Leon Greyling, Director at ICTS Legal Services
In the fast-evolving landscape of financial services, where digital threats loom larger than ever, one might expect consultants and advisors to rise to the occasion with vigour and enthusiasm. Yet, in South Africa, the rollout of Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience Requirements for Financial Institutions has revealed a troubling trend: a reluctance among retirement fund consultants to fully embrace this critical legislation. Instead of championing robust security measures for their clients’ benefit, many are opting for the bare minimum, citing perceived complexity and high costs. This minimalist approach not only undermines the spirit of the standard but also leaves retirement fund members vulnerable to escalating cyber risks – particularly in the era of the two-pot retirement system. Why this perceived laziness? What ever happened to the days of the consultant driving the discussion, sourcing solutions, questioning providers?
Joint Standard 2 of 2024, jointly issued by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA), marks a pivotal step in fortifying the financial sector against cyber threats. Effective from mid-2025 for most institutions, it mandates comprehensive governance frameworks, risk assessments, incident response plans, and resilience strategies for entities like banks, insurers, and retirement funds. The standard isn’t just a checklist; it’s a call to action for proactive cybersecurity management, recognising that financial institutions handle sensitive data and monies that cybercriminals increasingly target. With global cyber-attacks costing trillions annually, South Africa’s regulators aimed to elevate standards, ensuring institutions don’t just react to breaches but build enduring defences.
This urgency is amplified by the two-pot retirement system, introduced in September 2024 as part of pension reforms. While designed to provide financial flexibility amid economic pressures, it has inadvertently heightened cyber vulnerabilities. The system has resulted in a surge in transactions – with millions of withdrawal requests processed digitally – creating more entry points for hackers, phishing scams, and data breaches. Experts warn that the influx of funds moving through online portals makes retirement funds prime targets, with risks including identity theft, fraudulent claims, and ransomware attacks that could disrupt entire systems. In a two-pot environment, where transaction volumes could double or triple, the stakes are higher: a single breach might expose thousands of members’ personal and financial details, leading to long-term losses far exceeding compliance costs.
Yet, rather than viewing Joint Standard 2 as an opportunity to safeguard clients (as an opportunity to consult), many consultants are treating it as a burdensome obligation. Reports from the sector indicate a prevailing attitude of “minimal compliance” – implementing barely enough to claim compliance, often skimping on advanced tools like AI-driven threat detection or third-party audits due to fears of complexity and expense. This shortsightedness is perplexing. Consultants, traditionally the bridge between regulation and practical implementation, should be at the forefront of enthusiasm. Where are the days when advisors dove into new laws with zeal, turning potential hurdles into competitive advantages for themselves and value for their clients?
The failure here is multifaceted. By promoting bare-bones adherence, consultants risk leaving retirement funds underprepared for sophisticated threats. For instance, without robust resilience measures, a cyber-attack could halt withdrawals in the two-pot system, eroding member trust and triggering regulatory scrutiny. Costs are a valid concern – implementing the standard might require investments in training, software, and partnerships – but these pale compared to the fallout from a major incident, and free markets have now driven costs to more reasonable levels (after initial opportunism by some providers of services). The FSCA has emphasized that the standard is about building security, not just ticking boxes, yet inertia persists. This minimalism exposes members, many of whom are ordinary workers relying on these funds for their future, to unnecessary dangers in an already volatile digital world.
True consulting demands more. Advisors should actively seek innovative solutions, such as collaborating with cybersecurity firms to tailor cost-effective frameworks that exceed baseline requirements. They ought to explain the standard’s nuances to fund boards, demystifying terms like “cyber resilience” and illustrating real-world benefits through case studies. Coordination is key: negotiating with vendors for scalable tools, integrating them seamlessly into existing systems, fostering cross-industry knowledge sharing, and holding third-party providers accountable. Simply requesting a letter of “compliance” from third-party providers is hollow comfort and bereft of consulting. Rather than advocating for the minimum, consultants should champion a culture of excellence – conducting thorough risk assessments, validating responses, and embedding cybersecurity into the DNA of a retirement fund.
The rewards of this enthusiastic approach are clear. Funds that embrace Joint Standard 2 holistically will not only comply but thrive, through strong governance and disciplined execution. It could reduce long-term costs by preventing breaches and position South Africa’s financial sector as a global leader in cyber resilience. Consultants who lead this charge will build trust, differentiating themselves in a crowded market, and overcoming the malaise that has set in with more and more stand-alone retirement funds moving into umbrella funds.
On that note, the umbrella fund boards of trustees should be implementing extensive programs to protect their participating employers and members, and management committees should demand evidence thereof.
So, what’s happened to the days of enthusiastic consulting? Perhaps they’ve been overshadowed by complacency and commercial intent. But it’s not too late. As Joint Standard 2 takes full effect, advisors must rediscover their proactive roots. For the sake of retirement fund members navigating a riskier two-pot landscape, minimalism isn’t enough – it’s time to build the security our clients deserve, by assisting them – yes... by consulting!
Ed’s note: To inform your thinking on this, watch the ICTS Legal Services 2025 Evolutionary Award entry submission here