To get the warning, you have to give up the evidence.
Peers warning peers is the most powerful defence the sector has — see the attack before it reaches you. The reason it works less well than it should is that contributing intelligence means revealing your own indicators, your own topology, and the fact that you were hit.
The model is well established globally. Information-sharing and analysis centres pool indicators of compromise, attack patterns, and trends among members, increasingly through machine-readable standards such as STIX and TAXII that let one institution's detection become another's early warning. The financial-sector body, FS-ISAC, runs a peer network spanning thousands of member firms across more than seventy countries. In Africa the public-sector instances are the national computer incident response teams: Kenya's KE-CIRT/CC issued close to twenty million advisories in a single quarter of 2025, a largely one-directional flow from the centre out to the sectors it protects.
One-directional sharing is useful but thin. The value compounds when the flow is bidirectional — when members contribute their own intelligence and the commons grows richer than any one institution could build alone. That is exactly where the model stalls. Contributing means exposing indicators drawn from your own logs, which often carry customer data; it means revealing details of your own environment; and frequently it means disclosing that you were attacked, which competitors and customers would rather not know. Banks compete. The incentive to take from the pool and give little back is structural, and it keeps the commons shallower than the threat warrants.
The regulatory cross-currents make the hesitation rational rather than merely cautious. The same data that is useful to share is protected data. An indicator tied to a customer transaction, a log line that contains a subscriber identifier, a pattern that reveals a named victim — sharing these can itself be a personal-data disclosure under Kenya's Data Protection Act, South Africa's POPIA, or Nigeria's NDPA. And because the principal sharing bodies are headquartered abroad, contribution is frequently a cross-border transfer, which brings its own basis requirement. The threat-intelligence lead who wants to participate fully is also the person who would answer for it if a contribution leaked personal data across a border without basis.
The cost of that hesitation is paid in repetition. The same phishing kit, the same command-and-control infrastructure, the same fraud playbook moves from one institution to the next, and each victim discovers it alone because the first could not safely warn the rest. In a market where attackers reuse infrastructure across banks, telcos, and payment providers — and where a single SIM-swap technique can be turned on every mobile-money platform in turn — the gap between the first compromise and the sector's awareness of it is measured in institutions breached. That toll falls directly out of the contribution problem, not out of any failure of detection.
The fraud overlap sharpens the point in the African context. The intelligence most worth sharing across a telco and a bank is the pattern behind SIM-swap and mobile-money fraud — the device change, the swap, the immediate transfer. That pattern is also the most personal data either institution holds. FS-ISAC has published frameworks specifically to help cyber and fraud teams share across the lifecycle of an attack, but in a market where a phone number is a bank key, the very richness that makes the intelligence valuable is what makes it unshareable under the current architecture of trust.
What the sector needs is not more willingness to share. Willingness is not the binding constraint. What it needs is a way to contribute the pattern without contributing the substrate the pattern is drawn from — to give the consortium the shape of the attack while keeping the identifiable detail inside the institution that holds it.
The intelligence worth sharing is wrapped in the data you are not allowed to share. The wrapping is the whole problem.
Where each sits.
Akki governs what leaves and logs every contribution, so the threat-intelligence lead can show the data protection officer and, if asked, the regulator exactly what was shared and that it was de-identified before it crossed the boundary. Participation stops being an act of faith that nothing sensitive slipped out, and becomes a governed, recorded process the institution can stand behind.
Solva reasons over inbound intelligence against the institution's own environment and refuses to raise or action an alert on a thin correlation, drafting instead an assessment of whether a shared indicator is genuinely relevant. A consortium feed is only as useful as the discipline applied to it; Solva is what stops shared intelligence from becoming a fresh source of the alert fatigue described in the first article.
This is the workflow SyniSense is built for. It anonymises at the perimeter, stripping the identifiable customer detail and the topology markers out of an indicator before it is contributed, so the institution gives the consortium the pattern — the technique, the infrastructure, the behaviour — without exposing the data the pattern was derived from. On inbound intelligence the process reverses inside the perimeter, where matching a shared indicator against the institution's own identifiable environment is lawful. The boundary is enforced by architecture, not by a clause in a membership agreement.
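The de-identify-then-log step described above can be sketched as follows. This is an added example, not code from SyniSense or Akki; the field names, the allow-list and the redaction markers are all assumptions.

```python
import hashlib
import ipaddress
import json
import re

# Constructed sample; every field name and value here is hypothetical.
OBSERVATION = {
    "technique": "sim-swap-then-transfer",
    "c2_ip": "203.0.113.45",
    "phishing_domain": "login-secure.example",
    "customer_msisdn": "+254700000001",
    "account_number": "0011223344",
    "detected_by_host": "fraud-siem-02.corp.internal",
    "internal_src_ip": "10.20.30.40",
    "note": "Victim +254700000001 swapped SIM, transfer seen from 10.20.30.40",
}
SHAREABLE = {"technique", "c2_ip", "phishing_domain", "note"}  # allow-list, not deny-list
# RFC 1918 ranges listed explicitly: ipaddress.is_private also flags documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LONG_DIGITS = re.compile(r"\+?\d{9,15}")  # phone and account numbers
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _mask_internal(match):
    try:
        ip = ipaddress.ip_address(match.group())
    except ValueError:
        return match.group()
    return "[INTERNAL-IP]" if any(ip in net for net in INTERNAL_NETS) else match.group()

def deidentify(obs):
    """Keep allow-listed fields only, then scrub identifiers embedded in their text."""
    shared = {}
    for key in SHAREABLE & obs.keys():
        text = LONG_DIGITS.sub("[REDACTED-ID]", obs[key])
        shared[key] = IPV4.sub(_mask_internal, text)
    return shared

def contribute(obs, basis, when):
    """Return (outbound payload, log record); fail closed if a withheld value survives."""
    shared = deidentify(obs)
    payload = json.dumps(shared, sort_keys=True)
    withheld = sorted(set(obs) - set(shared))
    leaked = [k for k in withheld if obs[k] in payload]
    if leaked:
        raise ValueError(f"withheld value still present in payload: {leaked}")
    log = {"when": when, "basis": basis, "fields_withheld": withheld,
           "sha256": hashlib.sha256(payload.encode()).hexdigest()}
    return shared, log
```

The final check matters because free-text fields are where identifiers survive: a note that names the detecting host passes the allow-list but is refused at `contribute`, so nothing leaves until the scrubber is extended.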
For the threat-intelligence lead, full participation becomes possible. Because de-identification is enforced in the pipe, the institution can contribute the patterns that thicken the commons without each contribution becoming a fresh argument with legal about what might be exposed. The free-rider problem eases not because firms become more generous but because contributing stops being dangerous.
For the data protection officer, the cross-border and personal-data questions have real answers. What was shared, that it was de-identified, and on what basis it crossed a border are logged per contribution rather than assured in a policy. Signing off on consortium membership is no longer signing a blank cheque.
For the sector, the commons deepens. As more institutions can safely contribute, the shared picture becomes richer and the early warning becomes earlier — the entire point of collective defence, finally unblocked by the constraint that was holding it back. And the benefit compounds: each institution that joins the bidirectional flow improves the warning every other member receives, so the value of participating rises as participation does — the network effect that collective defence was always meant to produce but in practice rarely has.
For the customer, the protection is structural. Their identifiable data is not the price of their bank's participation in collective defence; the institution can help defend the sector without trading away the data it was trusted to hold.
For the national response team, the picture sharpens. A flow that today runs largely one way — KE-CIRT and its peers pushing advisories out to the sectors they protect — becomes more genuinely two-way as institutions can feed observations back without exposing what they are not permitted to share. The national view of the threat landscape is only ever as good as what the private sector is willing to contribute to it, and the same boundary that unblocks peer sharing unblocks the contribution that improves the public picture.