In May 2024, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the Joint Standard: Cybersecurity and Cyber Resilience Requirements for Financial Institutions (Joint Standard).
The Joint Standard sets out the minimum standards for financial institutions to implement best practices and processes to identify and guard against risks relating to cybersecurity and cyber resilience.
This Joint Standard is made under section 107 read with sections 105, 106 and 108 of the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017).
The Joint Standard is envisaged to commence on 1 June 2025. However, the FSCA and PA envisage that the Joint Standard will likely take effect after 12 months.
Principle-based
The objective of the Joint Standard is to:
- Strengthen cybersecurity defences to protect financial institutions from cyber threats and vulnerabilities;
- Enhance cyber resilience to ensure institutions can detect, respond to and recover from cyber incidents, maintain critical operations; and
- Standardise cybersecurity practices across financial institutions to reduce systemic risk and protect the integrity of financial institutions.
The Joint Standard applies to:
- A bank, a branch, a branch of a bank and a controlling company as respectively defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990);
- A mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993);
- An insurer and a controlling company as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017);
- A manager as defined in section 1 of the Collective Investment Scheme Control Act, 2002 (Act No. 45 of 2002);
- A market infrastructure as defined in section 1 of the Financial Markets Act 2012 (Act No. 19 of 2012);
- A discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 (Category II);
- A category 1 FSP as contemplated in section 3(a) of the Determination of Fit and Proper Requirements for FSPs, 2017, that provides investment fund administration services;
- An administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 (Category III);
- A pension fund registered under the Pension Funds Act, 1956 (Act No. 24 of 1956);
- An OTC derivative provider as defined in the Financial Markets Act Regulations;
- An administrator approved in terms of section 13B of the Pension Funds Act, 1956 (Act No. 24 of 1956); and
- A registered credit rating agency as defined in section 1 of the Credit Rating Services Act, 2012 (Act No. 24 of 2012).
‘Act’ in this Joint Standard means the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017);
‘attack surface’ means the sum of an IT system’s characteristics in the broad categories (software, hardware, network, processes and human) which allows an attacker to probe, enter, attack or maintain a presence in the system and potentially cause damage to a financial institution;
‘Authorities’ means the Prudential Authority as established in terms of section 32 of the Act and the Financial Sector Conduct Authority as established in terms of section 56 of the Act;
‘compromise’ means the violation of the security of an IT system or information asset;
‘critical or criticality’ means a measure of the degree to which an organisation depends on the IT system or information asset for the success of a mission or of a business function;
‘cyber’ means relating to, within, or through the medium of the interconnected information infrastructure of interactions among persons, processes, data and IT systems;
‘cyber-related information’ includes cyber incident, cyber threat intelligence and information on system vulnerabilities;
‘cyber event’ means any observable occurrence in an IT system. Cyber events sometimes provide indication that a cyber incident is occurring;
‘cyber incident’ means a cyber event that (a) jeopardises the cybersecurity of an IT system or the information processed, retrieved, stored or transmitted by the system; or (b) violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not;
‘cyber resilience’ means the ability of a financial institution to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents. It involves people, process and technology;
‘cyber risk’ means the combination of the probability of cyber incidents occurring and their impact;
‘cyber threat’ means a cyber event with the potential to exploit one or more vulnerabilities that adversely affect cybersecurity;
‘data’ means electronic representations of information in any form as defined in section 1 of the Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002);
‘independent review’ means a review conducted by an internal or external audit function or an independent control function;
‘information asset’ means any piece of data, device or other component of the environment that supports information-related activities. In the context of this Joint Standard, information assets include IT assets and exclude paper-based information;
‘information security’ means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide—
- integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
- confidentiality, which means preserving authorised restrictions on access and disclosure, including the protection of personal privacy and proprietary information; and
- availability, which means ensuring timely and reliable access to and use of information;
‘IT’ means information technology;
‘IT asset’ means an asset, including software, hardware and internal and external facing network systems, that is found in the business environment;
‘IT environment’ means the IT components which comprise the IT assets, operations and human elements of a financial institution;
‘IT programme and project’ means any project or programme, or part thereof, where IT systems and services are changed, replaced, dismissed or implemented. IT projects can be part of wider IT or business transformation projects or programmes;
‘IT system’ means the integration of IT assets within the IT environment;
‘material incident’ means a disruption of a business activity, process or function which has, or is likely to have, a severe and widespread impact on the financial institution’s operations, services to its customers, or the broader financial system and economy;
‘security’ means both cyber and information security;
‘security controls’ means a prevention, detection or response measure to reduce the likelihood or impact of a cyber event or cyber incident;
‘sensitive information’ means information or data where loss, misuse, unlawful disclosure or unauthorised access to or modification of could adversely affect the public interest or a financial institution or the privacy to which persons are entitled;
‘threat intelligence’ means threat information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes;
‘vulnerability’ means a weakness in an information asset or security control that could be exploited to compromise cybersecurity;
‘vulnerability assessment’ means a systematic examination of an IT system, and its controls and processes, to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation;
Governing bodies at financial institutions are responsible for complying with the Joint Standard. The Joint Standard places several obligations on financial institutions, requiring them to establish:
- A cybersecurity strategy, maintained and regularly reviewed, that is approved by the governing body and aligned with its overall business strategy;
- Metrics to gather information that enables reporting at both a technical and executive-level across all aspects of its cyber risk management implementation programme;
- A cybersecurity framework that demonstrates how a financial institution will identify cyber risks and determine the controls required to keep those risks within acceptable limits; and
- Appropriate and effective cyber resilience capabilities and cybersecurity practices to prevent, limit or contain the impact of a potential cyber event.
Financial institutions must:
- Identify and classify critical business processes and information assets, including those managed by third parties, based on their criticality and sensitivity;
- Use this classification to prioritise protection, detection, response and recovery efforts;
- Conduct security risk assessments on critical operations and assets to prevent compromise;
- Maintain and regularly update an inventory of all information assets, detailing their location, ownership, and management roles, with reviews at least every two years.
A financial institution must implement appropriate and effective cyber resilience capabilities and cybersecurity practices to prevent, limit and/or contain the impact of a potential cyber event or cyber incident.
A financial institution must:
- Develop comprehensive data loss prevention policies for sensitive information;
- Implement measures to prevent, detect and respond to unauthorised access, modification, copying, transmission or theft of data across systems;
- Ensure third-party service providers protect information assets to the same standard;
- Encrypt or secure sensitive data based on risk, ensuring only authorised systems and devices process or store it;
- Prevent unauthorised internet services from handling sensitive data;
- Implement controls to manage access and prevent data loss.
A financial institution must:
- Adopt a security-by-design approach, integrating security into every phase of software development to minimise vulnerabilities and reduce attack risks;
- Determine the required security level based on business needs and assess potential threats and risks to applications and systems;
- Specify security requirements for access control, authentication, transaction authorisation, data integrity, logging, audit trails, event tracking and exception handling early in system development or acquisition;
- Review and test changes to business-critical applications to ensure they do not negatively impact operations or security.
Financial institutions must:
- Review their network architecture, including the network security design, as well as systems and network interconnections on a periodic basis to identify potential vulnerabilities;
- Implement network access controls to detect and prevent unauthorised devices from connecting to its network. Network access control rules in network devices must be reviewed on a regular basis to ensure they are kept up-to-date.
A financial institution must maintain effective cyber resilience by:
- Monitoring and detecting cyber events and incidents across IT systems, information assets, and business services, while effectively responding to attacks;
- Regularly evaluating the effectiveness of controls through network monitoring, testing, and audits;
- Establishing or acquiring security monitoring capabilities, such as a security operations centre or managed security services, to enable continuous monitoring and prompt detection of and response to cyber incidents.
A financial institution must understand the threat landscape and its implications within the environment in which it operates, as well as the adequacy of its cyber risk mitigation measures.
A financial institution must:
- Establish a process to collect, review, and retain IT system logs for security monitoring;
- Configure IT system events or alerts to provide early warnings of potential security issues, with active monitoring to enable prompt response;
- Correlate multiple events from IT system logs to detect suspicious or abnormal activity patterns;
- Implement a process for timely escalation of suspicious or abnormal system activities or user behaviour to relevant stakeholders.
Financial institutions must:
- Establish a process to conduct regular vulnerability assessments on its IT systems and information assets to identify security vulnerabilities and ensure that vulnerabilities are addressed in a timely manner; and
- Ensure that the frequency of vulnerability assessments is commensurate with the criticality of the IT system and information assets and the security risk to which it is exposed.
Financial institutions run the risk of having their licences suspended if they do not comply with the requirements of the Joint Standard. Depending on the severity of the non-compliance, financial institutions could also be liable for administrative penalties.
It is worth noting that in the future, the FSCA and the PA will review and assess the adequacy of financial institutions’ policies, processes and practices related to cybersecurity and cyber resilience as part of their supervisory programmes.
By obtaining and implementing the products provided by ARMD.digital, financial institutions can demonstrate compliance with the Joint Standard.
Obtaining a CyberProfiler scan and implementing the remediation recommendations provided in its report can help you to:
Identification
Identify vulnerabilities and prioritise remediation based on risk exposure.
Protection
Address identified security risks and enable proactive prevention of cyber incidents. Reducing the attack surface enhances overall cyber resilience.
Data Security
Identify where sensitive data is exposed through insecure protocols or DNS misconfigurations.
Application and system security
Identifying weaknesses supports a security-by-design approach by integrating security remediation measures early. It also ensures ongoing operational and security integrity.
Network security
Identification of risks and access points for attackers such as insecure protocols, DNS misconfigurations, and expired certificates.
Detection
Enables the institution to monitor and detect potential cyber risks across its IT systems. Supports regular evaluation of controls by revealing areas prone to attacks.
Situational awareness
Understanding the threat landscape by revealing exposures that could be exploited by cybercriminals. This provides insight into the implications of these threats in the operational environment, allowing the institution to align its security posture with its risk environment.
Threat intelligence and information sharing
By revealing potential attack vectors like expired certificates and associated domains, the assessment helps improve the institution’s process for collecting, reviewing, and retaining IT system logs, ensuring they can be protected.
Vulnerability assessment
CyberProfiler scan provides a quick and efficient solution to conduct regular vulnerability assessments on an institution’s IT systems and information assets. It identifies security vulnerabilities enabling the remediation of these vulnerabilities in a timely manner. With the ability to conduct scans as a one-time purchase with no ongoing subscription, the institution can conduct assessments commensurate with the frequency of their needs.
Implementing a properly configured DMARC policy on your company’s domain, and getting access to the easy-to-understand reporting provided by the Sendmarc platform, helps you to:
Identification
DMARC protects a critical business asset—the company’s domain—against spoofing and phishing attacks, ensuring its secure use in email communications. Visibility provided by DMARC reports helps with ongoing identification and monitoring of domain usage, ensuring it remains secure and up to date.
Protection
By blocking unauthorised emails, DMARC helps to prevent, limit and contain the impact of potential cyber incidents, strengthening overall cyber resilience.
Data Security
By preventing domain spoofing, the risk of unauthorised access, data theft and phishing attacks is reduced.
Application and system security
Implementing a strict DMARC policy aligns with a security-by-design approach by minimising vulnerabilities and reducing the risks of email-based attacks. The visibility provided by the DMARC reports helps to ensure that any changes to email systems (additions or deletions of authorised senders) do not negatively impact operations or security.
Network security
DMARC assists in enforcing network access controls, ensuring that unauthorised senders cannot exploit the domain for malicious purposes. Regular DMARC reporting ensures that network access control rules remain up to date and effective in preventing unauthorised connections to the institution’s network.
Detection
Visibility provided by DMARC reports supports continuous monitoring and detection of cyber events by identifying unauthorised attempts to use the domain. Regular DMARC data also aids in evaluating the effectiveness of this control.
Situational Awareness
DMARC reports offer insight into how the domain is being used or potentially misused, allowing the institution to assess the implications of these threats in its operational environment. Continuous monitoring helps to stay proactive in identifying and addressing potential cyber threats.
Threat intelligence and information sharing
The reports generated by DMARC can be integrated into the institution’s security monitoring processes. Email activities are reported and provide early warnings of potential spoofing attempts. By correlating DMARC-related events with other system logs, the institution can detect suspicious patterns and escalate abnormal activities to relevant stakeholders, ensuring timely action is taken to mitigate risks.
Vulnerability Assessment
Institutions can quickly assess their security vulnerabilities to fraudulent email practices with the “Know your score” tool here: https://armd.digital/dmarc/.
The DMARC reports provide details and insight into attempted spoofing attacks, providing institutions with an overview of their risk profile.
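To make the "properly configured policy" and "report visibility" points above concrete, the following added Python example (written for this page, not code from the Joint Standard or from the Sendmarc platform) classifies the enforcement level of a DMARC TXT record and reads a minimal aggregate (rua) report to list sending sources that failed both SPF and DKIM alignment. The domain, IP addresses and report contents are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample values (not real records): a monitor-only DMARC record and a
# minimal RFC 7489-style aggregate report with one unauthenticated source.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into tag/value pairs; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def policy_strength(tags):
    """'enforcing' only when p=reject applies to 100% of mail; p=none merely reports."""
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "enforcing"
    if policy in ("quarantine", "reject"):
        return "partial"  # quarantine, or reject applied to only part of the mail stream
    return "monitor-only"

def failing_sources(report_xml):
    """Return (source_ip, message_count) for rows where both DKIM and SPF failed alignment."""
    root = ET.fromstring(report_xml)
    failed = []
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            failed.append((row.findtext("source_ip"), int(row.findtext("count"))))
    return failed

if __name__ == "__main__":
    print(policy_strength(parse_dmarc_record(SAMPLE_RECORD)), failing_sources(SAMPLE_REPORT))
```

A record reported as "monitor-only" gives visibility but blocks nothing; the sources returned by failing_sources are the ones to either authorise (SPF/DKIM) or treat as spoofing attempts before moving the policy to quarantine or reject.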
- Download the Joint Standard from the South African Reserve Bank Prudential Authority
- Link to the Financial Sector Conduct Authority (FSCA)