Leon Greyling, Director at ICTS Legal Services
South African retirement funds largely outsource core operations – administration, investment management, actuarial services, and technology platforms – to third-party providers. These arrangements create material cyber risk because sensitive member data and critical processes often reside outside the fund’s direct control. Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience, effective 1 June 2025, imposes clear obligations on retirement funds (as financial institutions) to manage these risks proportionately.
The Standard requires regular vulnerability assessments and penetration testing of critical IT systems and information assets, with frequency and depth driven by risk profile. Critically, paragraph 7.7.1(b) explicitly contemplates reliance: where a fund’s systems or assets are managed by a third-party provider and the fund relies on that provider’s information security control testing, the fund “must be satisfied that the nature and frequency of testing … is commensurate” with the relevant risk factors. This clause signals that duplication of testing is not automatically required. The practical question for trustees and principal officers is therefore whether to commission independent penetration tests on providers or to rely on the providers’ own programmes – provided transparency is robust and non-evasive.
Independent penetration testing by the retirement fund
Conducting or commissioning its own tests gives the fund direct, unbiased visibility into the provider’s controls as they interact with the fund’s environment. Scope can be tailored to specific integration points, data flows, and member-data exposures that matter most to the fund. Findings carry greater weight for internal governance and regulatory scrutiny because they are generated under the fund’s mandate rather than the provider’s. This approach also demonstrates proactive oversight to the FSCA and Prudential Authority.
However, the drawbacks are significant. High-quality penetration testing is expensive; a single comprehensive engagement can easily exceed R150 000-R300 000 depending on scope and methodology. For funds with multiple material providers the costs multiply quickly and are ultimately borne by members. Logistical and contractual barriers are equally real: many providers operate multi-tenant or cloud environments and are reluctant to grant deep access to external testers appointed by multiple individual clients. Scoping, timing, and rules of engagement become complex, often resulting in superficial or delayed tests. Smaller funds (or their employee benefit advisors) rarely possess the in-house cyber expertise to define precise scopes or evaluate findings effectively. Finally, independent testing by every client creates inefficiency and potential inconsistency across the industry. For these reasons, surely the regulators did not intend to require independent testing by funds.
Reliance on provider-procured penetration testing
Relying on testing already performed by the provider (or its independent assessor) offers clear efficiency advantages. Large administrators and asset managers are typically themselves subject to Joint Standard 2 or equivalent regulatory expectations; they usually maintain mature, frequent testing programmes using accredited firms and a range of methodologies. A single high-quality programme can serve multiple clients without duplication. This model aligns directly with the risk-based language in paragraph 7.7.1(b) and avoids imposing unnecessary costs on retirement funds.
The principal risks are loss of independence and the potential for results to be confusing. A provider’s tester may face commercial pressure to minimise findings or to scope tests narrowly. Even more commonly, providers supply only high-level executive summaries or heavily redacted reports that omit medium-severity issues, detailed exploitation paths, or the adequacy of remediation. Without meaningful transparency, a fund cannot genuinely “satisfy itself” that the testing regime is commensurate with risk.
So….
The balanced, regulation-aligned path: reliance with non-evasive transparency
The more proportionate and sustainable approach for most retirement funds is structured reliance on provider-led penetration testing, reinforced by contractual and operational transparency requirements that are deliberately non-evasive. This model respects the intent of Joint Standard 2 while preserving the fund’s accountability.
In practice, funds should embed the following in service level agreements and ongoing oversight:
- Providers must engage reputable, independent assessors at a frequency and depth commensurate with the criticality of the services provided – typically at least annually for core administrative or investment platforms.
- Detailed reports (or a technical summary plus executive overview sufficient for risk assessment) must be delivered to the fund within a defined period after each test. These should include scope and methodology statements, all findings by severity, and clear remediation plans with owners and deadlines.
- The fund retains rights to request raw or additional findings, to comment on scoping for high-risk providers, and to receive progress updates on remediation. Where concerns arise, the fund should have the contractual ability to trigger supplementary testing or a joint exercise.
- Periodic assurance that the provider’s overall testing programme remains fit for purpose can be obtained through review of SOC 2 Type II reports, ISAE 3402 reports covering cyber controls, or targeted gap analyses commissioned by the fund every two to three years for material providers.
This framework enables the fund to document, for regulatory and board purposes, exactly how it satisfied the “commensurate” test in paragraph 7.7.1(b). It also encourages providers to treat transparency as a competitive strength rather than a burden.
Independent testing retains a role for high-risk providers or where previous findings have been unsatisfactory, but should very much be the exception, rather than the rule. For the majority of established relationships, well-governed reliance on provider-conducted penetration testing – backed by prompt, detailed, and non-evasive disclosure of results – delivers stronger, more sustainable cyber resilience at lower cost to members. It is the approach most consistent with both the letter and the spirit of Joint Standard 2 of 2024.
ENDS








