
How to navigate the new IT Governance and Cybersecurity Standards

Posted on 9 Jul 2024


Two recent joint standards will require financial institutions to sharpen their information technology (IT) risk management and cybersecurity risk policies. Here is a brief overview of the standards and how Masthead can assist FSPs in ensuring compliance and enhancing cybersecurity resilience.

Technological advancements have greatly benefited the financial services industry, enabling businesses to streamline processes and offer improved services to their clients. However, the increased use of technology has also made the industry more vulnerable to IT risk and cybercrime. In this rapidly changing environment, safeguarding IT systems and data has become essential to protect both businesses and their clients from cybercriminals.

To help combat increasing cyber threats, the Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) recently introduced two pivotal standards: the Joint Standard 1 of 2023 on IT Governance and Risk Management and the Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience Requirements. These standards set out the principles and minimum requirements that specified financial institutions must adhere to, aiming to reduce IT and cybersecurity risks.

Background on the standards

The Joint Standard on IT Governance and Risk Management was published in November 2023 and outlines the principles and minimum requirements for IT governance and risk management. It aims to ensure that financial institutions implement sound practices to reduce IT-related disruptions and breaches. It will be effective from 15 November 2024 and applies to Category II discretionary FSPs and administrative FSPs, among others.

The Joint Standard on Cybersecurity and Cyber Resilience Requirements was introduced in May 2024 and will take effect on 1 June 2025. It sets out the requirements for robust cybersecurity and cyber resilience practices, helping financial institutions withstand and recover from cyber incidents. This standard applies to Category II discretionary FSPs, Category I FSPs that provide investment fund administration services in relation to a collective investment scheme or hedge fund, administrative FSPs and OTC derivative providers, among others.

How will these requirements impact FSPs?

IT Governance and Risk Management: This standard outlines the principles and minimum requirements for IT governance and risk management that financial institutions must adhere to. This includes establishing a robust IT risk management framework, protecting sensitive information and ensuring compliance with mandatory disclosures.

Crucially, it expects financial institutions to implement IT controls that align with their specific risks, taking into consideration the institution’s nature, size and complexity. In other words, financial institutions can’t simply adopt a generic IT governance and risk management template; the framework needs to address the specific risks associated with the institution. More complex institutions, for example, will need to go beyond the standard’s minimum requirements to ensure risks are properly identified, assessed and managed.

Cybersecurity and Cyber Resilience: Similar to the IT Joint Standard, this standard sets out the minimum requirements for a cybersecurity strategy but requires financial institutions to tailor it to their nature, size, complexity and risk profile. The standard expects financial institutions to implement sound practices and processes relating to cybersecurity and cyber resilience. Requirements include, amongst others:

  • The governing body is responsible for compliance and overseeing cyber risk management, including establishing a robust cybersecurity strategy with clearly defined roles. This strategy must be approved by the governing body, reviewed annually and aligned with the business strategy.
  • Institutions must incorporate cyber risk management into their overall governance structures and ensure independent oversight.
  • Other key requirements include identifying and protecting critical assets, maintaining effective detection and response capabilities, conducting regular training and testing, and ensuring continuous improvement.
  • Institutions must also report significant cyber incidents and comply with regulatory reporting requirements.

How FSPs can prepare for the new Joint Standards

FSPs should start reviewing their current IT management and cyber risk policies to prepare for the new standards set to take effect later this year and midway through next year.

In today’s environment, where cyberattacks are becoming increasingly common, having robust IT and cybersecurity frameworks will not only be a regulatory requirement but also sound business practice. Institutions hit by cyberattacks face both financial and reputational damage, potentially losing clients who feel inadequately protected. These frameworks also ensure compliance with other regulations, such as the Protection of Personal Information Act (POPIA).

How can Masthead help?

To assist FSPs in adopting these new regulations or reviewing their existing IT management and cybersecurity strategies, Masthead has developed an IT Risk Management and Cybersecurity Implementation Service. This service offers a streamlined approach to establishing a robust IT management and cybersecurity framework and related policies. Our Compliance Officers can guide institutions through the requirements and help document and implement necessary policies in conjunction with the FSP to ensure compliance.

While Masthead can support FSPs with compliance through gap analysis, readiness assessments, remedial guidance, frameworks and monitoring, it is not an IT risk management or cybersecurity provider. Financial institutions will need an appropriate provider to implement and oversee the actual processes and protocols documented in their IT Risk Management and Cybersecurity frameworks.

FSPs with existing providers should engage with them on the practical aspects of this project. For those without a partner, Masthead has collaborated with a third-party provider to offer cost-effective readiness assessments. These assessments will determine an institution’s readiness and maturity concerning the new standards and help plan a course of action toward compliance. For more detail, FSPs can contact their Masthead Compliance Officer.

Preparation is Key

The new Joint Standards on IT Governance and Risk Management and Cybersecurity and Cyber Resilience set a high bar for financial institutions. But help is available – Masthead’s IT Risk Management and Cybersecurity solution is designed to help FSPs meet these requirements, protecting their businesses and ensuring regulatory compliance.

To learn more about how Masthead can support your journey towards enhanced IT governance and cybersecurity resilience, contact your Compliance Officer or the regional office closest to you.
