Draft Joint Standard on Cybersecurity and Cyber Resilience Requirements
The FSCA and the Prudential Authority (PA) (Authorities) have published, for consultation, the draft Joint Standard entitled Cybersecurity and Cyber Resilience Requirements. The Joint Standard is issued by the Authorities in terms of their powers under the Financial Sector Regula on Act. A Joint Standard (once published and eﬀective) is compulsory (law) and must be complied with by the persons to whom it applies.
The authorities state that they are unable, at this stage, to ascertain the full extent of the expected impact of the draft Joint Standard on ﬁnancial institutions. As part of the consultation process, the Authorities have solicited industry inputs on the expected impact of implementing the proposed Joint Standard.
The Joint Standard, and the joint communication about the draft Joint Standard issued by the Authorities, is available on their websites.
It is likely that there will be a second draft issued for another round of consultation.
What is the overall aim of the Joint Standard?
The aim of the Joint Standard is to ensure that ﬁnancial institutions have adequate cybersecurity and cyber resilience practices
The communication about the Joint Standard provides that: “The draft Joint Standard seeks to ensure that these ﬁnancial institutions implement processes and have tools and technology which will prepare them for cyber-attacks as well as respond to and recover from such attacks”.
To which ﬁnancial institutions will the Joint Standard apply?
The Joint Standard will apply to the following ﬁnancial institutions:
Managers of collective investment schemes
Banks (and branches)
Branches of foreign institutions
Discretionary Financial Services Provider (FSP)
Over-the-counter derivative providers
Who is responsible to ensure compliance with the Joint Standard?
The governing body is ultimately responsible for ensuring that the ﬁnancial institution complies with the requirements set out in the Joint Standard and the oversight of cyber risk management (but may delegate primary oversight activities to a committee). The governing body of a retirement fund is its board.
The governing body together with senior management must, among other things, ensure that a sound and robust cybersecurity strategy and framework is established, implemented, and maintained.
The Joint Standard allow for a proportional application of the requirements as they must be implemented commensurate with the risk appetite, nature, size, and complexity of a ﬁnancial institution.
Cybersecurity strategy and framework
A ﬁnancial institution must (among other things)-
o establish and maintain a cybersecurity strategy that is approved by the governing body;
o establish a cybersecurity framework to manage cyber risks;
o align its cybersecurity framework with its enterprise risk management framework;
o establish cybersecurity policies, standards and procedures that are informed by industry standards and best practices to manage cyber risks and safeguard information assets;
o annually deﬁne and quantify business risk tolerance relative to cybersecurity and ensure that it's consistent with the business strategy and risk appetite; and
o establish metrics to gather information that enables reporting at both a technical and executive-level across all aspects of its cyber risk management implementation programme.
Regulatory reporting and notiﬁcation
The Joint Standard includes requirements for ﬁnancial institutions to notify the Authorities of material system failure, malfunction, delay, disruptive event, or cyber incident within 24 hours of the event being classiﬁed as 'material'.
The Authorities may determine the regulatory reporting required by ﬁnancial institutions in relation to requirements of the Joint Standard.