“Mauritius is neither lagging nor leading in the cybersecurity domain”

Sharvine Appadu, Chief Information Security Officer of Cim Finance 

The issue of cybersecurity has become one of the major concerns for companies in Mauritius. Proof of this is that the subject is debated in numerous workshops and conferences. For Sharvine Appadu, Chief Information Security Officer of Cim Finance, Mauritius is on the right path when it comes to cybersecurity, with firms eager to adopt international standards and frameworks. But we have not yet developed “coherent and effectively enforced national cybersecurity strategies” like Singapore or the United Kingdom have. Getting there would require sustained political commitment and genuine public-private sector collaboration.

Shareenah Kalla

With several workshops on cybersecurity organized since the beginning of the year, there seems to have been a wake-up call in Mauritius. What’s your take on this?

This is a very encouraging development. The increase in cybersecurity workshops reflects a clear and welcome shift in mindset, moving from reactive responses towards a more proactive and structured approach to risk management. We are witnessing stronger engagement across the entire ecosystem, including regulators, businesses and public institutions.

That said, awareness must now translate into concrete action. The priority is sustained investment, stronger capabilities and consistent implementation across all sectors. Cybersecurity must be embedded into day-to-day operations and not remain solely at the level of discussion.

 

“A significant cyber incident can inflict immediate financial losses, lasting reputational damage and serious legal consequences for any organisation.”

 

Where does Mauritius stand today when it comes to cybersecurity?

Mauritius can be considered at a developing stage in cybersecurity. There is strong regulatory intent, particularly within the financial sector, alongside a growing adoption of international standards and frameworks. However, the landscape remains uneven. While certain sectors are relatively advanced, others are still at an earlier stage, creating vulnerabilities at a systemic level. Strengthening national resilience will require a more balanced approach across industries.

Would you say that we are lagging behind on this issue?

Mauritius is neither lagging nor leading. We are in a transition phase, marked by clear progress, but also by structural constraints that must be addressed. These include a degree of reliance on external and cloud infrastructure, as well as gaps in resilience, detection and response capabilities. The scarcity of skilled cybersecurity professionals in the local market also remains a key challenge that the industry is actively working to address.

Do Mauritian companies have adequate structures in place to deal with cybersecurity?

The level of preparedness varies significantly. Larger organisations generally have governance frameworks and controls in place. However, SMEs may face resource and capability constraints, which represents a potential area of concern within the broader ecosystem. More importantly, cybersecurity is still too often perceived as a technical matter. It must be recognised as a business risk with direct implications for operations, reputation and financial performance.

 

“AI has fundamentally lowered the barrier to entry for cybercrime.”

 

Businesses like Cim Finance, banks and insurance firms must protect themselves, but they also need to safeguard customer data. Do you believe these companies are sufficiently protected in Mauritius?

Financial institutions are generally better positioned, supported by strong regulatory frameworks such as the Data Protection Act, and oversight from the Bank of Mauritius and the Financial Services Commission. These institutions invest in the right tools and solutions, and cybersecurity receives serious attention at executive and board level. Regular assessments are conducted to identify and address weaknesses proactively. However, as with any global financial ecosystem, no system can be considered entirely immune. Threats continue to evolve at pace, and risks linked to third parties and supply chains are becoming increasingly significant areas of focus that the sector continues to actively monitor and manage.

In a recent case, clients’ personal data fell victim to cyber pirates. What is your view on this?

Such incidents serve as a clear reminder that Mauritius is not insulated from global cyber threats. Consistent enforcement of the Data Protection Act across all industries is essential, as is greater awareness among both organisations and citizens. Above all, data protection can no longer be managed quietly in the background. It must be elevated to a core responsibility at boardroom level.

What measures has Cim Finance put in place to protect the personal data of its clients?

At Cim Finance, cybersecurity is a strategic priority embedded at the highest levels of governance. Our board and executive management treat it as a core business responsibility. We operate within a structured three-lines-of-defence framework to ensure accountability and layered protection. We invest continuously in technology, encompassing endpoint security, email security, data loss prevention and a Security Operations Centre. We also place strong emphasis on awareness, with ongoing training programmes for employees. Real-time monitoring, threat detection and independent external assessments further reinforce our resilience in line with industry best practices and regulatory expectations.

In an era of wars and cybercrime, would you say cybersecurity has reached a turning point?

Cybersecurity has clearly reached a turning point. It is no longer solely an IT concern, but a business and national priority. Geopolitical tensions, organised cybercrime and rapid digital transformation have significantly expanded the threat landscape. At the same time, increased reliance on third parties has multiplied exposure. Organisations that do not adapt to this reality face increased operational and reputational risks.

At a recent conference, Daniel Essoo, CEO of the Mauritius Bankers Association, stressed that cybersecurity should no longer remain just a topic on paper; it must be put into action. Do you agree?

Entirely. Policies and frameworks are essential, but they must be supported by rigorous execution. Effective cybersecurity requires continuous testing, including vulnerability assessments, penetration testing and incident simulations. It must also be integrated into daily operations and embedded from the design phase of any new initiative. Measurable KPIs and KRIs, with clear accountability, are essential to ensuring that commitments translate into outcomes.

Do you think the authorities and government are doing enough to alert the public about cyberattacks and scams, given that CERT-MU’s latest figures show that these crimes are on the rise?

Progress is being made through the introduction of guidelines on cyber and technology risk, AI, cloud computing, mobile banking and third-party management, which represents a meaningful step forward for regulated institutions. However, public awareness remains insufficient. Citizens are still increasingly exposed to phishing, scams and social engineering. Cybersecurity messaging needs to be simple, accessible and delivered in the languages that resonate with the public, including Creole. Greater cross-industry collaboration on threat intelligence sharing and coordinated awareness campaigns would also make a significant difference.

How can AI become a dangerous tool in the hands of cybercriminals?

AI has fundamentally lowered the barrier to entry for cybercrime. It is accessible to virtually anyone, and it enables criminals to craft highly convincing phishing and social engineering attacks at scale. AI can automate large-scale operations, making attacks faster, more efficient and harder to detect. It can learn and adapt in real time, allowing attackers to refine their strategies and circumvent traditional defences. Beyond phishing, AI-generated deepfakes, encompassing fake audio, video and images, are being used to impersonate individuals and spread disinformation, significantly amplifying the reach and impact of cybercrime across all sectors.

Does this mean we need stronger ethical frameworks around AI?

Absolutely. Ethical frameworks are essential to ensure that AI is adopted responsibly, with sound governance, compliance with existing regulations such as the Data Protection Act, and embedded risk controls. As the misuse of AI for fraud and disinformation grows, ethical governance becomes a critical line of defence. Responsible AI development is ultimately what ensures that technological progress serves long-term societal goals without generating new vulnerabilities.

Shouldn’t there be greater synergy between the public and private sectors on this issue?

To a degree, yes. Particularly financial institutions, which are driven by both regulatory requirements and the direct financial consequences of cyber incidents. The private sector also benefits from greater agility in procurement and technology adoption. However, being ahead on certain dimensions does not mean the work is complete. The priority, now, is to raise standards across all sectors and ensure that progress in the private sector is matched and supported at the national level.

Let’s be honest: isn’t the private sector already ahead of the game?

To some extent, particularly within financial services, the private sector is more advanced. This is largely attributable to regulatory requirements and the direct financial consequences that cyber incidents carry. The private sector also benefits from greater agility in procurement and the adoption of new technologies.

However, being ahead in certain areas does not mean the work is complete. The priority, now, is to raise standards consistently across all sectors and ensure that progress made within the private sector is matched and supported at the national level.

Should cybersecurity be given greater importance in the next national budget?

Cybersecurity is already present in the national budget, which is a good starting point. However, I would advocate for more targeted initiatives: enforcing cybersecurity standards across all industries, investing in national cyber infrastructure, and creating dedicated funding streams for awareness, education and innovation. Particular attention should be given to supporting SMEs, which currently may have higher exposure while having more limited resources to address it.

Which countries could Mauritius look to as examples in this field?

Two countries stand out as particularly strong reference points. Singapore has developed one of the most coherent and effectively enforced national cybersecurity strategies globally, making it a genuine benchmark for small island nations. The United Kingdom offers another compelling model, underpinned by robust regulatory frameworks and well-established national cyber programmes that have been refined over many years. Together, these examples demonstrate what sustained political commitment, combined with genuine public-private sector collaboration, can achieve.

How much does a healthy economy depend on strong cybersecurity?

The dependency is profound and, I would argue, increasingly direct. Cybersecurity underpins trust in financial systems and in the digital economy as a whole. A significant cyber incident can inflict immediate financial losses, lasting reputational damage and serious legal consequences for any organisation.

Conversely, a demonstrably strong cybersecurity posture is an economic asset in its own right. It signals reliability, stability and institutional maturity. It attracts foreign investment and reinforces Mauritius’ standing as a credible and trustworthy international financial centre.
