FSCA publishes final joint standard on cybersecurity and cyber resilience requirements for financial institutions
23 May, 2024

Lize de la Harpe – Senior Legal Advisor at Sanlam

 

 

The Financial Sector Conduct Authority (FSCA) in conjunction with the Prudential Authority (PA) on 16 May 2024 published Joint Standard 2 of 2024 titled “Cybersecurity and Cyber Resilience”. The joint standard applies to various financial institutions, including (but not limited to) banks, insurers, retirement funds (and fund administrators) and collective investment scheme managers. It sets out detailed requirements and principles for sound practices and processes relating to cybersecurity and cyber resilience.

 

 

Background

 

The PA has the mandate to promote and enhance the safety, and soundness of regulated financial institutions and market infrastructures. The FSCA has a responsibility to enhance and support the efficiency and integrity of financial markets as well as protect financial customers.

 

Both the PA and the FSCA (jointly referred to as Authorities) have a responsibility to assist the South African Reserve Bank (SARB) in maintaining financial stability. Section 107 of the Financial Sector Regulation Act, 2017 empowers the Authorities to make joint standards on any matter in respect of which either of them has the power to make a standard.

 

The rise of the digital era has transformed how financial institutions interact with their clients. While technological advancement has brought with it numerous benefits, the threat landscape has also evolved.

 

Cyber-attacks are often targeted at strategic industry sectors such as the financial sector. Cyber-attacks can pose a major impact on financial institutions, potentially compromising their sustainability. Due to the interconnectedness of the financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of that entity but other financial institutions as well, with potentially systemic consequences.

 

As such, cybersecurity risk has gained the necessary attention of the Authorities.

 

On 15 December 2021, a draft Joint Standard was released for public consultation. Comments were due on 15 February 2022. On 13 December 2022, the Authorities released a revised version of the draft Standard for public consultation with comments due on 28 February 2023.

 

The Joint Standard was submitted to Parliament on 30 November 2023, as required in terms of section 103(1) of the Financial Sector Regulation Act, which requires that, before a regulatory instrument can be issued, it must be submitted to Parliament for a period of at least 30 days while Parliament is in session.

 

The parliamentary period has now elapsed, and the final Joint Standard and accompanying documentation has accordingly been published.

 

 

The requirements

 

The Joint Standard aims to:

 

  1. ensure that financial institutions establish sound and robust processes for managing cyber risks;
  2. promote the adoption of cybersecurity fundamentals and hygiene practices to preserve confidentiality, integrity and availability of data and IT systems;
  3. ensure that financial institutions undertake systematic testing and assurance regarding the effectiveness of their security controls;
  4. ensure that financial institutions establish and maintain cyber resilience capability, to be adequately prepared to deal with cyber threats; and
  5. provide for notification by the regulated entities of material cyber incidents to the Authorities.

 

It sets out detailed principles that financial institutions must comply with, including but not limited to:

 

  1. establishing and maintaining a cybersecurity strategy that is aligned with its overall business strategy and reviewed at least annually;
  2. implementing cyber resilience capabilities and practices to prevent, limit and/or contain the impact of a potential cyber event or cyber incident;
  3. installing network security devices to secure the network;
  4. establishing a comprehensive cybersecurity awareness training programme;
  5. monitoring and detecting cyber events and cyber incidents;
  6. implementing an incident response and management plan;
  7. testing control effectiveness;
  8. conducting regular vulnerability assessments on its IT systems; and
  9. implementing malware protection.

 

It also includes a reporting requirement in terms whereof financial institutions are required to notify the responsible Authority of a material cyber incident or information security compromise.

 

 

Conclusion

 

The Joint Standard is envisaged to commence on 1 June 2025. Notwithstanding the fact that the Joint Standard will likely take effect after 12 months, the Authorities have urged the industry to start preparing for its implementation.

 

 

ENDS

 

 

 

Author

@Lize de la Harpe, Sanlam
+ posts
Share on Your Socials

You May Also Like…

Share

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!