In December 2021, The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the draft Joint Standard: Cybersecurity and Cyber Resilience Requirements for Financial Institutions (Joint Standard) for consultation. The deadline for submitting comments on the draft Joint Standard closed on 15 February 2022.
The Joint Standard sets out the minimum standards for financial institutions to implement best practices and processes to identify and guard against risks relating to cybersecurity and cyber resilience.
The FSCA and PA (Authorities) explained that they would review any submissions they receive from the public and would thereafter release a revised draft Joint Standard for comment for a period of six weeks.
In December 2022, the Authorities released a statement on their proposed revisions to the Joint Standard for a second round of comments. Interested parties can submit their comments on the documents to the Authorities by 28 February 2023. Thereafter, the Authorities will consider any further comments they receive. Once this consultation process ends, the Authorities will, if they decide to move forward with it, submit the updated proposed Joint Standard and related documents to Parliament for a period of at least 30 days.
Note: The Authorities may publish the draft Joint Standard for a third round of public comment if, during the second round of consultations, they receive further comments that materially impact the Joint Standard. The consultation process will end on 28 February 2023.
We will update this summary as soon as the revised Joint Standard is published.
The Joint Standard also seeks to ensure that any financial institution that falls prey to a cyber-attack can recover from it.
- A bank, a branch, a branch of a bank and a controlling company as respectively defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990);
- A mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993);
- An insurer and a controlling company as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017);
- A manager as defined in section 1 of the Collective Investment Scheme Control Act, 2002 (Act No. 45 of 2002);
- A market infrastructure as defined in section 1 of the Financial Markets Act 2012 (Act No. 19 of 2012);
- A discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 (Category II);
- An administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 (Category III);
- A pension fund registered under the Pension Funds Act, 1956 (Act No. 24 of 1956);
- An OTC derivative provider as defined in the Financial Markets Act Regulations; and
- Registered credit rating agencies.
- metrics to gather information that enables reporting at both a technical and executive-level across all aspects of its cyber risk management implementation programme;
- a cybersecurity framework that demonstrates how a financial institution will identify cyber risks and determine the controls required to keep those risks within acceptable limits; and
- appropriate and effective cyber resilience capabilities and cybersecurity practices to prevent, limit or contain the impact of a potential cyber event.
- establish a process to conduct regular vulnerability assessments (scans) on its IT systems to identify security vulnerabilities and ensure that risks arising from these vulnerabilities are addressed in a timely manner; and
- ensure that the frequency of vulnerability assessments (scans) is commensurate with the criticality of the IT system and the security risk to which it is exposed.
- review its network architecture, including the network security design, as well as its systems and network interconnections, on a periodic basis to identify potential vulnerabilities; and
- implement network access controls to detect and prevent unauthorised devices from connecting to its network. Network access control rules in network devices must be reviewed on a regular basis to ensure they are kept up to date.
It is worth noting that in the future, the FSCA and the PA will review and assess the adequacy of financial institutions’ policies, processes, and practices related to cybersecurity and cyber resilience as part of their supervisory programs.
In the proposed revision of the Joint Standard, the Authorities have said that they have provided for a 12-month transitional period once the final Joint Standard is published. This will allow businesses sufficient time to enhance their security controls and address any gaps to comply with the Joint Standard.
- conduct regular vulnerability assessments (scans) on its IT systems to:
- identify security vulnerabilities;
- ensure risks arising from these vulnerabilities are addressed in a timely manner; and
- conduct ad hoc vulnerability assessments that match its risk profile and requirements.
- comply with the Joint Standard as it will help them demonstrate cyber resilience.
- comply with several of their obligations under the Joint Standard like:
- gathering information that enables reporting;
- identifying cyber risks and determining the controls required to mitigate those risks.
- comply with the Joint Standard by demonstrating cyber resilience.
- comply with several of their obligations under the Joint Standard like:
- gathering information that enables reporting;
- identifying cyber risks and determining the controls required to guard against those risks.
- The Authorities’ statement of 22 December 2022 regarding the proposed revisions to the draft Joint Standard and accompanying documents (click on “Joint Standard – Cybersecurity and cyber resilience” to download the relevant documents)
- Link to download of Draft Joint Standard released on 15 December 2021 from South African Reserve Bank
- Link to the Financial Sector Conduct Authority (FSCA)