If Banks Rehearse Cyber Attacks, Your Business Should Too

The Prudential Authority (PA), the regulator responsible for South Africa's banks and insurers, published its 2025/26 annual report in June. Buried in the supervision section is something every business owner should pay attention to: during 2025, the regulator sat in as an observer while banks, insurers and market infrastructures ran cyber attack simulations.
Not audits. Not paperwork reviews. Rehearsals of an actual breach, from the first alert through to crisis communication and reporting.
If the most heavily defended organisations in the country are being pushed to practise getting attacked, that tells you something about where cyber risk sits in 2026. And the lessons from those exercises apply well beyond banking.
What the banks actually practised
According to the report, the simulations ranged from tabletop discussions to full technical and hybrid exercises. The scenarios mirrored the threats the PA sees in the real world: phishing, ransomware, data breaches, third-party and supply chain compromises, and technology-driven outages.
Crucially, the exercises did not just test firewalls. They tested people and process:
- Governance: who has the authority to make decisions when systems are down?
- Escalation: how quickly does the right information reach the right people?
- Crisis communication: what do you tell staff, customers and regulators, and when?
- Recovery: can you actually restore operations, not just in theory?
The PA noted a positive trend it clearly wants to see more of: boards and senior management taking part directly, treating cyber risk as a business risk rather than an IT issue alone.
The detail that matters most
One observation in the report stands out. Institutions that documented their exercises properly, held formal debriefs and assigned clear ownership of the follow-up actions got measurably better. Those with thin documentation struggled to turn the exercise into improvement.
In other words, the value was never the simulation itself. It was the discipline around it: write down what went wrong, decide who fixes it, and check that they did.
That is a habit any organisation can copy, whatever its size.
Why this applies to your business
You might read this and think it is a banking story. It is not, for two reasons.
First, the threats in those bank scenarios are the same ones aimed at everyone else. Ransomware operators and phishing crews do not check your turnover before they attack. Smaller organisations often make more attractive targets precisely because they have not rehearsed anything.
Second, banks have security teams, budgets and regulators keeping them honest. Most businesses have none of those. The gap between "we have antivirus" and "we know exactly what we would do on the worst morning of the year" is where real damage happens: days of downtime, lost data, and awkward conversations with customers.
What a rehearsal looks like at SME scale
You do not need a regulator or a war room to do this properly. A practical version looks like:
- Run a tabletop exercise. Two hours, key people in a room. Pick one scenario: ransomware on a Monday morning, or a supplier breach that exposes your data. Walk through it step by step and write down every question nobody can answer.
- Test a real restore. Backups only count if they come back. Restore an actual system or dataset and time it. If your backups are not immutable, a ransomware attacker can encrypt those too.
- Agree the first hour. Who isolates machines, who calls your IT provider, who speaks to staff and customers, and where do the contact details live if email is down?
- Close the loop. Like the banks, document the gaps, assign owners, set dates, and rerun the exercise later in the year.
Where support fits in
Some of this needs capability that few SMEs keep in-house. Detection and response is the clearest example: a simulated breach is pointless if, in real life, nobody is watching at 02:00. That is the case for a 24/7 managed detection and response (MDR) service, which gives you the around-the-clock monitoring the banks build internally.
The same goes for knowing your weak points before an attacker does. Vulnerability management tools such as our own Vikelus platform keep a running view of the gaps in your systems, so your rehearsal reflects your actual exposure rather than a guess. And because phishing opened many of the scenarios the PA observed, regular security awareness training for staff remains one of the cheapest risk reductions available.
The takeaway
South Africa's financial regulator has moved past asking institutions whether they have cyber defences. It now watches them practise failing safely. That shift, from prevention on paper to rehearsed resilience, is the direction all businesses are heading, regulated or not.
You do not need a bank's budget to follow suit. One honest tabletop exercise, one tested restore and one written first-hour plan will put you ahead of most of your peers, and it will tell you exactly where you need help before you need it.
Want this handled for you?
Talk to the F1 team about managed IT, cybersecurity and cloud for your business.

