Joint Standard 2: Cyber Resilience

Joint Standard 2 cybersecurity requirements make cyber risk management, control testing, monitoring, incident response and resilience a formal expectation for specified South African financial institutions. From a cybersecurity perspective, this makes external vulnerability visibility, email domain trust, ongoing risk evidence and board-readable reporting important parts of a financial institution’s cyber resilience approach.

Act no: N/A

Type: Principle-based

Purpose: Establishes minimum cybersecurity and cyber resilience standards for financial institutions to safeguard IT systems, data, and services.

Financial Service Providers (FSPs), IT vendors servicing financial institutions.

• Board Accountability: Governing body must oversee cyber risk and approve cybersecurity strategies and frameworks [Clause 4.1, 4.2]
• Cybersecurity Strategy: Institutions must establish, maintain, and annually review a cybersecurity strategy aligned to business objectives [Clause 6.1.1–6.1.2]
• Access and Identity Management: Implement strict access controls and identity verification processes including strong authentication and remote access policies [Clause 7.2.2]
• Data Security Controls: Encrypt sensitive data, control endpoint access, and enforce secure data handling in both production and non-production environments [Clause 7.2.3]
• Incident Response and Recovery: Maintain tested plans for rapid response and recovery from cyber incidents, with defined RPO and RTO [Clause 7.4.1–7.5.1]
• Threat Intelligence Sharing: Participate in external cyber threat intelligence sharing and ensure internal monitoring systems are in place [Clause 7.6.2]
• Vulnerability and Penetration Testing: Regular vulnerability scans and penetration testing (black, grey, white box) on critical systems [Clause 7.7.2–7.7.3]
• Multi-Factor Authentication: Enforce MFA for critical systems, privileged accounts, and internet-facing applications [Clause 8.3.1]
• Malware and Patch Management: Proactively manage malware threats and apply patches in a timely and risk-based manner [Clause 8.5.1, 8.7.1]

Administrative penalties [Section 167 – Financial Sector Regulation Act]

N/A

Institutions may face regulatory interventions including supervisory reviews and enforceable undertakings [Section 134 – Financial Sector Regulation Act]

Customers are likely to lose faith in an FSP that has been exposed to security vulnerabilities or has failed to protect their data, leading to a decline in customer base and potential loss of revenue.

CyberProfiler: External Vulnerability Scan

Provides a safe, non-invasive external vulnerability scan of your public digital footprint, highlighting security weaknesses that may be visible to attackers.

• Vulnerability Assessment: Enables regular vulnerability identification aligned with the institution’s external exposure profile [Clause 7.7.2]
• Vulnerability and Patch Management: Identifies external vulnerabilities to inform patching and mitigation priorities [Clause 8.5.1]

Managed DMARC Protection

Supports DMARC implementation and monitoring to help reduce domain spoofing risk, improve outbound email trust, and move safely towards enforcement.

• Email System Authorisation: Ensures that only authorised email systems and domains are used for communication, reducing the risk of impersonation attacks [Clause 7.2.3(a)(v)]
• Internet Service Control: Helps detect and block unauthorised use of email-related internet services that could leak sensitive information [Clause 7.2.3(a)(vi)]

• South African Reserve Bank: Download the Joint Standard → South African Reserve Bank Prudential Authority
• FSCA: Financial Sector Conduct Authority (FSCA)
• Michalsons: Joint Standard on Cybersecurity and Cyber Resilience Requirements

(Links verified and active as of May 2025)

Where appropriate, we link to Michalsons’ expertly maintained legal resources and plain-language explanations. We gratefully acknowledge their role in making South African legislation more accessible and understandable.