On the 4th of December, the FSCA and Prudential Authority published FSCA Communication 34 of 2023 and the final draft Joint Standard on Cybersecurity and Cyber Resilience Requirements. The Joint Standard outlines the principles for cyber security and cyber resilience for certain categories of financial services providers. The final draft was revised in line with the comments received from the public consultation process and was submitted to Parliament for final approval on 30 November 2023.
The financial industry is exposed to cyber-attacks such as phishing, malware, and insider threats. The proposed Joint Standard aims to ensure that FSPs implement the controls and processes financial institutions need to mitigate these risks.
The Joint Standard applies to financial institutions as defined. The definition of a financial institution in the Joint Standard was crafted to include entities that, due to their role within the financial ecosystem, are highly vulnerable to cyber threats. The Joint Standard applies to a discretionary FSP, a Category I FSP that provides investment fund administration services in relation to a collective investment scheme or hedge fund, an administrative FSP and OTC derivative providers, amongst others.
Here are some of the requirements financial institutions would need to comply with:
- Financial institutions must establish a sound and robust process for managing cyber risks;
- Financial institutions must promote the adoption of cybersecurity fundamentals and hygiene practices to preserve the confidentiality, integrity and availability of data and IT systems;
- Financial institutions must ensure that they can undertake systematic testing and assurance regarding the effectiveness of their security controls;
- Financial institutions must ensure, through the establishment and maintenance of cyber resilience capability, that they are adequately prepared to deal with cyber threats; and
- Financial institutions must notify the Authorities of material cyber incidents.
In terms of the Joint Standard, FSPs are obligated to enhance their ability to protect against cyber threats and to safeguard sensitive client information. The proposed effective date is 12 months after the publication date.