The FSCA and the Prudential Authority (PA) have confirmed that the Joint Standard on cybersecurity and cyber resilience will commence on 1 June 2025.
In May, the Authorities published the final version of Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience. They said the Joint Standard was likely to commence in June next year.
The FSCA and the PA issued a Joint Notice last week confirming that the commencement date is 1 June 2025.
Financial institutions will be afforded 12 months from the commencement date to comply fully with the Joint Standard, according to the Consultation Report and communication published with the Joint Standard.
The Joint Standard itself does not provide for a transitional period, and last week’s Joint Communication and Joint Notice were silent on this matter.
Joint Standard 2 of 2024 sets comprehensive guidelines for specified financial institutions to manage and mitigate cybersecurity risks. The standard outlines the measures and best practices these financial institutions must adopt to ensure robust cybersecurity and resilience against cyber threats.
The Joint Standard applies to the following financial institutions:
- banks and mutual banks;
- insurers;
- market infrastructures – that is, a licensed stock exchange, central securities depository, clearing house, or trade repository;
- discretionary FSPs (as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs);
- Category I FSPs that provide investment fund administration services;
- administrative FSPs (as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs);
- retirement funds registered under the Pension Funds Act (PFA);
- over-the-counter derivative providers (as defined in the Financial Markets Act Regulations);
- administrators approved in terms of section 13B of the PFA; and
- registered credit rating agencies (as defined in section 1 of the Credit Rating Services Act).
The Joint Standard requires these financial institutions to:
- Establish and maintain a regularly reviewed cybersecurity strategy to manage cyber risks and address changes in the cyber threat landscape.
- Identify business processes and information assets that support the business and the delivery of services, conduct risk assessments on critical operations and information assets, and maintain an inventory of all their information assets.
- Implement appropriate and effective cybersecurity practices to prevent the impact of potential cyber incidents.
- Ensure that access to information is limited to authorised users and devices.
- Develop data-loss prevention policies and measures to prevent and detect the unauthorised use of sensitive data and information.
- Implement a cybersecurity awareness programme to maintain a high level of awareness among all users.
- Maintain effective cyber resilience capabilities to monitor, detect, respond to, and recover from cyberattacks.
- Establish a data backup strategy to ensure that any sensitive information stored in the backup media is secured.
- Regularly test all elements of their cyber resilience capacity and security controls to assess vulnerabilities and determine overall effectiveness.
- Establish a regularly reviewed access control policy and process to enforce strong password security controls for users to access IT systems and information assets.
- Secure administrative accounts and grant privileged access only when necessary.
- Implement multi-factor authentication for all users with access to critical system functions, including user accounts utilised to access applications containing sensitive information.
- Protect the network from unauthorised access and disruption through the implementation of security controls at the network perimeter.
- Test and apply security patches to address vulnerabilities in IT assets.
- Maintain written security standards for hardware and software configurations to minimise exposure to cyber threats.
- Implement endpoint protection to prevent malware infection.
- Notify the responsible authority of cyber incidents or information security compromises classified as material.
A tailored solution for your business
If you are looking for a solution that will ensure your business will comply with the Joint Standard, a good starting point is to watch Moonstone’s interviews with Justin Westcott, the chief technology officer of DataGr8, a leading cyber and data security company.
DataGr8 offers tailored solutions to help financial institutions comply with the cybersecurity and cyber resilience Joint Standard, as well as Joint Standard 1 of 2023: Information Technology Governance and Risk Management.
To watch the interviews, go to Moonstone Compliance’s website and click on Insights.