
In February 2021, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) (together, the Authorities) published the draft Joint Standard: Information Technology Risk Management (Joint Standard) for consultation. The deadline for submitting comments on the draft Joint Standard closed on 26 July 2022.

The Joint Standard sets out the principles for information technology (IT) risk management that financial institutions must comply with to achieve sound practices and processes in managing IT risks.

The draft Joint Standard is prepared and published in terms of section 98 of the FSRA (Financial Sector Regulation Act 9 of 2017).

The draft Joint Standard proposes a commencement date of 1 January 2022. However, the Joint Standard is still before Parliament, and the Authorities will notify all stakeholders as soon as the final Joint Standard is published. We are monitoring this development and will update this summary when the final version is published.

Principle-based

The objectives of the Joint Standard are to:

  • Ensure that financial institutions establish a sound and robust IT risk management framework.
  • Assist financial institutions in integrating technology risk management into their overall management system.
  • Ensure that financial institutions implement information security controls for the information held on IT systems.

The draft Joint Standard defines the following terms:

‘application’ means a computer program or set of programs that performs the processing of records for a specific function. Examples of application software include Microsoft software such as MS Office, PowerPoint, Word, Excel, and Outlook for e-mail;

‘software’ means a set of programs and supporting documentation that enable and facilitate use of the computer. An example is the Windows operating system;

‘hardware’ means the physical components of a computer system;

‘IT’ means information technology;

‘IT asset’ means an asset of either software or hardware that is found in the business environment;

‘IT environment’ means the components which comprise the internal and external networks, hardware, software, applications, systems interfaces, operations and human elements of a financial institution;

‘IT infrastructure’ means a set of hardware, software, network or other IT components that integrate an enterprise’s IT assets;

‘IT programme and project’ means any project or programme, or part thereof, where IT systems and services are changed, replaced, dismissed or implemented. IT projects can be part of wider IT or business transformation projects or programmes;

‘IT system’ means any hardware, software, network or other IT component which is part of an IT infrastructure.

The draft Joint Standard applies to:

  • All banks and bank controlling companies (banks) registered under the Banks Act 94 of 1990.
    [Explanatory note: A bank, a branch, a branch of a bank and a controlling company as respectively defined in section 1 of the Banks Act 94 of 1990.]
  • All mutual banks registered under the Mutual Banks Act 24 of 1993.
    [Explanatory note: A mutual bank as defined in section 1 of the Mutual Banks Act 24 of 1993.]
  • All insurers and insurance groups (insurers) licensed under the Insurance Act 18 of 2017.
    [Explanatory note:  An insurer and a controlling company as defined in section 1 of the Insurance Act 18 of 2017.]
  • All market infrastructures licensed under the Financial Markets Act 19 of 2012.
    [Explanatory note:  A market infrastructure as defined in section 1 of the Financial Markets Act 19 of 2012.]
  • All managers of collective investment schemes licensed under the Collective Investment Scheme Control Act 45 of 2002.
    [Explanatory note: A manager as defined in section 1 of the Collective Investment Scheme Control Act 45 of 2002.]
  • A discretionary FSP per the Code of Conduct for Administrative and Discretionary FSPs, 2003.
    [Explanatory note: A discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 (Category II)]; and
  • An administrative FSP per the Code of Conduct for Administrative and Discretionary FSPs, 2003.
    [Explanatory note: An administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 (Category III)].

The Authorities will in future, as part of their supervisory programmes, review and assess the adequacy of financial institutions’ policies, processes and practices related to IT risk, both for the financial institutions covered by this proposed Joint Standard and for those not covered by it.

Please note: We have added the “explanatory notes” in this section to help readers identify the different stakeholders. The explanatory notes are not part of the draft Joint Standard.

When the Joint Standard comes into operation, governing bodies at financial institutions will be responsible for complying with the Joint Standard. The Joint Standard places several obligations on financial institutions to ensure that they:

  • Establish a sound and robust IT risk management framework.
  • Integrate technology risk management into their overall management system.
  • Implement information security controls for the information held on IT systems.

A financial institution must establish an IT risk management framework to manage IT risks in a systematic and consistent manner. The governing body must review the framework at least once a year.

A financial institution’s IT risk management framework must have the following attributes:

  • IT policies, standards, and procedures in managing IT risks and safeguarding IT assets (software or hardware) in the organisation.
  • The ability to detect, control and limit all major risks.
  • Ensuring that effective internal controls and risk management practices are implemented to achieve security, reliability, resiliency and recoverability.
  • Identification and assessment of the impact and likelihood of current and emerging threats, risks and vulnerabilities, in terms of which financial institutions must:
    • perform an analysis and quantification of the potential impact and consequences of any identified risks on the overall business and operations; and
    • develop a threat and vulnerability matrix to assess the impact of the threat on its IT environment. The matrix should also assist the financial institution in prioritising IT risks.

Financial institutions must:

  • Implement appropriate information security solutions at the data, application, database, operating systems, and network layers to adequately address and contain all forms of security vulnerabilities.
  • Configure IT systems and devices with security settings that are consistent with the expected level of protection.
  • Obtain reviews of the information security framework from independent audit assessments, and the results of the review must be reported to the governing body.

Financial institutions must conduct independent reviews annually to assess compliance with their privacy policies. In addition, independent reviews may be used to identify vulnerabilities in compliance processes that could undermine the confidential and sensitive information held on their systems.

Financial institutions must identify, monitor and mitigate risks deriving from their portfolio of IT programmes and projects.

Several clauses in the Joint Standard require financial institutions to ensure business continuity through robust IT risk management practices. For example, financial institutions must:

  • Establish a sound IT continuity management process to maximise their ability to provide services on an ongoing basis and to limit losses in the event of severe business disruption.
  • Develop IT continuity plans. The IT continuity plans must specifically consider risks that could adversely impact IT systems and services; and
  • Test and review its IT continuity plans.

Financial institutions must notify the Authorities of any material systems failure, malfunction, delay or other disruptive event, or any breach of IT security, integrity, or confidentiality, within 24 hours of classifying the event as material.

The Authorities may, through ongoing supervisory review and evaluation processes, request specific information or reports as well as assurance in terms of compliance with the Joint Standard.

The Joint Standard is not in operation yet and it does not list any penalties for non-compliance. However, financial institutions are encouraged to put measures in place to comply with the Joint Standard so that they are well-prepared when it comes into effect.

When the Joint Standard comes into operation, the Authorities will review and assess the adequacy of financial institutions’ policies, processes and practices related to IT risk management as part of their supervisory programmes.

By obtaining and/or implementing the products provided by test.armd.digital, financial institutions can support their demonstration of compliance with the Joint Standard.

Obtaining a CyberProfiler scan and implementing the remediation recommendations provided in its report can help institutions:

IT Risk Management Framework

  • Assess the IT policies, standards and procedures used to manage the IT risks related to identified vulnerabilities;
  • Enable the ability to detect, control and limit major risks associated with the IT environment;
  • Ensure that the governing body and senior management are aware of additional internal controls and risk management practices that can be implemented to achieve security, reliability and resiliency;
  • Identify and assess current risks and vulnerabilities.

Information security

  • Implement appropriate security solutions across its IT environment to adequately address and contain security vulnerabilities;
  • Configure IT systems with security settings that are consistent with the expected level of protection;
  • Obtain an independent audit of its information security framework.

Sensitive or confidential information

  • Obtain an annual independent review to identify vulnerabilities in compliance processes that can undermine confidential and sensitive information on its systems.

IT programme and/or project management

  • Identify, monitor and mitigate risks arising from its portfolio of IT programmes and projects by running a scan after any major system, organisational or infrastructure change (network changes, new system configurations, new user groups).

Reporting

  • Provide assurance in terms of compliance by providing a copy of the CyberProfiler scan report along with the remediation recommendations which have been implemented.

Implementing DMARC on the company’s e-mail domain helps institutions:

IT Risk Management Framework

  • Determine and implement IT policies, standards and procedures to manage the IT risks related to e-mail;
  • Enable the ability to detect, control and limit all major risks associated with e-mail spoofing;
  • Ensure that effective internal controls and risk management practices are implemented to achieve security, reliability and resiliency.

Information security

  • Implement an appropriate security solution on its e-mail application to adequately address and contain the vulnerabilities associated with e-mail spoofing;
  • Configure IT systems with security settings that are consistent with the expected level of protection;
  • Obtain an independent audit of its information security framework.

Sensitive or confidential information

  • Affirm compliance with its privacy policy related to protecting confidential and sensitive information by obtaining a DMARC Certificate of Compliance.

Reporting

  • Provide confirmation of compliance in regard to its e-mail application by providing a copy of its DMARC Certificate of Compliance;
  • Provide a detailed analysis report on its e-mail domain.
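To make “security settings consistent with the expected level of protection” concrete for e-mail, the following Python is an added example, not code from this page or from test.armd.digital. It parses a DMARC TXT record and flags the settings an assessor would treat as weak: a monitor-only `p=none` policy, a weaker `sp=` policy for subdomains, a `pct=` below 100, and no `rua=` aggregate-reporting address. The sample records and domain names are constructed for the example; a real check would fetch the `_dmarc.<domain>` TXT record over DNS.

```python
"""Assess DMARC TXT records for enforcement strength (added example; constructed inputs)."""
from dataclasses import dataclass, field

# Constructed sample records, as they would be returned for _dmarc.<domain> TXT lookups.
# These are not real domains.
SAMPLE_RECORDS = {
    # Weak: monitor-only policy and no aggregate reporting address.
    "weak.example": "v=DMARC1; p=none",
    # Partial: quarantine applied to only half of failing mail; subdomains left unprotected.
    "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@partial.example",
    # Hardened: reject everything that fails alignment, subdomains included, with reporting.
    "strong.example": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                       "rua=mailto:dmarc@strong.example; ruf=mailto:dmarc@strong.example"),
    # Malformed: no version tag, so receivers ignore the record entirely.
    "broken.example": "p=reject; rua=mailto:dmarc@broken.example",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs (RFC 7489 tag=value; syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class Assessment:
    policy: str
    subdomain_policy: str
    pct: int
    has_aggregate_reports: bool
    findings: list = field(default_factory=list)


def assess_dmarc(record: str) -> Assessment:
    """Return the effective policy settings plus a list of weaknesses found in the record."""
    tags = parse_dmarc(record)
    findings = []
    # RFC 7489 requires v=DMARC1 as the first tag; otherwise receivers discard the record.
    if record.split(";")[0].strip().lower() != "v=dmarc1":
        findings.append("missing or misplaced v=DMARC1 tag: receivers ignore the record")
    policy = tags.get("p", "")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    sp = tags.get("sp", policy)  # sp= defaults to the p= value when absent
    if sp != policy and sp in {"none", "quarantine"}:
        findings.append(f"sp={sp}: subdomains are weaker than the organisational domain")
    try:
        pct = int(tags.get("pct", "100"))  # pct= defaults to 100 when absent
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    has_rua = tags.get("rua", "").lower().startswith("mailto:")
    if not has_rua:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unnoticed")
    return Assessment(policy, sp, pct, has_rua, findings)


def is_enforcing(assessment: Assessment) -> bool:
    """True only when all failing mail is rejected for the domain and its subdomains, with reporting."""
    return (assessment.policy == "reject"
            and assessment.subdomain_policy == "reject"
            and assessment.pct == 100
            and assessment.has_aggregate_reports
            and not assessment.findings)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain}: enforcing={is_enforcing(result)}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Run stand-alone, the script prints one line per constructed domain with its findings; only `strong.example` comes out as enforcing. The same checks could be fed from a live DNS lookup of a financial institution’s own sending domains and re-run after each e-mail infrastructure change.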