent director — or train existing members via IoDSA’s Cyber for Directors programme.
- Run a ransomware simulation before year-end.
- Upgrade third-party contracts with mandatory cyber clauses (your lawyer will thank you).
- Build the quarterly cyber dashboard – with five metrics: attacks blocked, patch latency, training completion, insurance coverage, recovery time objective.
Do these and you’ll sleep better on 1 January 2026.
The upside: King V isn’t red tape – it’s rocket fuel
- 20–30% lower insurance premiums
- Faster funding rounds – VCs love boards that treat cyber as strategy
- Talent magnetism – Gen-Z engineers won’t join companies that treat data like it’s 1999
In a country where cybercrime threatens to drag down GDP growth by several percentage points, King V can be the difference between surviving and thriving.
Your move, Mzansi
The cyber storm isn’t coming – it’s here.
Ransomware gangs don’t care about your B-BBEE score. Deepfake scammers don’t pause for load-shedding. AI weapons are already in the wild.
But for the first time, South African boards have a world-class governance shield: King V.
Download the full code. Perform a gap analysis. Run the simulation.
Because come 1 January 2026, “we didn’t know” will no longer be an acceptable excuse.
The question isn’t whether you can afford to get King V-ready. It’s whether you can afford not to.