From CompliNEWS | Financial Service Intelligence Watch

Joint Standard on Cybersecurity and Cyber Resilience, all documents

The rise of the digital era, ushered in by the Fourth Industrial Revolution (4IR), has revolutionised how financial institutions interact with their clients through the deployment of advanced technology and online systems. While these technological advancements have brought numerous benefits, they have also expanded the threat landscape. The frequency and sophistication of cyberattacks have increased significantly, posing a major challenge for institutions worldwide. The financial sector, in particular, has become a prime target for these attacks.

In response to the growing threat landscape, cybersecurity risk has garnered significant attention from both the financial sector and regulatory bodies. The Prudential Authority and the Financial Sector Conduct Authority (collectively referred to as the Authorities) have recognised the need for a robust regulatory framework to manage cyber risks. To address this need, the Authorities have published the Joint Standard on Cybersecurity and Cyber Resilience (Joint Standard).

The Joint Standard outlines the requirements for sound cybersecurity and cyber resilience practices and processes for financial institutions. It aims to provide a comprehensive regulatory framework that addresses both prudential and conduct aspects of cyber risk management. The Joint Standard is scheduled to take effect on 1 June 2025. However, the Authorities strongly encourage the industry to begin preparations for its implementation well in advance.

Documents published with the Joint Standard:

  • The Joint Standard in full
  • Consultant report
  • Statement of Needs

The Joint Standard requires financial institutions to:

  • Mitigate and address any risks related to cybersecurity and cyber resilience arising from juristic persons under a bank, insurer, or insurance group when applying the requirements of the Joint Standard.
  • Notify the responsible authority of cyber incidents or information security compromises classified as material incidents. The specific format and manner for reporting these incidents are yet to be determined.
  • Establish and maintain a regularly reviewed cybersecurity strategy to manage cyber risks and respond to changes in the cyber threat landscape.
  • Identify business processes and information assets that support business operations and service delivery. Conduct risk assessments on critical operations and information assets and maintain an inventory of all information assets. Implement appropriate and effective cybersecurity practices to mitigate the impact of potential cyber incidents.
  • Ensure that access to information is restricted to authorised users and devices only. Develop data loss prevention policies and measures to detect and prevent unauthorised use of sensitive data and information. Implement a cybersecurity awareness programme to maintain high awareness levels among all users.
  • Maintain effective cyber resilience capabilities to monitor, detect, respond to, and recover from cyberattacks on IT systems. Establish a data backup strategy to ensure that sensitive information stored in backup media is secured.
  • Regularly test all elements of cyber resilience capacity and security controls to assess vulnerabilities and determine overall effectiveness.
  • Establish a regularly reviewed access control policy and process to enforce strong password security controls for users accessing IT systems and information assets. Secure administrative accounts and grant privileged access only when necessary.
  • Implement multi-factor authentication for all users accessing critical system functions, including accounts used to access applications containing sensitive information. Protect the network from unauthorised access and disruption by implementing security controls at the network perimeter.
  • Test and apply security patches to address vulnerabilities in IT assets. Maintain written security standards for hardware and software configurations to minimise exposure to cyber threats. Implement endpoint protection to prevent malware infection.