From CompliNEWS | Financial Service Intelligence Watch
South Africa bolsters cybersecurity/IT governance in financial sector with new Joint Standard
In light of escalating cybercrimes, including phishing scams and security breaches targeting banks and financial institutions, South Africa is taking significant steps to enhance cyber resilience within its financial sector. The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) have introduced Joint Standard 1 of 2023: Information Technology Governance and Risk Management Requirements for Financial Institutions. ENS reports on the Lexology site that this initiative is poised to fortify governance, risk management structures, and IT management protocols among financial entities, ensuring a proactive stance against cyber threats.
Who Needs to Comply?
The Joint Standard targets a broad spectrum of financial entities, including banks, mutual banks, insurers, managers within the Collective Investment Scheme, market infrastructures, and both discretionary and administrative Financial Service Providers (FSPs).
Implementation Timeline
Financial institutions have a grace period until 15 November 2024 to align their operations with the Joint Standard’s mandates, ensuring ample time for compliance.
Compliance Accountability
The onus of compliance lies with the governing body of each financial institution, primarily the board of directors, underscoring the importance of leadership in cybersecurity governance.
Compliance Requirements
To meet the Joint Standard, institutions need to establish and refine IT strategies, risk management protocols, operations, and policies concerning sensitive information and IT resilience. The scope of compliance is comprehensive, reflecting the institution’s size, complexity, and inherent risks.
Non-compliance Repercussions
While the Joint Standard itself does not enumerate penalties for non-compliance, the supervisory authorities wield extensive powers to enforce compliance through regulatory review processes and evaluations.
Mandatory Compliance for All
No exemptions are provided under the Joint Standard, emphasising its universal applicability across the financial sector, with the FSCA and the PA overseeing adherence.
Ensuring Compliance
Institutions are advised to engage their boards and legal teams in a collaborative effort to conduct gap analyses and develop a compliance roadmap well ahead of the November 2024 deadline.
ENS’ Technology, Media, and Telecommunications (TMT) team offers a comprehensive compliance package, including training, risk assessments, document preparation, and board empowerment programs, tailored to navigate the intricacies of the Joint Standard.
As cyber threats evolve, the Joint Standard represents a critical step towards safeguarding South Africa’s financial sector, reinforcing the nation’s commitment to cybersecurity and the protection of personal and financial data.