Friday, April 3, 2026

The Governance of Crisis: Insights from the Inaugural Cyber Resilience Leadership Forum 2026

By Shruti Menon Seeboo

The shift from technical cybersecurity to strategic cyber resilience was formally codified in Mauritius on 2nd April 2026. Set against the serene backdrop of the Royal Green Wellness Resort in Moka, the inaugural Cyber Resilience Leadership Forum (CRLF) arrived not as another IT conference, but as a high-level rendezvous for the island’s executive leadership. The forum’s core premise was sophisticated yet sobering: in a world where artificial intelligence has decentralised the ability to cause disruption, the ultimate line of defence is no longer a firewall, but the quality of executive decision-making under pressure.

Opening the forum, emcee Farah Jhumka, CEO of BlueFox SAS, framed the event as a seminal moment for the Mauritian business community. She was clear that the CRLF, established by Storm Guidance as an annual fixture, represents a “vital platform” for navigating the “clear and present dangers” of a digital landscape that has become increasingly volatile. Jhumka’s remarks set a deliberate tone of clinical, evidence-based dialogue, steering the conversation away from the jargon of server rooms and toward the responsibilities of the boardroom.

“It is not a technical conference,” Jhumka emphasised, noting that the forum was designed to address what it “genuinely means to lead through cyber risk in 2026 and beyond.” Her analysis highlighted that Mauritius is currently entering a period of heightened operational risk, a trend mirrored globally. The entry of artificial intelligence into the “equation on both sides”—both for those defending and those seeking to exploit—has fundamentally altered the standard of preparedness. For Jhumka, the forum’s existence is a direct response to the rising regulatory expectations facing boards across every sector in Mauritius. Her opening served as a call to arms for executives to meet these higher standards with a proactive, rather than reactive, posture.

The Diplomatic and Strategic Imperative: HE Paul Brummell, CMG, British High Commissioner to Mauritius

Following Jhumka, the British High Commissioner to Mauritius, HE Paul Brummell, CMG, provided a broader geopolitical context to the proceedings. He noted the “delightful” nature of the inaugural edition, positioning it as a critical executive-level platform for strengthening the nation’s digital future. Brummell’s contribution underscored that cyber incidents are rarely contained within the IT department; they are, by their very nature, business crises that unfold with alarming speed.

Linking the event to the UK-Mauritius Strategic Partnership Framework, the High Commissioner reinforced that building leadership capability is a central component of the shared vision between the two nations. “Cyber threats are neither rare nor selective,” he observed, reminding the audience that every organisation—regardless of size or regulatory status—faces the inevitability of disruption. Whether triggered by ransomware, data breaches, or human failure, the question for the modern leader is no longer if, but when.

Brummell drew a poignant comparison to the Marine Corps Combat Hunter Programme, suggesting that the CRLF was designed to ensure that prioritisation and planning occur well before a crisis, rather than during a “mad scramble” for answers. He argued that resilience is a “board-level obligation,” where leaders are expected not only to mitigate risk but to respond with transparency and responsibility.

The High Commissioner particularly lauded the forum’s inclusion of a cyber incident simulation, where “theory meets reality.” He pointed out that the most valuable hours of an incident are the first few, where leaders must manage third-party exposure, understand the nuances of legal privilege, and engage regulators appropriately. For Brummell, this preparation is vital for Mauritius as it continues to strengthen its role as a regional hub for finance and innovation. “Cyber resilience isn’t built overnight,” he concluded, “it’s built through preparation, rehearsal, disciplined governance, and leadership that is ready to act when action matters most.”

The Mathematics of Vulnerability: Neil Hare Brown, CEO of Storm Guidance

The transition from introductory remarks to the core methodology of the forum was led by Neil Hare Brown, CEO of Storm Guidance, whose session served as a masterclass in the quantification of digital peril. His approach was rooted in a foundational management axiom: “You cannot manage what you do not measure.” For many leaders in the room, cyber risk has long felt like an abstract or nebulous threat, but Hare Brown’s objective was to ground this uncertainty in the cold, hard logic of actuarial science and statistical probability.

Hare Brown began by stripping away the “ridiculous statistics” often associated with the cybersecurity industry, opting instead for a conservative, evidence-based assessment of the current landscape. Drawing on the FAIR (Factor Analysis of Information Risk) methodology pioneered by Jack Jones, he defined cyber risk through two primary lenses: probable frequency and probable magnitude. This shift in definition is crucial for the modern executive; it moves the conversation away from “preventing hacks” and toward “managing the frequency and severity of future losses.”

The data presented was striking, particularly when placed in the context of traditional business risks that boards have managed for centuries. Hare Brown noted that while between 8% and 15% of businesses recorded at least one major incident in the past year, the true gravity of the situation is revealed through comparison. “It is over 200 times more likely for an organisation to have a cyber incident than it is to have a fire,” he observed, “and over 1,000 times more likely than a major flood.” For a business community that meticulously insures against fire and environmental disaster, these figures represent a call for a radical recalibration of corporate priorities.

However, Hare Brown was careful to note that frequency is not merely a matter of being “targeted.” He argued that while attacks may be constant, an actual incident only occurs when an attacker meets a vulnerability. “Poor and vulnerable software is at the heart of the issue,” he stated, suggesting that organisations capable of maintaining rigorous software hygiene can significantly reduce the frequency of successful breaches.

When addressing the second factor—magnitude—Hare Brown invoked a “roll call” of global entities, from the British Library to Harrods, to illustrate that no sector is immune. He highlighted the British Library specifically as a sobering example of the “long tail” of cyber recovery, noting that they remain in a state of restoration two years after their initial breach. This underscored his point that the magnitude of a loss is not just a momentary hit to the balance sheet, but a potential multi-year operational drag.

Ultimately, Hare Brown framed the role of the business leader as one of strategic balance. He outlined the four traditional pillars of risk management—mitigation, transfer, avoidance, and acceptance—and challenged the delegates to consider how much loss their balance sheets could truly absorb before these management strategies must be triggered. “Risk acceptance,” he concluded, “is about how much loss you can take before you have to think about other types of risk management.” By the end of his session, the “black box” of cyber risk had been replaced with a clear, measurable framework, providing the executive audience with the vocabulary and the metrics needed to lead with genuine confidence.

The Frontline Reality: Dr. Kaleem Usmani, Head of the Computer Emergency Response Team (CERT-MU)

The discussion then transitioned from the strategic and mathematical to the operational reality of the island’s frontline defence. Dr. Kaleem Usmani, Head of the Computer Emergency Response Team (CERT-MU), provided a granular analysis of the threats currently permeating the Mauritian digital ecosystem. His address served as a vital reality check, bridging the gap between global trends and local vulnerabilities, while reinforcing the High Commissioner’s sentiment that resilience is a long-term build. “Cyber resilience cannot be built overnight,” Dr. Usmani affirmed, “It involves a number of things… right from governance till sensitisation.”

Dr. Usmani began by situating Mauritius within a broader continental context, noting that CERT-MU is the second oldest service of its kind in Africa. He highlighted the institution’s role in assisting the Ministry of Information Technology, Communication and Innovation in developing strategies that are now more critical than ever. “We are talking about the blueprint,” he noted, referring to the government’s aggressive push into Artificial Intelligence, IoT, and updated national cybersecurity strategies. However, he was quick to point out that these top-down policies require a symmetrical response from the private sector: “This is the private sector who are presenting today; they are there to support the government.”

A significant portion of Dr. Usmani’s analysis was dedicated to the “hidden” nature of cybercrime in Mauritius. He candidly addressed the limitations of current data, noting that the statistics he presents only reflect incidents reported to CERT-MU. “What I’m showing you here, that’s what is reported to us,” he explained. “Could be at the level of the banking institutions, could be at the level of the legal sector—they are not reported. So, if we have to have a great risk profiling for the whole country, that might not be the fully correct statistic.” This lack of a consolidated reporting effort remains a primary hurdle for national resilience, leading Dr. Usmani to call for a unified platform where “threats to the whole country could be reported at one place.”

The statistics he did provide, however, were illuminating and specifically focused on the social impact of digital connectivity. In 2025, CERT-MU recorded 6,073 total incidents, with a population of 1.2 million and nearly 900,000 active social media users. “This is becoming dominant,” he observed, pointing out that 46% of cases involved Facebook, followed by TikTok at 43%. The breakdown of these 6,073 cases included 1,635 instances of online harassment, 938 scams, and 792 cases of cyberbullying. “These things are something which are still dominating the country,” he noted, adding that even the youth are not exempt, with over 150 incidents involving individuals aged 7 to 17.

Crucially, Dr. Usmani touched upon the economic toll of these disruptions. “Global cybercrime estimated cost is around $10.5 trillion in 2025… 4 billion annually we are losing in Africa.” Regarding the local impact, he was blunt: “Even in terms of Mauritius, we do not have the statistical algorithm… we have to have the cybercrime costing assisted to be done exactly.” He warned that while ransomware is currently “less reported,” it remains a significant latent threat, often overshadowed by the “daily basis” occurrence of phishing, online shopping fraud, and crypto scams.

Looking toward the remainder of 2026, Dr. Usmani’s projections were focused on the sophistication of new attacks. “Global cyberattacks have a very important legacy… it comes down to AI-powered attacks. AI is something that technology is helping [the attackers]… to make compromises much more accessible to people.” He specifically flagged the rise of “deepfake, audio, video, phishing campaigns and information” as real happenings in Mauritius. To counter this, he urged a return to fundamental “good practices,” including the mandatory use of two-factor authentication, strengthened user monitoring, and the rigorous testing of incident response plans. “The component of strength and policy decisions is one of the things of being a cyber person,” he concluded, framing resilience as a continuous exercise in vigilance.

From Passive Compliance to Decision-Centricity: Leadership Perspectives on the 2026 Cyber Landscape

The inaugural Cyber Resilience Leadership Forum 2026 reached a critical juncture during its first panel session. As the dialogue shifted from introductory remarks to the practicalities of executive readiness, the focus sharpened on a single, sobering reality: in 2026, resilience is no longer a technical metric, but a test of leadership character under fire. Moderated by Farah Jhumka, the discussion brought together the nation’s foremost authorities on data protection, financial services, and cybersecurity academia to dissect the shifting responsibilities of the modern board.

Opening the panel, Drudeisha Madhub, the Data Protection Commissioner, delivered a stinging critique of the traditional approach to regulatory adherence. “What I’ve seen from my own experience is that there is a lot of passive compliance across all sectors,” she observed. “We believe compliance is a checklist. You know, we tick the box. We put some organisational resilience, like keeping the lights on, and then that’s it, we’re done.” Madhub argued that this “passive-orientated” culture is not merely inadequate but is actively “burdening us and creating more risks with time.” For the Commissioner, the priority for 2026 must be a shift toward “trust-driven data governance.” She reminded the executive audience that a data breach is never just a technical failure; it is “a failure of trust” with legal and reputational consequences that strike at the very heart of business profitability. “We need to champion a culture where not only cyber security, ethics, and data protection reconverge,” she stated, framing these “biblical principles” as a pillar of national security.

This sentiment was echoed and expanded upon from an academic perspective by Dr. Sheeba Armoogum, Associate Professor and Head of Cybersecurity at the University of Mauritius. Dr. Armoogum challenged the delegates to redefine their understanding of resilience entirely. “In 2026, we are going to define resilience. It’s no longer going to be defined as how new your system is,” she posited. “It is going to be defined as how well the leaders decide under pressure.” Introducing the concept of “decision-centric resilience,” Armoogum argued that while cyber-attacks and AI-driven disruptions are now inevitable variables, the differentiator for a resilient organisation is executive judgement. “You can have the best system in your organisation, but if the decision and the judgement is not right, it will fail,” she warned. “Resilience is more about the wise decision-maker when certainty no more exists.”

Representing the backbone of the Mauritian economy, Daniel Essoo, CEO of the Mauritius Bankers Association, brought the conversation back to the necessity of structured preparedness within the financial services sector. While acknowledging the importance of culture and decision-making, Essoo highlighted that true resilience requires a rigorous, evolving plan. “You need a plan, and you need to be prepared. Because there’s only so much you can do if you’re under attack,” he noted. For Essoo, the 2026 risk environment is uniquely volatile due to changing economic dynamics and the rapid integration of AI. He described a framework where banks must move beyond “systemic blockages” like firewalls and encryption to create “threat models that constantly evolve.”

Dr. Kaleem Usmani of CERT-MU reinforced this by identifying the “capacity gap” that often exists within commercial entities. He argued that resilience is a composite of governance, technical controls, and, crucially, visibility. “Unless and until you don’t know what these threats are… you are losing,” Dr. Usmani remarked, specifically citing the danger of Advanced Persistent Threats (APTs) that sit silently within a system. He emphasised that resilience must be reaffirmed through constant investment in infrastructure and monitoring. “The better you can have the threat, the better you can manage,” he concluded, linking business continuity directly to the ability to see the adversary in real-time.

As the panel delved deeper into what “good” resilience actually looks like in practice, Dr. Armoogum urged boards to move away from mere declarations of safety toward active demonstration. “It is not about declaring how good your organisation’s resilience is… it is more about demonstrating,” she said. She advocated for “testability” through simulations and “red teaming” to ensure the organisation can operate while failing. “The system should be implemented… to make sure that the system operates with the failure that is slowing and the recovery faster.”

From a regulatory standpoint, Commissioner Madhub clarified that “good resilience” is characterised by “verifiable audit trails” and transparency. She pointed to the Data Protection Act’s requirement for a Record of Processing Operations (ROPO) as a primary tool for operational transparency. “A data breach is not just a technical failure… we learn by experience,” she noted, explaining that the ROPO allows leaders to identify and leverage high-impact risks. She was firm on the requirement for standardisation, noting that her office provides a specific legal template that organisations must use. “Should you not have it, it will mean that you are also committing an offence.”

Closing this segment of the dialogue, Daniel Essoo provided a vivid analogy of the chaos inherent in a live incident, comparing a cyber-attack to his 9-year-old son’s first rugby match. “He had a cut on his lip, and he was all about trying to grab the ball, and he had no idea who he was passing it to… welcome to a cyber attack.” Essoo’s point was clear: while it is “the easiest thing in the world” to have a plan on paper, the true test is making sense of the “legs, arms, and pain” during the heat of a crisis. In the banking sector, this has led to a push for robust, quarter-to-quarter statistical reporting to tailor risk responses. “It’s taken a while—eight years—but we’re getting there now,” Essoo remarked regarding the finalisation of standardised fraud reporting templates. For the leaders gathered in Moka, the message was unmistakable: the era of ticking boxes is over, and the era of demonstrated, decision-centric resilience has begun.

The panel continued with a cautionary narrative from Essoo, who moved beyond the rugby pitch to a real-world example of how disparate events can signal a coordinated cyber-threat. He recalled a series of bomb scares that affected seven schools in Mauritius simultaneously—an event that mirrored identical incidents in Jamaica, Canada, and Louisiana. “This was actually, in my view, a cyber incident,” Essoo remarked, using the anecdote to challenge the mindset of modern executives. He questioned whether companies are truly prepared to recognise such “distractions” on social media as potential tests of state response or diversions designed to create operational voids. “Do we recognise when to actually increase our alert levels?” he asked, stressing that resilience is not merely about technical education, but about a “right mindset” to identify systemic patterns in a chaotic information environment.

Dr. Usmani of CERT-MU picked up this thread, arguing that the true solution to this uncertainty lies in “real-time simulation standards.” He suggested that organisations must move away from a dependency on external consultants and instead build the internal capacity to fill their own gaps. “If you have that capacity… you don’t have to wait for anything,” Usmani noted, particularly addressing the banking sector’s ability to leverage its infrastructure. However, he was candid about the “concerning gaps” across the Mauritian ecosystem, identifying a “scarcity of cyber people” and a premature level of readiness in critical sectors. While technical solutions are plentiful, Usmani argued that “getting the best out of those solutions… is very difficult and that could only be achieved once you have good people.”

This led Dr. Armoogum to advocate for a fundamental shift in how the nation measures its progress. “We need to move from compliance verification to resilience validation,” she posited. Armoogum argued that while Mauritius is proficient at annual “checklist” audits, it lacks “resilience validation under real attack.” She questioned the maturity of organisations that claim stability but have yet to demonstrate how they function when their systems are actively failing.

The dialogue then turned to the critical microseconds following an incident. Essoo noted that while the board sets the framework, the executive team must have the response “right there in their DNA.” He observed a tendency to treat cyber incidents in isolation—a “silo” mentality that he compared to a fire warden only focusing on their own building while ignoring a serial arsonist in the neighbourhood. “Incidents are rarely isolated,” Essoo warned, advocating for protocol coordination across the ecosystem to ensure leaders don’t just “focus on what they’ve seen” but maintain the perspective to ask what else might be happening simultaneously.

Dr. Usmani reinforced this need for speed, defining resilience by the “isolation process” that should occur within fifteen minutes to a few hours of an incident. “This has to be efficiently done and this is not happening,” he noted, calling for these processes to be mooted at a national level during a crisis. Essoo agreed, pointing out that while micro-level solutions for individual entities are “perfectly okay,” the macro-level protection of the ecosystem remains fragmented. He raised the difficult question of collective authority: “Is it the regulator’s job to come back with the licence fees? What about non-licence fees who might be subject to an attack?” Essoo concluded that Mauritius urgently needs protocols for the whole ecosystem to work as a collective, rather than a group of isolated entities protecting their own “switches and real estate.”

Data Protection Commissioner Ms. Madhub brought a legal “honesty” to the discussion, admitting that while Mauritius is prepared at the micro level, “at the macro level, we are definitely not prepared… we should be honest about it.” She shifted the focus to the specific legal obligations of “readiness” under the Data Protection Act, particularly the 72-hour mandatory notification delay for data breaches. “I believe in action-orientated and measurable effectiveness of measures,” Madhub stated, asserting that data protection laws have improved the “proactiveness” of the country. She explained that her office does not just look at the incident itself, but at whether the organisation integrated “privacy by design” and “privacy by default” before the breach occurred.

The human element remains the most volatile factor, as Dr. Armoogum noted that individuals often “become the victim of more crimes” during the panic of an incident due to a lack of awareness on where to report. Dr. Usmani and Commissioner Madhub both concluded by stressing the “intersection of law, governance, and accountability.” Madhub highlighted the recently launched National Data Strategy for Mauritius as a definitive model for this governance. “Without having the right governance model… there’s nothing happening in terms of cyber security,” she stated. She reminded the audience of the mandatory requirement for all controllers and processors to be registered—a list that currently counts 25,000 entities but is far from exhaustive. “We are sending enforcement notices to all those who are not registered,” she warned, adding that for high-risk processing, such as biometric or large-scale data, a “Data Protection Impact Assessment” (DPIA) is a non-negotiable legal obligation. For the leaders at the CRLF 2026, the final takeaway was clear: resilience is a collective, proactive, and legally codified discipline that starts with registration and ends with demonstrated readiness under fire.
