From CompliNEWS | Financial Service Intelligence Watch
Joint Standard on Cybersecurity and Cyber Resilience Requirements for financial institutions, guidance note
Compli-Serve
The Financial Sector Conduct Authority (FSCA) and the South African Reserve Bank (SARB) have introduced the Joint Standard on Cybersecurity and Cyber Resilience Requirements, requiring financial institutions to achieve compliance by 1 June 2025. This new standard is crucial for ensuring that financial institutions adopt robust cybersecurity measures to protect against evolving threats. Non-compliance could lead to significant regulatory fines and damage to reputations.
The Joint Standard is a comprehensive set of requirements aimed at strengthening the cybersecurity frameworks of financial institutions. It emphasises the importance of proactive risk management, continuous monitoring, and rapid response mechanisms. By integrating international best practices with local regulatory requirements, the standard aims to ensure that South African financial institutions are well-prepared to tackle cybersecurity challenges.
Key highlights of the Joint Standard include the implementation of a cyber risk governance and management framework to identify, assess, and mitigate cyber risks. It also covers cyber threat intelligence management, emphasising the collection and use of cyber threat intelligence to enhance organisational resilience. Other critical aspects include breach readiness, ensuring effective threat detection and response, employee training and awareness to bolster readiness against cyber threats, and controls assurance through regular exercises to validate the effectiveness of cybersecurity controls.
The Joint Standard on Cybersecurity and Cyber Resilience Requirements applies to a wide range of financial institutions, including banks and mutual banks, insurers, and market infrastructures such as licensed stock exchanges, central securities depositories, clearing houses, and trade repositories. It also covers discretionary Financial Service Providers (FSPs), Category I FSPs offering investment fund administration services, and administrative FSPs.
Compli-Serve Guidance on the Standard
Governance and Oversight
Governance Structure
- How is cybersecurity governance structured at the FSP?
- Who in the senior management team is responsible for overseeing cybersecurity and cyber resilience?
- Are there dedicated committees or roles specifically for cybersecurity oversight?
Strategy and Framework
- What is the current cybersecurity strategy, and how is it aligned with the overall business strategy?
- How often is the cybersecurity strategy reviewed and updated?
Roles and Responsibilities
- Are the roles and responsibilities related to cybersecurity clearly defined within the organisation?
- How is the enforcement of cybersecurity policies ensured across the organisation?
Risk Management and Controls
Risk Assessment and Management
- How does the FSP identify and assess cybersecurity risks?
- What processes are in place to ensure risks are managed and mitigated appropriately?
- How often are risk assessments conducted?
Security Controls
- What cybersecurity controls are currently in place?
- How are these controls monitored and tested for effectiveness?
- What measures are in place for data protection, access management, and network security?
Incident Response
- Does the FSP have a cyber incident response and management plan?
- How often are incident response plans tested through simulation exercises?
- What is the procedure for reporting material cyber incidents to the authorities?
Policies and Procedures
Policy Framework
- What cybersecurity policies, standards, and procedures are currently in place?
- How are these policies aligned with industry standards and best practices?
- How often are policies reviewed and updated?
Third-Party Management
- How does the FSP ensure that third-party service providers comply with cybersecurity standards?
- Are there agreements in place for the secure return or transfer of data with third parties?
Training and Awareness
Training Programmes
- What cybersecurity awareness and training programmes are in place?
- How frequently are training sessions conducted and updated?
Senior Management and Board Training
- How is the governing body educated about cyber risks and management practices?
Technical Controls and Practices
Identity and Access Management
- What identity and access management mechanisms are in place?
- How is multi-factor authentication implemented and enforced?
Data Security
- What measures are in place for data encryption, data loss prevention, and securing sensitive information?
Network and Application Security
- How is the network perimeter secured?
- What processes are in place for application security testing and secure coding practices?
Monitoring and Detection
- How does the FSP monitor for cyber threats and vulnerabilities?
- What tools and processes are used for continuous monitoring and detection?
Compliance and Reporting
Regulatory Compliance
- How does the FSP ensure compliance with the Joint Standard and other relevant regulations?
- What processes are in place for reporting to the authorities?