Financial regulators propose joint standard on minimum requirements for cybersecurity and cyber resilience

On 15 December 2021, the Prudential Authority (PA) and Financial Sector Conduct Authority (FSCA) jointly published a proposed Joint Standard titled “Cybersecurity and Cyber Resilience Requirements” in terms of section 107 and 108(1) of the Financial Sector Regulation Act, 9 of 2017.

The objective of the Draft Joint Standard is to ensure that financial institutions have adequate cybersecurity and cyber resilience practices and processes. We enclose a copy of the Draft Joint Standard here.

It is proposed that the Draft Joint Standard will apply to the following financial institutions:

1. banks, branches of foreign institutions, branches of a bank and controlling companies as respectively defined in section 1 of the Banks Act 94 of 1990;
2. mutual banks registered under the Mutual Banks Act 24 of 1993;
3. insurers and controlling companies as defined under the Insurance Act 18 of 2017;
4. a market infrastructure as defined in the Financial Markets Act 19 of 2012;
5. managers of collective investment schemes licensed under the Collective Investment Scheme Control Act 45 of 2002;
6. a discretionary FSP as contemplated in the Code of Conduct for Administrative and Discretionary FSPS, 2003;
7. an administrative FSP as contemplated in the Code of Conduct for Administrative and Discretionary FSPS, 2003;
8. pension funds licensed under the Pensions Funds Act 24 of 1956; and
9. an over-the-counter (OTC) derivative provider as defined in the Financial Markets Act Regulations.

Highlights of the proposed minimum cybersecurity requirements include:

Principle of proportionality

The proposed requirements set out in the Draft Joint Standard facilitate proportional application by providing that the requirements must be implemented commensurate with the risk appetite, nature, size and complexity of a financial institution.

Cybersecurity governance rests with the governing body together with senior management

Oversight and management of a financial institution’s cybersecurity strategy and framework will rest with the governing body of a financial institution. A governing body may delegate these responsibilities to a committee. Notably, governance of information security must be sufficiently segregated and independent to mitigate potential conflicts of interest.

Governing bodies together with senior management must ensure that service level agreements are in place with third party cybersecurity service providers and that there is collaboration and engagement with relevant stakeholders (such as technical experts) to ensure cyber resilience in their framework.

Routine monitoring of cyber resilience and cyber frameworks

A financial institution must assess its risk tolerances annually and regularly review policies, procedures and practices implemented to mitigate cyber threats. The Draft Joint Standard proposes a number of cyber resilience fundamentals that should be implemented by financial institutions. Some of the notable fundamentals are listed below, namely:

• critical IT asset identification and record-keeping;
• a security-by-design approach for application and system security;
• cryptographic key management practices; 
• cyber incident detection, incident response and system recovery practices;
• situational awareness and training, penetration testing and vulnerability assessments; and
• scenario-based simulation exercises.  

Cybersecurity hygiene practices such as multi-factor authentication (MFA), malware protection and regulatory reporting

The Draft Joint Standard focuses on access management and proposes that financial institutions have password policies, MFA applied on all administrative accounts, network perimeter defence protocols and malware protection measures in line with industry standards.

Unless a reporting obligation exists in another financial sector law, the Draft Joint Standard proposes a mandatory duty on financial institutions to report any cyber incident, material systems failure, malfunction, delay or disruptive event within 24 hours of the event being classified as ‘material’.

What constitutes ‘material’ however is not currently defined in the Draft Joint Standard, and therefore must be determined with reference to the risk profile of the financial institution.

Comments

The Draft Joint Standard demonstrates the PA and FSCA’s joint commitment to encouraging financial institutions to implement an effective and resilient cyber framework that is able to effectively respond to cyber risks and resolve cyber incidents when they occur.

The Draft Joint Standard follows from draft Joint Standard 1 of 2021 ‘Information Technology Risk Management’ which was published on 9 June 2021. Although there have been no further developments in relation to draft Joint Standard 1 of 2021, the Draft Joint Standard also includes similar principles and obligations for financial institutions to adopt cyber resilient frameworks, which can combat heightened IT risks and cyber incidents which are prevalent in the South African financial services sector.

All interested parties are encouraged to provide their comments using the comment template (marked Annexure C to the Draft Joint Standard). This includes a questionnaire which the PA and FSCA will be considering in order to identify unintended consequences or potential risks if the Draft Joint Standard is implemented in its present form.

Written submissions on the Draft Joint Standard may be sent via e-mail to PA-Standards@resbank.co.za for the attention of Mrs Kalai Naidoo or Mr Andile Mjadu, on or before 15 February 2022.

After the conclusion of the consultation process, the PA and FSCA have indicated that they will issue a revised proposed Joint Standard for another round of public comment and consultation, for a period of at least six weeks.

Should you require assistance in considering the comments template, wish to assess your company’s cybersecurity framework against the proposed minimum requirements or would like to conduct cyber resilience training, please reach out to Clyde & Co’s Cyber and Regulatory teams for support.

For a copy of:

1. Joint Communication 6 of 2021 announcing the Draft Joint Standard, please click here.
2. The Statement of the Need which accompanied the Draft Joint Standard, please click here.
3. The Comments Template, please click here.