Cybercrimes Act: Cybercrimes are enforceable criminal offences in South Africa with effect from 1 December 2021
On 15 December 2021, the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) jointly published a proposed Joint Standard titled “Cybersecurity and Cyber Resilience Requirements” in terms of sections 107 and 108(1) of the Financial Sector Regulation Act, 9 of 2017.
The objective of the Draft Joint Standard is to ensure that financial institutions have adequate cybersecurity and cyber resilience practices and processes. We enclose a copy of the Draft Joint Standard here.
It is proposed that the Draft Joint Standard will apply to the following financial institutions:
The proposed requirements set out in the Draft Joint Standard facilitate proportional application by providing that the requirements must be implemented commensurate with the risk appetite, nature, size and complexity of a financial institution.
Oversight and management of a financial institution’s cybersecurity strategy and framework will rest with the governing body of a financial institution. A governing body may delegate these responsibilities to a committee. Notably, governance of information security must be sufficiently segregated and independent to mitigate potential conflicts of interest.
Governing bodies, together with senior management, must ensure that service level agreements are in place with third-party cybersecurity service providers and that there is collaboration and engagement with relevant stakeholders (such as technical experts) to ensure cyber resilience in their framework.
A financial institution must assess its risk tolerances annually and regularly review policies, procedures and practices implemented to mitigate cyber threats. The Draft Joint Standard proposes a number of cyber resilience fundamentals that should be implemented by financial institutions. Some of the notable fundamentals are listed below, namely:
The Draft Joint Standard focuses on access management and proposes that financial institutions have password policies, multi-factor authentication (MFA) applied to all administrative accounts, network perimeter defence protocols and malware protection measures in line with industry standards.
Unless a reporting obligation exists in another financial sector law, the Draft Joint Standard proposes a mandatory duty on financial institutions to report any cyber incident, material systems failure, malfunction, delay or disruptive event within 24 hours of the event being classified as ‘material’.
What constitutes ‘material’, however, is not currently defined in the Draft Joint Standard, and therefore must be determined with reference to the risk profile of the financial institution.
The Draft Joint Standard demonstrates the PA and FSCA’s joint commitment to encouraging financial institutions to implement an effective and resilient cyber framework that is able to respond to cyber risks and resolve cyber incidents when they occur.
The Draft Joint Standard follows from draft Joint Standard 1 of 2021, ‘Information Technology Risk Management’, which was published on 9 June 2021. Although there have been no further developments in relation to draft Joint Standard 1 of 2021, the Draft Joint Standard includes similar principles and obligations for financial institutions to adopt cyber resilient frameworks that can combat the heightened IT risks and cyber incidents prevalent in the South African financial services sector.
All interested parties are encouraged to provide their comments using the comment template (marked Annexure C to the Draft Joint Standard). The template includes a questionnaire that the PA and FSCA will consider in order to identify unintended consequences or potential risks should the Draft Joint Standard be implemented in its present form.
Written submissions on the Draft Joint Standard may be sent via e-mail to PA-Standards@resbank.co.za for the attention of Mrs Kalai Naidoo or Mr Andile Mjadu, on or before 15 February 2022.
After the conclusion of the consultation process, the PA and FSCA have indicated that they will issue a revised proposed Joint Standard for another round of public comment and consultation, for a period of at least six weeks.
Should you require assistance in considering the comments template, wish to assess your company’s cybersecurity framework against the proposed minimum requirements or would like to conduct cyber resilience training, please reach out to Clyde & Co’s Cyber and Regulatory teams for support.
For a copy of: