The FSCA and the Prudential Authority (PA) have told financial institutions that the Joint Standard on cybersecurity and cyber resilience is likely to commence on 1 June 2025.
The Joint Standard sets comprehensive guidelines for specified financial institutions to manage and mitigate cybersecurity risks. The standard outlines the measures and best practices these financial institutions must adopt to ensure robust cybersecurity and resilience against cyber threats.
The Joint Standard applies to the following financial institutions:
- banks and mutual banks;
- insurers;
- market infrastructures – that is, a licensed stock exchange, central securities depository, clearing house, or trade repository;
- discretionary FSPs (as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs);
- Category I FSPs that provide investment fund administration services;
- administrative FSPs (as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs);
- retirement funds registered under the Pension Funds Act (PFA);
- over-the-counter derivative providers (as defined in the Financial Markets Act Regulations);
- administrators approved in terms of section 13B of the PFA; and
- registered credit rating agencies (as defined in section 1 of the Credit Rating Services Act).
The Authorities last week published the final version of Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience, which was tabled in Parliament on 30 November 2023.
In an accompanying communication, the FSCA and the PA said it is likely that financial institutions will be afforded 12 months from the commencement date to comply fully with the Joint Standard. Nevertheless, they urged the industry to prepare for its implementation. The Authorities will formally determine the effective date “in due course”.
Public consultation on the first version of the draft Joint Standard began in December 2021. The deadline to comment on the revised draft was 28 February last year.
Read: Small FSPs concerned about cost implications of proposed cybersecurity joint standard
The Consultation Report (June 2023) includes the Authorities’ responses to comments from industry stakeholders.
Here is a recap of the key requirements of the Joint Standard:
Oversight of cyber risk management
The Joint Standard provides that the governing bodies of financial institutions are ultimately responsible for oversight of cyber risk management. They may delegate primary oversight activities to an existing or a new committee.
Governing bodies must ensure that a sound and robust cybersecurity strategy and framework is established, implemented, and maintained.
They must ensure that the roles and responsibilities for security are clearly defined in the contracts or service level agreements with third-party service providers.
Cybersecurity strategy and framework
Financial institutions are required to review their cybersecurity strategy regularly, and at least annually, to address changes in the cyber threat landscape, allocate resources, identify and remediate gaps, and incorporate any lessons learnt during that period.
The cybersecurity framework must clearly articulate how a financial institution will identify cyber risks and determine the controls to keep those risks within acceptable limits.
Cybersecurity and cyber resilience fundamentals
A financial institution will be required to identify business processes and information assets that support business and delivery of services, including those managed by third-party service providers.
Appropriate and effective cyber resilience capabilities and cybersecurity practices must be implemented to prevent, limit and/or contain the impact of a potential cyber event or cyber incident.
A security-by-design approach must be implemented, which refers to building security in every phase of software development to minimise system vulnerabilities and reduce the attack surface.
A financial institution must instal network security devices to secure the network between the financial institution and the internet, as well as the connections with third-party service providers, and deploy network detection or prevention systems to detect and block any malicious traffic.
If a financial institution uses cryptography, it must establish cryptographic key management policies, standards, and procedures covering key generation, distribution, installation, renewal, revocation, recovery, and expiry.
Comprehensive cybersecurity awareness training programmes should be implemented to maintain a high level of awareness among all users in the financial institution.
Cybersecurity hygiene practices
Financial institutions will be required to establish a security access control policy, enforce strong password protocols, and ensure that multi-factor authentication is applied to users with access to critical system functions.
A financial institution must notify the responsible authority for the financial sector law in terms of which it is licensed or registered after classifying a cyber incident or an information security compromise as material.
A tailored solution for your business
If you are looking for a solution that will ensure your business will comply with the Joint Standard, a good starting point is to watch Moonstone’s interviews with Justin Westcott, the chief technology officer of DataGr8, a leading cyber and data security company.
DataGr8 offers tailored solutions to help financial institutions comply with the cybersecurity and cyber resilience Joint Standard, as well as Joint Standard 1 of 2023: Information Technology Governance and Risk Management.
To watch the interviews, go to Moonstone Compliance’s website and click on Insights.
Simple solution:
Send invoices for cyber losses to Zuckerberg, Gates and the other morons that provided us with these slow, weak and easily corruptible systems.
Why is it that we, the Financial Services Industry, have to fix other people’s problems?
Just remember with every app you get a free hacker.