Addressing increased cybersecurity threats to financial institutions: The FSCA and Prudential Authority’s response
27 Feb 2024
by Ridwaan Boda, Kayla Casillo and Priyanka Naidoo
In recent years, South Africa has experienced an increase in cybercrimes, cyberattacks, and security breaches, with banks and financial institutions being prime targets. Reports have found that stolen or compromised credentials and phishing scams are the primary attack vectors used to perform cybercrimes. Consequently, there is an imminent need for the financial sector to reassess security strategies, safeguard financial data, increase cyber resilience, and manage and mitigate the potential risks associated with personal and confidential information.
In response to these potential threats to the financial sector, the Financial Sector Conduct Authority (“FSCA”) and the Prudential Authority (“PA”) published the Joint Standard 1 of 2023: Information Technology Governance and Risk Management Requirements for Financial Institution (“Joint Standard”). It aims to ensure that financial institutions, including insurers, have the necessary governance and risk management structures, as well as processes and procedures related to IT risk management, in place. Additionally, it ensures that financial institutions regularly conduct risk assessments, identify potential threats, and implement mitigation measures.
Following the newsflash that we published at the end of 2023, we have been inundated with queries from organisations regarding the Joint Standard and have put together a comprehensive Q&A below.
To whom does the Joint Standard apply?
The Joint Standard will apply to your organisation if it constitutes any of the following:
- a bank, a branch, a branch of a bank or a bank controlling company defined in Section 1 of the Banks Act, 1990;
- a mutual bank as defined in section 1 of the Mutual Banks Act, 1993;
- an insurer and a controlling company of an insurer as defined in Section 1 of the Insurance Act, 2017;
- a manager as defined in Section 1 of the Collective Investment Scheme Control Act, 2002;
- a market infrastructure as defined in Section 1 of the Financial Markets Act, 2012;
- a discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003; and
- an administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003.
Is the Joint Standard already effective?
No. The Joint Standard commences on 15 November 2024, giving financial institutions sufficient time to ensure that they are compliant.
Who is responsible for ensuring that my organisation complies with the Joint Standard?
The governing body (as defined in the Financial Sector Regulation Act, 2017) of the financial institution is ultimately responsible for ensuring that the requirements of the Joint Standard are continuously met. The “governing body” is the board of directors of the organisation.
What does my organisation need to do to become compliant with the Joint Standard?
The Joint Standard focuses on various areas of compliance, specifically:
- IT strategy
- IT risk management
- IT operations
- Handling of sensitive or confidential information
- Risks associated with financial products / services
- IT programme and/or project management
- IT resilience and business continuity
The Joint Standard prescribes governance, documents, processes and policies that need to be implemented in each of these areas.
The minimum requirements and principles set out in this Joint Standard are for the sound practices and processes of IT governance and risk management and must be implemented to reflect the nature, size, complexity and risk profile of the relevant organisation.
What is the penalty for non-compliance with the Joint Standard?
The Joint Standard does not specify any separate penalties for non-compliance with its requirements. The Authorities may, through ongoing supervisory review and evaluation processes, request specific information or regulatory reports as well as assurance in terms of compliance with the Joint Standard. The Authorities’ powers are quite wide under the respective financial sector laws, and non-compliance may depend on the financial sector law in terms of which the relevant financial institution is licensed or registered.
Who is the regulatory authority overseeing compliance with the Joint Standard?
Both the FSCA and the PA.
My organisation already has IT governance and policies. Do we still need to comply with the Joint Standard?
Yes. The Joint Standard is quite prescriptive on what governance, documents, policies and processes need to be implemented. To the extent that your organisation has these in place already, it is a great start to ensuring compliance with the Joint Standard and your organisation will likely need to align such documents with the requirements of the Joint Standard. This may mean updating or supplementing existing processes and policies, and/or implementing new processes and policies.
Are any organisations exempt from complying with the Joint Standard?
No, unless directed otherwise by the FSCA and the PA.
Who do I need to consult with to ensure my organisation is compliant with the Joint Standard?
- Your board of directors is ultimately accountable for ensuring that the organisation complies with the Joint Standard. Your board should therefore be made aware of, and even trained on, the Joint Standard and all the relevant documents and processes that you have in place to be compliant.
- Your legal team both internally and externally should work with your IT team to devise a gap analysis and compliance programme and implement any remediations identified to ensure compliance by 15 November 2024.
Considering the amount of time and effort required in ensuring compliance with the Joint Standard, it is recommended that financial institutions prioritise their Joint Standard compliance journey sooner rather than later. ENS’ TMT team has established a Joint Standard offering to guide financial institutions through each requirement in order to be compliant.
Our offering includes:
- Introductory and awareness training for IT teams and stakeholders;
- A risk assessment, policy and financial product gap analysis;
- Preparation of the relevant documents (can be packaged into toolkits to ease implementation);
- A hotline for security breaches notifiable under the Joint Standard;
- Amendment of existing documents; and
- Workshops and staff training on behalf of the financial institution in respect of the requirements of the Joint Standard.
Given that the Joint Standard has expanded the duties and accountability of the board of directors, this offering extends to board empowerment and support. This includes training for the board on the Joint Standard, consultation on the impact of the Joint Standard on existing roles and responsibilities, and guidance on establishing separate board committees to implement the governance requirements from the Joint Standard.
For more information, please contact one of our TMT experts.
Ridwaan Boda
Executive | Technology, Media and Telecommunications
rboda@ENSfrica.com
Kayla Casillo
Senior Associate | Technology, Media and Telecommunications
kcasillo@ENSafrica.com
Priyanka Naidoo
Senior Associate | Technology, Media and Telecommunications
pnaidoo@ENSafrica.com