Joint Standard on Cybersecurity and Cyber Resilience Requirements

The Joint Standard on Cybersecurity and Cyber Resilience Requirements sets the minimum standards for financial institutions to implement best practices and processes to identify and guard against cybersecurity and cyber resilience risks. The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published this joint standard on 17 May 2024; the commencement date is 1 June 2025.

Financial institutions in South Africa must comply with this joint standard 2 of 2024. Many mature and large financial institutions will already meet many of the standards. We (together with other service providers) can help you ensure your organisation meets these standards practically and effectively. You will need to follow a multi-disciplinary approach to comply. A key component of complying will be demonstrating that you comply.

All financial institutions in South Africa must meet these cybersecurity standards by 1 June 2025.

Objectives of the Cybersecurity Joint Standard

The joint standard aims to protect financial institutions against cyber attacks and prepare them to recover from attacks by essentially requiring them to do two things.

1. They should implement processes.
2. They should have the right tools and technologies.

Who does the joint standard apply to?

• Banks, banks branches and controlling companies governed by the Banks Act.
• Mutual banks and controlling companies governed by Mutual Bank Act.
• Insurers and controlling companies governed by the Insurance Act.
• Investment managers governed by the Collective Investment Scheme Act.
• Market infrastructures governed by the Financial Markets Act.
• Discretionary FSPs governed by Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs.
• Administrative FSPs governed by Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs.
• Pension funds registered under the Pension Funds Act.
• OTC derivative providers governed by the Financial Markets Act Regulations.
• Registered credit rating agencies

If you provide services to financial institutions, this joint standard will also impact you.

Key considerations of the Joint Standard on Cybersecurity and Cyber Resilience Requirements

This joint standard is principle-based. A financial institution must implement its requirements in accordance with its risk appetite, nature, size and complexity. The standard specifies information security measures that apply to financial institutions. The standard is different from the Cybercrime Act which establishes offences that arise from a person’s actions.

The governing body roles and responsibilities

The governing body of of a financial institution has several responsibilities under the Cybersecurity standard. (We can help you to train or brief your governing body.)

1. Ensure that the institution complies with the standard.
2. Oversee cyber risk management.
3. Work with senior management to establish a sound and robust cybersecurity strategy and framework.
4. Make management responsible for collaborating with other stakeholders to ensure cyber resilience.
5. Clearly define roles and responsibilities for security in the contracts and Service Level Agreements with third-party service providers. (We can help you with IT contracts and Data Processing Agreements (DPAs).)

There is overlap with the Digital Operational Resilience Act (DORA). In addition to the the CIA triad: confidentiality, integrity and availability, DORA introduces authenticity.

The standards each financial institution must meet

1. Have good governance of cybersecurity and cyber resilience.
2. Establish and maintain a cybersecurity strategy and framework. (We can facilitate a workshop to help you achieve this.)
3. Implement the cybersecurity fundamentals, including:
   1. identify and protect against events or incidents, (We help you put organisational measures in place.)
   2. manage identity and access,
   3. secure data,
   4. secure applications and systems,
   5. secure its network,
   6. meet the standards for using cryptography, and (We can help you register as a cryptography provider)
   7. ensure a sufficient level of awareness by conducting cybersecurity awareness training. (Join our cybersecurity compliance programme)
4. Detect cyber events or incidents.
5. Respond and recover from cyber-attacks. (We can be your breach coach)
6. Respond and manage cyber events or incidents. (Get an incident response policy)
7. Be aware of the situation it finds itself in.
8. Test all elements of its cyber resilience capacity, including:
   1. test the effectiveness of its controls,
   2. assess its vulnerabilities,
   3. test whether it can be penetrated,
   4. carry out simulation exercises,
   5. test application security,
   6. manage the remediation of issues.
9. Learn and evolve.
10. Practice cybersecurity hygiene.
11. Notify and report any incident to the relevant authorities (including the information regulator). (We help with incident reports)

Many of the standards require a financial institution to have good cybersecurity policies, standards, processes and procedures. We can help you get these right.

This is our plain language summary of the standards. For a full understanding we encourage you to read the actual standard.

Actions you could take regards Joint Standard 2 of 2024

• Meet this Joint Standard 2 of 2024 by asking for our assistance by enquiring now.
• Secure your information and cyberspace or environment in accordance with the law by asking for our help with cybersecurity law or joining our cybersecurity compliance programme.
• Learn more about how your organisation can protect people’s personal information by joining our data protection programme.
• Learn about the impact of the Cybercrimes Act on financial institutions by reading our related post.
• Receive future updates or alerts about cybersecurity and our events by subscribing to the Michalsons newsletter.
• Dive into the details of the POPIA by reading the web-based version of it.

The process giving rise to this FSCA and SARB Joint Standard

In December 2021, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) (a prudential regulator within the administration of the SARB) published the draft Joint Standard: Cybersecurity and Cyber Resilience Requirements for Financial Institutions (Joint Standard 2 of 2024) for consultation. The deadline for submitting comments on the draft Joint Standard 2 closed on 15 February 2022. At the time, the FSCA and PA (Authorities) explained that they would review any submissions it receives from the public, and would thereafter release a revised draft Joint Standard for comment for a period of six weeks.

Then in December 2022, the Authorities released a statement on their proposed revisions to the Joint Standard for a second round of comments. Interested parties had a chance to submit their comments about the documents to the Authorities by 28 February 2023. Thereafter, the Authorities considered further comments they received. Once this consultation process ended, the Authorities submitted the updated proposed Joint Standard and related documents to Parliament for a period of least 30 days.