With compliance to Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience set to take effect on 1 June, discussions are under way between the Prudential Authority (PA) and the Financial Sector Conduct Authority on how the Twin Peaks regulators will assess compliance.
Basani Mabaso, senior cybersecurity risk analyst at the PA, said that for the past three years, the Authority has issued an annual questionnaire to help financial institutions identify vulnerabilities.
“The questionnaires aligned to the standards, and it also helped us to actually measure compliance before we issued the standard,” said Mabaso. “We’re still going to use this as a mechanism going forward, but so far it is still a self-assessment. We will see how we can engage assurance providers to assist in validating those results.”
Mabaso played a key role in developing the Joint Standard, which was issued on 17 May last year. It complements Joint Standard 1 of 2023 on IT Governance and Risk Management, which took effect in November. Joint Standard 1 establishes governance and policy requirements, and Joint Standard 2 outlines the minimum technical controls to support them.
Financial institutions, including banks, insurers, stock exchanges, retirement funds, and investment fund administrators, have 12 months from 1 June to comply fully.
Speaking at the FSCA’s annual Industry Conference, Mabaso warned that digitalisation and technological innovation, while driving growth, also expose institutions to cyber threats.
“Cyberattacks can cause intolerable harm to our customers, or destroy the financial institution or its reputation, as well as disrupt the financial market, and that can also have an impact on financial stability,” she said.
She noted the need for robust security measures.
“Every institution must assume that attackers will eventually gain access to their network. This is because our traditional security measures are no longer enough to ensure adequate security due to the increasing threat industry.”
The regulatory focus, she explained, is shifting.
“It’s not a matter of ‘if’; it’s ‘when’. The question now is how quickly institutions can recover from incidents.”
Six pillars of cybersecurity
Joint Standard 2 outlines the requirements for sound cybersecurity practices, ensuring financial institutions are prepared for cyberattacks and equipped to respond and recover effectively.
The standard covers six key elements, starting with defining roles and responsibilities. This includes the role of the governing body and the responsibilities of those tasked with implementing cybersecurity strategies and frameworks within organisations.
Governance requirements are another critical aspect, underscoring the need for dedicated governance committees to oversee cybersecurity efforts.
The standard also establishes fundamental principles of cybersecurity and cyber resilience, along with essential hygiene practices to strengthen security measures.
“So, what we think is very important for each and every organisation to have in place, looking at user access management, managing privileged access, reviewing those on a regular basis, having defence in depth, as well as implementing your multi-factor authentication. So of course, for your critical systems as well,” said Mabaso.
The standard also mandates that regulated entities notify authorities of any material cyber incidents, reinforcing accountability and ensuring timely responses to threats.
Cybersecurity and cyber resilience fundamentals
Joint Standard 2 establishes seven key domains to bolster financial institutions’ defences against cyber threats.
The first domain, identification, requires institutions to classify and safeguard their most critical information assets.
“Some call that the crown jewels, and that, of course, includes information that will be managed by your third parties,” said Mabaso.
She recalled that in her “previous life” as a cybersecurity specialist overseeing cyber and information security risk at the South African Reserve Bank, she encountered organisations that would say, “We don’t have crown jewels or critical information; we have classified everything as important.”
“It’s not possible, because you need to have some form of a way to prioritise the mitigations of risk. Hence, the standard says that you need to identify risk and make sure that you put measures in place to protect those crown jewels, as well as critical services and assets.”
The protection domain ensures institutions implement adequate controls to safeguard the confidentiality, integrity, and availability of their information and services. The detection domain requires institutions to establish monitoring measures – covering people, processes, and technology – to identify anomalous activities.
“We’ve seen a number of organisations that would be hacked, say, for a number of years, and never know that they actually had [been]. So, if you don’t have these types of controls, how will you ever know that you are hacked?” Mabaso asked.
The response and recovery domain mandates institutions to develop and test incident response plans to ensure swift recovery.
“We expect institutions to implement capabilities to rapidly respond and recover from cyber incidents. That will entail making sure that you have your incident response plans in place. If anything were to happen, as quickly as possible, you need to be able to recover. Everybody needs to know what to do when something happens so that you can swiftly recover.”
The situational awareness domain focuses on threat intelligence and information-sharing. Mabaso noted it is critical for organisations to understand both their adversaries and themselves, because this knowledge helps in recognising the tactics and procedures attackers may use, allowing institutions to implement the appropriate controls to mitigate those threats.
“We encourage institutions to have a good understanding of their threat landscape, as well as the impact to their business, and actively participate in threat intelligence information-sharing arrangements with trusted parties.”
Institutions must also test the effectiveness of their controls.
“You need to know that your controls work as intended. This will include testing, such as your penetration testing, assessing vulnerabilities, and making sure that the findings are remediated in a timely manner.”
The final domain, learning and evolving, ensures institutions continuously refine their cybersecurity strategies.
“You can’t have the same incident happening and recurring over and over. You need to learn from that. Institutions must put proactive, not reactive, measures [in place] in terms of risk management strategies.”
Resilience is key
Cyberattacks are not a question of if, but when, and financial institutions must prioritise resilience to protect themselves, their customers, and the broader industry, warns Mabaso.
“We all know that no organisation is immune to that. The most important thing is being resilient,” Mabaso said.
Mabaso explained that the standard sets out requirements for financial institutions to identify important business services by assessing how disruptions could affect their customers, the industry, and the broader financial system.
She said financial institutions must proactively assess their vulnerabilities and invest in security measures to ensure operational continuity in the face of disruptions.
“It is prudent that our supervised entities understand their vulnerabilities, invest in protecting those, and protecting themselves and their customers, [so that] the market will retain continuity in case of operational disruption,” she said.
Mabaso noted that cyber resilience cannot be achieved in isolation. Information sharing plays a critical role in strengthening industry-wide security by enabling regulators and stakeholders to collaborate on incident response and situational awareness.
She pointed to the importance of participation in cybersecurity collaboration forums such as the Cyber Co-ordination Task Force, the Association for Savings and Investment South Africa, the South African Insurance Association, and the Banking Association South Africa.
To improve industry-wide situational awareness, Joint Standard 2 requires financial institutions to notify regulators – the PA or the FSCA – of material cyber incidents.
“We said in a manner that has been determined by the authorities. Some might have seen the template that we’ve issued, which states that within 24 hours of classifying that incident, institutions are expected to report those incidents.”
This information, she said, is essential for tracking cyber threats across the sector.
“The information is crucial because it assists us to create trends of the sector, as well as trends for the industry. And we’ve been notified that that information is very crucial by the different industries – we are expected to share with them, to provide a feedback loop for those entities.”
A tailored solution for your business
If you are looking for a solution that will ensure your business will comply with the Joint Standard, a good starting point is to watch Moonstone’s interviews with Justin Westcott, the chief technology officer of DataGr8, a leading cyber and data security company.
DataGr8 offers tailored solutions to help financial institutions comply with the cybersecurity and cyber resilience Joint Standard, as well as Joint Standard 1 of 2023: Information Technology Governance and Risk Management.
To watch the interviews, go to Moonstone Compliance’s website and click on Insights.