LEGAL NOTE: August 2022

Draft Joint Standard on Cybersecurity and Cyber Resilience Requirements


The FSCA and the Prudential Authority (PA) (together, the Authorities) have published, for consultation, the draft Joint Standard entitled Cybersecurity and Cyber Resilience Requirements. The Joint Standard is issued by the Authorities in terms of their powers under the Financial Sector Regulation Act. A Joint Standard (once published and effective) is compulsory (law) and must be complied with by the persons to whom it applies.

The Authorities state that they are unable, at this stage, to ascertain the full extent of the expected impact of the draft Joint Standard on financial institutions. As part of the consultation process, the Authorities have solicited industry inputs on the expected impact of implementing the proposed Joint Standard.

The Joint Standard, and the joint communication about the draft Joint Standard issued by the Authorities, are available on their websites.

It is likely that there will be a second draft issued for another round of consultation.


What is the overall aim of the Joint Standard?


The aim of the Joint Standard is to ensure that financial institutions have adequate cybersecurity and cyber resilience practices.

The communication about the Joint Standard provides that: “The draft Joint Standard seeks to ensure that these financial institutions implement processes and have tools and technology which will prepare them for cyber-attacks as well as respond to and recover from such attacks”.


To which financial institutions will the Joint Standard apply?


The Joint Standard will apply to the following financial institutions:

  • Retirement funds

  • Managers of collective investment schemes

  • Banks (and branches)

  • Branches of foreign institutions

  • Controlling companies

  • Mutual banks

  • Market infrastructure

  • Discretionary Financial Services Provider (FSP)

  • Administrative FSP

  • Insurers

  • Over-the-counter derivative providers


Who is responsible for ensuring compliance with the Joint Standard?


The governing body is ultimately responsible for ensuring that the financial institution complies with the requirements set out in the Joint Standard, and for the oversight of cyber risk management (although it may delegate primary oversight activities to a committee). The governing body of a retirement fund is its board.

The governing body together with senior management must, among other things, ensure that a sound and robust cybersecurity strategy and framework is established, implemented, and maintained.


Proportionality


The Joint Standard allows for a proportional application of the requirements, as they must be implemented commensurate with the risk appetite, nature, size, and complexity of a financial institution.


Cybersecurity strategy and framework


A financial institution must (among other things):

  • establish and maintain a cybersecurity strategy that is approved by the governing body;

  • establish a cybersecurity framework to manage cyber risks;

  • align its cybersecurity framework with its enterprise risk management framework;

  • establish cybersecurity policies, standards and procedures that are informed by industry standards and best practices to manage cyber risks and safeguard information assets;

  • annually define and quantify business risk tolerance relative to cybersecurity and ensure that it is consistent with the business strategy and risk appetite; and

  • establish metrics to gather information that enables reporting at both a technical and an executive level across all aspects of its cyber risk management implementation programme.


Regulatory reporting and notification


The Joint Standard includes requirements for financial institutions to notify the Authorities of a material system failure, malfunction, delay, disruptive event, or cyber incident within 24 hours of the event being classified as 'material'.


The Authorities may determine the regulatory reporting required by financial institutions in relation to requirements of the Joint Standard.
