Defend Truth

SECURITY CRACKDOWN OP-ED

Joint Standard — tackling the rising tide of cybersecurity threats to financial institutions

Joint Standard — tackling the rising tide of cybersecurity threats to financial institutions
SA is facing a surge in cybercrimes targeting financial institutions, prompting the Financial Sector Conduct Authority and Prudential Authority to introduce the Joint Standard 1 of 2023. (Photo: Unsplash)

The Financial Sector Conduct Authority and the Prudential Authority have issued a Joint Standard which, among other things, ensures that financial institutions regularly conduct risk assessments, identify potential threats, and implement mitigation measures.

In recent years, South Africa has experienced an increase in cybercrimes, cyberattacks, and security breaches, with banks and financial institutions being prime targets. Stolen or compromised credentials and phishing scams are the primary attack vectors used to perform cybercrimes.

Consequently, there is an imminent need for the financial sector to reassess security strategies, safeguard financial data, increase cyber resilience and manage and mitigate the potential risks associated with personal and confidential information.

In response to these potential threats to the financial sector, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the “Joint Standard 1 of 2023: Information Technology Governance and Risk Management Requirements for Financial Institution”.

The Joint Standard aims to ensure that financial institutions, including insurers, have the necessary governance and risk management structures, as well as processes and procedures related to IT risk management in place. Additionally, it ensures that financial institutions regularly conduct risk assessments, identify potential threats, and implement mitigation measures.

Read more in Daily Maverick: Catastrophic global cyber event predicted as SA government faces increasing attacks — experts

We have been inundated with queries from organisations regarding the Joint Standard and have put together a comprehensive Q&A:

To whom does the Joint Standard apply?

The Joint Standard will apply to your organisation if it constitutes any of the following:

  • A bank, a branch, a branch of a bank or a bank controlling company defined in Section 1 of the Banks Act, 1990;
  • A mutual bank as defined in section 1 of the Mutual Banks Act, 1993;
  • An insurer and a controlling company of an insurer as defined in Section 1 of the Insurance Act, 2017;
  • A manager as defined in Section 1 of the Collective Investment Scheme Control Act, 2002;
  • A market infrastructure as defined in Section 1 of the Financial Markets Act, 2012;
  • A discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003; and/or
  • An administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003.

Is the Joint Standard already effective?

No.  The Joint Standard commences on 15 November 2024, giving financial institutions sufficient time to ensure that they are compliant.

Who is responsible for ensuring that my organisation complies with the Joint Standard?

The governing body (as defined in the Financial Sector Regulation Act, 2017) of the financial institution is ultimately responsible for ensuring that the requirements of the Joint Standard are continuously met. The “governing body” is the board of directors of the organisation.

What does my organisation need to do to become compliant with the Joint Standard?

The Joint Standard focuses on various areas of compliance, specifically:

  • IT strategy;
  • IT risk management;
  • IT operations;
  • Handling of sensitive or confidential information;
  • Risks associated with financial products/services;
  • IT programme and/or project management;
  • IT resilience and business continuity; and
  • The Joint Standard prescribes governance, documents, processes and policies that need to be implemented in each of these areas.

The minimum requirements and principles set out in this Joint Standard are for the sound practices and processes of IT governance and risk management and must be implemented to reflect the nature, size, complexity and risk profile of the relevant organisation.

What is the penalty for non-compliance with the Joint Standard?

The Joint Standard does not specify any separate penalties for non-compliance with its requirements.  The authorities may, through ongoing supervisory review and evaluation processes, request specific information or regulatory reports as well as assurance in terms of compliance with the Joint Standard. The authorities’ powers are quite wide under the respective financial sector laws, and non-compliance may depend on the financial sector law in terms of which the relevant financial institution is licensed or registered.

Who is the regulatory authority overseeing compliance with the Joint Standard?

Both the FSCA and the PA.

My organisation already has IT governance and policies. Do we still need to comply with the Joint Standard?

Yes. The Joint Standard is quite prescriptive on what governance, documents, policies and processes need to be implemented. To the extent that your organisation has these in place already, it is a great start to ensuring compliance with the Joint Standard and your organisation will likely need to align such documents with the requirements of the Joint Standard. This may mean updating or supplementing existing processes and policies, and/or implementing new processes and policies.

Are any organisations exempt from complying with the Joint Standard?

No, unless directed otherwise by the FSCA and the PA.

Who do I need to consult with to ensure my organisation is compliant with the Joint Standard?

Your board of directors is ultimately accountable for ensuring that the organisation complies with the Joint Standard. Your board should therefore be made aware and even trained on the Joint Standard and all the relevant documents and processes that you have in place to be compliant.

Your legal team both internally and externally should work with your IT team to devise a gap analysis and compliance programme and implement any remediations identified to ensure compliance by 15 November 2024.

Considering the amount of time and effort required to ensure compliance with the Joint Standard, it is recommended that financial institutions prioritise their Joint Standard compliance journey sooner rather than later. DM

Ridwaan Boda is Executive in the Technology, Media and Telecommunications Department of law firm ENSafrica. Kayla Casillo and Priyanka Naidoo are Senior Associates in the department.

Gallery

Comments - Please in order to comment.

Please peer review 3 community comments before your comment can be posted

X

This article is free to read.

Sign up for free or sign in to continue reading.

Unlike our competitors, we don’t force you to pay to read the news but we do need your email address to make your experience better.


Nearly there! Create a password to finish signing up with us:

Please enter your password or get a sign in link if you’ve forgotten

Open Sesame! Thanks for signing up.

We would like our readers to start paying for Daily Maverick...

…but we are not going to force you to. Over 10 million users come to us each month for the news. We have not put it behind a paywall because the truth should not be a luxury.

Instead we ask our readers who can afford to contribute, even a small amount each month, to do so.

If you appreciate it and want to see us keep going then please consider contributing whatever you can.

Support Daily Maverick→
Payment options

Become a Maverick Insider

This could have been a paywall

On another site this would have been a paywall. Maverick Insider keeps our content free for all.

Become an Insider
Elections24 Newsletter Banner

On May 29 2024, South Africans will make their mark in another way.

Get your exclusive, in-depth Election 2024 newsletter curated by Ferial Haffajee delivered straight to your inbox.