A recent (1 June 2021) headline on a UK based website reports that there were 116 million records breached in the UK in May 2021. Although no formal figures are available for South Africa, the level of cyber attacks must be proportionally similar in this country.
One of the guest speakers at the September 2019 Moonstone Regulatory Update Conference was Justin Westcott from the Cyber Security Institute. He remarked that all businesses should consider the possibility of a cyber attack as a “when” not an “if” event.
Reporting Obligations
What are the obligations of financial services providers to report any cyber attack to the FSCA?
S 17(1)(c) of the FAIS Act, 2002 (FAIS) read with S 19(4) imposes an obligation on compliance officers and auditors to inform the Conduct Authority in writing of any irregularity or suspected irregularity in the conduct or the affairs of the financial services provider concerned of which the compliance officer and auditor became aware in performing their functions as such and which, in their opinion, is material.
The affairs of the FSP include the obligation imposed by S 8A(a) of FAIS which provides, inter alia, that a financial services provider must continue to comply with the Fit and Proper requirements as spelt out in detail in Board Notice 194 of 2017 (Determination of Fit and Proper Requirements for Financial Services Providers, 2017).
In particular, S 37(2)(iii) provides that the governance framework of an FSP must include effective and adequate systems of corporate governance, risk and internal controls, systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, including:
- electronic data security and internal and external cybersecurity;
- physical security of assets and records;
- system application testing;
- backup and disaster recovery plans and procedures for systems and electronic data
The required risk and internal controls must include systems and processes to ensure accurate, complete and timeous processing of data, reporting of information and the assurance of data integrity.
Other legislative obligations
There are also requirements imposed by the General Code of Conduct for Authorised Financial Services Providers and Representatives (Board Notice 80 of 2003 as amended). These include the requirements of S 3(2) in terms of which certain client records must be kept and providers are obliged to keep such client records and documentation safe from destruction.
Sections 11 and 12 make it obligatory, inter alia, for providers to have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions. In addition, providers must structure the internal control procedures concerned so as to provide reasonable assurance that the relevant business can be carried on in an orderly and efficient manner.
He who hesitates…
If a provider suffers a cyber attack and any of these requirements can be considered to have been compromised in a material manner, the matter must be reported to the Conduct Authority without delay.
In a recent meeting with senior officials of the FSCA, it was made clear – and emphatically so – that any data breach, any cyber attack or any malware detection that has a material impact on the affairs of the provider, must be reported to the FSCA immediately.
Such report or reports must disclose full details known at the time regarding the extent of the attack or breach, the remedial action that has and will be implemented and an assessment of the possible prejudice the attack or breach may have on other providers, product suppliers and representatives – but most importantly, the possible prejudice to clients. If necessary one or more follow-up reports can be submitted as and when appropriate.
It is suggested that providers notify the FSCA themselves and do not rely on reports by compliance officer or auditors. The reason for this is that the sooner the matter is reported to the FSCA, the sooner the FSCA may be able to provide support and guidance not otherwise available to providers. After all, the attack on one provider will certainly not be the first to come to the attention of the Authority and their experience in this regard may just be what is needed in the specific circumstances of the reported event.