The Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) have announced that Joint Standard 1 of 2024 (Outsourcing by Insurers) and Joint Standard 2 of 2024 (Cybersecurity and Cyber Resilience Requirements) will be effective on 1 December 2024 and 1 June 2025 respectively.
By Lenee Green, partner, Gabi Richards-Smith, partner and Londiwe Mazibuko, candidate attorney at Webber Wentzel
Joint Standard 2 of 2024 seeks to address the sector's exposure to evolving cyber threats and aims to enhance cyber risk management and resilience. The FSCA is urging financial institutions to manage and mitigate cyber security risks and threats in a manner proportionate to the nature, size, complexity and risk profile of the financial institution.
Financial institutions, including banks, insurers and their controlling companies, have just over six months to establish and maintain a cybersecurity framework, policies and procedures that meet industry standards and best practices and adequately address cyber-attacks.
To the extent that insurers intend to outsource cyber related functions and/or system controls to maintain adequate cyber security frameworks, Joint Standard 1 of 2024 becomes relevant and the outsourcing of these activities will most likely be material. Insurers must, as part of their board approved outsourcing policies, ensure that they comply with the provisions of Joint Standard 1 of 2024 for any material activity outsourced to a third party.
Joint Standard 2 of 2024 contains several key cybersecurity requirements for financial institutions. These include:
- Establishing and maintaining a cybersecurity strategy and framework to address changes in the cyber threat landscape, manage cyber risks, allocate resources, identify and remediate gaps.
- Identifying and classifying business processes and information assets in terms of criticality and sensitivity, which in turn must inform the prioritisation of protective, detective, response and recovery efforts.
- Carrying out security risk assessments on critical operations and information assets to ensure protection against compromise.
- Ensuring that access to information assets and associated facilities is limited to users, processes, and devices authorised by the financial institution.
- Establishing identity management and access control policies and procedures for effective and consistent user administration, accountability and authentication which accounts for remote user access to information assets.
- Developing comprehensive data loss prevention policies and ensuring that information stored in systems and on endpoint devices is encrypted or protected by access control mechanisms commensurate with the risk exposure faced by the financial institution. Restricting the processing, retrieval, communication, transmission and storage of sensitive information to authorised IT systems, endpoint devices and data storage systems.
- Ensuring that agreements between the financial institution and third-party service providers provide for the secure return, transfer or deletion of data upon termination of services.
- Conducting a comprehensive cybersecurity awareness training programme at least annually for the governing body and users of the financial institution, to raise their awareness of the risks associated with the use of technology and to enhance their understanding of cyber risk management practices. The training programme must be regularly reviewed, taking into account the financial institution's security policies, prevalent and emerging risks, and the evolving threat landscape.
- Notifying the responsible authority once a cyber incident or information security compromise has been classified as a material incident in accordance with the processes and policies established.
- If insurers intend to outsource, or have already outsourced, activities related to data storage systems, IT support systems, cyber security frameworks and compliance to third-party service providers, they must review these agreements, including sub-outsourcing arrangements, to ensure compliance with the provisions of Joint Standard 1 of 2024. Any outsourcing arrangement entered into prior to the standard's effective date has 24 months to comply.
In the event of outsourcing, insurers must ensure that contractual agreements or Service Level Agreements with third-party service providers explicitly require compliance with stringent cybersecurity and cyber resilience standards.