The FSCA and the Prudential Authority (the Authorities) have published a revised version of the draft Joint Standard on cybersecurity and cyber resilience requirements for financial institutions for public comment. The first version was published in December 2021.
The Need for a Cybersecurity and Cyber Resilience regulatory framework
The Authorities confirmed that South Africa has seen a rising number of cyber incidents. Recent incidents have affected a range of providers, including fund investment administrators, market infrastructures, insurers and banks. Although the impact cannot be quantified precisely, the “cost factor” is extensive: affected institutions were unable to timeously price assets, provide fund valuations and effect settlements. The interconnectedness of the South African financial ecosystem, and the knock-on impact on the various sectors within the value chain, therefore strengthens the case for this Joint Standard.
There is a need for the Authorities to provide an appropriate and comprehensive regulatory framework for managing cyber risks from both a prudential and conduct perspective. It is against this background that the proposed Joint Standard on cybersecurity and cyber resilience requirements has been drafted and is being released for consultation with the industry.
The draft Joint Standard
The draft Joint Standard sets out the requirements for sound practices and processes of cybersecurity and cyber resilience for financial institutions.
At a high level, the proposed Joint Standard seeks to:
- ensure that financial institutions establish sound and robust processes for managing cyber risks;
- promote the adoption of cybersecurity fundamentals and hygiene practices to preserve confidentiality, integrity and availability of data and IT systems;
- ensure that financial institutions undertake systematic testing and assurance regarding the effectiveness of their security controls;
- ensure that financial institutions establish and maintain cyber resilience capability, to be adequately prepared to deal with cyber threats; and
- provide for notification by the regulated entities of material cyber incidents to the Authorities.
The proposed Joint Standard will apply to all:
- banks, branches of foreign institutions, branches of a bank and controlling companies, as respectively defined in section 1 of the Banks Act, 1990;
- mutual banks registered under the Mutual Banks Act, 1993;
- insurers and controlling companies as defined under the Insurance Act, 2017;
- market infrastructures licensed under the Financial Markets Act 2012;
- managers of collective investment schemes licensed under the Collective Investment Scheme Control Act, 2002;
- a discretionary FSP as defined in the Codes of Conduct for Administrative and Discretionary FSPs, 2003;
- a Category I FSP as contemplated in section 3(a) of the Determination of Fit and Proper Requirements for Financial Services Providers, 2017, that provides investment fund administration services;
- an administrative FSP as defined in the Codes of Conduct for Administrative and Discretionary FSPs, 2003;
- pension funds registered under the Pension Funds Act, 1956;
- an OTC derivative provider as defined in the Financial Markets Act Regulations;
- an administrator approved in terms of section 13B of the Pension Funds Act, 1956; and
- a registered credit rating agency as defined in section 1 of the Credit Rating Services Act, 2012.
Industry feedback
The first version of the draft Joint Standard was published in December 2021. Masthead, along with other industry stakeholders, provided comment. The Authorities have taken account of the submissions made and revised the draft Joint Standard for a second round of consultation.
One of the key concerns raised during the first consultation, particularly in relation to smaller entities, is the lack of resources and skills to implement the proposed Joint Standard. This also applies by extension to Category I FSPs, which were not included in the first draft.
According to the responses received, the Joint Standard sets a high baseline for smaller institutions, which on its own has cost and capacity implications, as smaller institutions would need to contract IT security firms or acquire IT infrastructure to comply with the Joint Standard. The Authorities acknowledge this concern and have sought to address it by providing that the minimum requirements and principles set out in the Joint Standard must be implemented in a proportional manner that reflects the nature, size, complexity and risk profile of the financial institution. In light of this, the expectation is that the costs incurred by smaller institutions will be commensurate with their size.
Written submissions on the revised draft Joint Standard must be sent via e-mail to FSCA.RFDStandards@fsca.co.za for the attention of Mr Andile Mjadu and PA-Standards@resbank.co.za for the attention of Ms Kalai Naidoo, on or before 28 February 2023.
Once finalised, the proposed Joint Standard is expected to result in sound practices and processes for cybersecurity and cyber resilience at financial institutions, and to improve outcomes for financial customers by reducing the impact of cyber-attacks and better protecting their personal information.
Click here to access the draft Joint Standard and related documents