Financial institutions have until 1 June 2025 to comply with South Africa’s Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience, published by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (Authorities) in May 2024.
“The Joint Standard applies to ‘financial institutions’ as defined in the Joint Standard, such as a retirement fund registered under the Pension Funds Act 1956 (PFA),” explains Vanessa Jacklin-Levin, partner at law firm Bowmans.
She notes that the purpose of the Joint Standard is to set and enforce a standard for financial institutions to manage and mitigate cybersecurity risks. It sets out minimum requirements and principles for sound practices and processes of cybersecurity and cyber resilience for financial institutions to adopt.
“The Joint Standard requires financial institutions to adopt robust cybersecurity and resilience against cyberattacks and expects financial institutions to implement security controls that are commensurate with their risk appetites based on the nature, complexity, risk profile and size of their financial operations,” Jacklin-Levin explains.
Deirdre Phillips, partner at Bowmans, explains that financial institutions are required to, among other things, establish a Cybersecurity Strategy and Framework, Cybersecurity Policy, Data Loss Prevention Policy, Cryptographic Key Management Policy, Cyber Incident Management Policy and a Security Access Control Policy.
Phillips notes that “In its recently published Regulatory Strategy for 2025-2028 (available here), the FSCA stated that it remains focused on what matters most, ‘protecting customers and strengthening the integrity and resilience of the financial system’. Cybersecurity and cyber resilience remain among some of the key risks and vulnerabilities in the financial system.”
Jacklin-Levin adds: “The board of trustees of a retirement fund is ultimately responsible for ensuring compliance with the requirements set out in the Joint Standard. Accordingly, where a retirement fund outsources cybersecurity administrative activities to administrators of retirement funds or other service providers, the relevant retirement fund’s board of trustees retains the full responsibility for ensuring compliance with the Joint Standard.”