📋 Cybersecurity Relevance
Joint Standard 1 IT governance requirements place importance on effective IT risk management, oversight, asset protection, access controls, resilience and incident reporting. From a cybersecurity perspective, this makes external risk visibility, secure digital services, email domain trust and governance-friendly evidence important parts of a financial institution’s IT risk management approach.
🧾 Overview
Name: Joint Standard 1 of 2023 – IT Governance and Risk Management for Financial Institutions
Act no: N/A
Effective Date: 15 November 2024
Type: Principle-based
Regulator: Financial Sector Conduct Authority (FSCA) and Prudential Authority (South African Reserve Bank)
Purpose: Establishes principles and minimum requirements for effective IT governance and risk management within financial institutions.
Notes: Issued jointly by the FSCA and Prudential Authority under the Financial Sector Regulation Act 9 of 2017.
👥 Who Does This Affect?
Direct Applicability:
- a bank, a branch (commonly referred to as a ‘branch of a foreign institution’), a branch of a bank or a bank controlling company defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990);
- a mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993);
- an insurer and a controlling company of an insurer as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017);
- a manager as defined in section 1 of the Collective Investment Scheme Control Act, 2002 (Act No. 45 of 2002);
- a market infrastructure as defined in section 1 of the Financial Markets Act 2012 (Act No. 19 of 2012);
- a discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 [Explanatory note: (Category II)]; and
- an administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 [Explanatory note: (Category III)].
High Impact On:
Banks, Insurers, Investment Managers, Market Infrastructures, IT Service Providers for Financial Institutions.
📋 Key Requirements Relating to Cybersecurity
The key Joint Standard 1 IT governance requirements relate to the systems, controls and oversight financial institutions use to manage technology-related risk.
- IT Risk Framework: Institutions must establish, implement, and regularly review a comprehensive IT risk management framework [Clause 7].
- Asset Protection: IT assets must be identified, prioritised, and safeguarded from unauthorised access or misuse [Clause 7.3(e)].
- Threat & Vulnerability Analysis: Institutions must assess the likelihood and impact of IT threats and establish mitigation controls [Clause 7.3(f)].
- Access Controls: Logical access to sensitive systems and data must be tightly controlled, enforced, and monitored [Clause 10.2(a)].
- Incident Notification: Material IT incidents must be reported to the responsible authority within the defined timeframe [Clause 15.1].
- Business Continuity & Resilience: Institutions must define recovery priorities and maintain tested IT resilience plans [Clause 13.1].
- Confidentiality Protections: Sensitive or personal data must be processed per POPIA and safeguarded against loss or theft [Clause 10.2(e)].
- Online Services Risk: Financial institutions must evaluate and mitigate IT risks specific to internet-facing services [Clause 11.1].
⚠️ Consequences of Non-Compliance
Financial Penalties:
Administrative penalties imposed for contraventions of joint standards [Section 267 – Financial Sector Regulation Act].
Criminal Penalties:
N/A
Regulatory Consequences:
Potential licence revocation, directives, or other enforcement actions [Section 144 – Financial Sector Regulation Act].
Other Regulatory Actions:
Specific information or assurance may be requested by the FSCA or Prudential Authority [Clause 15.2].
Reputational Harm:
The loss of trust and damage to reputation can have long-term consequences for an FSP, including decreased customer loyalty, reduced business opportunities, and potentially higher costs associated with rebuilding trust.
✅ How ARMD.digital Supports Cybersecurity Compliance Efforts
Product:
What it does:
Provides a safe, non-invasive external vulnerability scan of your public digital footprint, highlighting security weaknesses that may be visible to attackers.
How it supports compliance:
- Threat & Vulnerability Analysis: Identifies current and emerging threats in external systems [Clause 7.3(f)]
- Online Services Risk: Assesses risks and security gaps in systems offering online financial services [Clause 11.1]
Product:
What it does:
Supports DMARC implementation and monitoring to help reduce domain spoofing risk, improve outbound email trust, and move safely towards enforcement.
How it supports compliance:
- Confidentiality Protections: Helps prevent data leaks and phishing attacks via email spoofing [Clause 10.2(e)]
- Access Controls: Aids in enforcing domain-level communication controls [Clause 10.2(a)]
📚 Additional Resources
- South African Reserve Bank (PA): Prudential Authority Publications
- Michalsons: Joint Standard Summary
(Links verified and active as of May 2025)
Where appropriate, we link to Michalsons’ expertly maintained legal resources and plain-language explanations. We gratefully acknowledge their role in making South African legislation more accessible and understandable.