South Africa’s financial services companies, including insurers, have until 15 November 2024 to comply with the requirements of the new Joint Standard for IT Governance and Risk Management, issued by the Financial Sector Conduct Authority and the Prudential Authority.
This latest amendment to the Financial Sector Regulation Act, 2017 aims to update the minimum requirements for IT governance and risk management that financial institutions must meet. The Joint Standard puts the onus on the governing bodies of financial institutions to ensure compliance.
While South African financial services companies may not all be ready to meet the upcoming requirements, the amendments to the regulations will not be coming as much of a surprise. From banking to investments and insurance, every aspect of a modern consumer’s financial affairs is powered by technology and primarily conducted in the digital realm.
IT in the financial services sector has rapidly come out of the back room to occupy the forefront of operations at banks, asset managers and insurers as they escalate digital transformations to meet customer expectations. What’s come along for the ride with customer-pleasing digital innovations, is a wild west of new and amplified IT risks.
Across the world regulatory bodies are responding to this ever-evolving risk environment. It’s not just about reducing opportunities for bad actors to loot and hold to ransom. Financial services companies, including insurers have become deeply dependent on third-party software to conduct day-to-day business, creating new vulnerabilities and real threats to business continuity.
Guy Krige, executive risk consultant at EscrowSure, says: “We have been serving the Financial Services market for over 20 years, and what we have seen lately is a sudden wave of new global regulations that have been ushered in to shore up business continuity and update vital IT risk management protocols.
“Typically, South Africa follows the lead of developed nations when it comes to regulations. What is notable is that this regulation includes mitigating the business continuity risks associated with dependence on third-party software vendors who can fail to deliver on the agreed services, suddenly go out of business or get bought out by your competition.”
Software escrow is a customised legal agreement between the software provider, the user, and the software escrow agent that safeguards the software source code and makes it available to the user in the case of clearly defined trigger events that threaten business continuity.
Krige points out that over the last few years, the European Union has introduced the Digital Operational Resilience Act (DORA) which enforces new cyber security and resilience requirements on European financial institutions and their critical suppliers.
In the US, the Office of the Controller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve Board (FRB) issued a joint statement with revised guidance for Financial Services companies that includes new requirements for outsourcing and third-party risk management for banking institutions and highlights software escrow as an important consideration.
The UK has promulgated the Prudential Regulation Authority (PRA) SS2/21 which requires review of third-party arrangements and evaluation of the need for software escrow.
“What we are seeing is these types of regulations becoming more detailed and more prescriptive when it comes to an internationally recognised best practice such as software escrow,” says Krige. “It’s important to keep in mind that all regulatory roads are leading to the same destination.
“In markets such as Singapore and India, there are already regulations that explicitly prescribe software escrow as an essential part of business continuity and IT risk management and governance.
“The new South African regulations coming into force on 15 November 2024 urge compliance with global best practices. So, South African banks and insurers can clearly see the road ahead.
“What the regulators want to see are more comprehensive business continuity plans which include stressed exit plans when it comes to mission-critical software agreements.”
Rigard de Wet, CIO at Guardrisk, says: “Ultimately, the upcoming IT Joint Standard is not something new. It is a progressive journey working with the regulators in ensuring that we protect ourselves and our customers. This will be a continuous process and we require the mindset and ability to implement while we do business.
“The success in implementing changes like this lies in the ability of a company to accept the change and work together with all parties, including the regulator, while fostering strong positive relationships, built on trust and open communications.
“What we need to manage well is the financial impact, the ability to deliver business solutions, internal and customer-facing, while we ensure adherence to the joint standard.”
The advantage to South African financial services companies striving to meet the new regulation from 15 November 2024 is that software escrow is both a cost-effective and fast-acting solution to shore up business continuity plans and boost IT disaster recovery.
A particular benefit is the inclusion of thorough software testing services which ensures that in the case of an unexpected stress exit, the source code your escrow provider safeguards is exactly what you currently use in your organisation.
Krige concludes: “Compliance with the new joint standard shows that the South African Financial Sector is keeping pace with the global resilience movement. Adopting international best practices means reaching important compliance milestones and making sure that business is not set back by penalties from the regulators.”