In recent years, South Africa has experienced an increase in cybercrimes, cyberattacks, and security breaches, with banks and financial institutions being prime targets. Reports have found that stolen or compromised credentials and phishing scams are the primary attack vectors used to perform cybercrimes. Consequently, there is an imminent need for the financial sector to reassess security strategies, safeguard financial data, increase cyber resilience, and manage and mitigate the potential risks associated with personal and confidential information. In response to these potential threats to the financial sector, the Financial Sector Conduct Authority and the Prudential Authority published the Joint Standard 1 of 2023: Information Technology Governance and Risk Management Requirements for Financial Institutions.
It aims to ensure that financial institutions, including insurers, have the necessary governance and risk management structures, as well as processes and procedures related to IT risk management, in place. Additionally, it requires financial institutions to regularly conduct risk assessments, identify potential threats, and implement mitigation measures.
Following the newsflash that we published at the end of 2023, we have been inundated with queries from organisations regarding the Joint Standard and have put together a comprehensive Q&A below.
The Joint Standard will apply to your organisation if it constitutes any of the following:
- a bank, a branch, a branch of a bank or a bank controlling company defined in Section 1 of the Banks Act, 1990;
No. The Joint Standard commences on 15 November 2024, giving financial institutions sufficient time to ensure that they are compliant.
The governing body (as defined in the Financial Sector Regulation Act, 2017) of the financial institution is ultimately responsible for ensuring that the requirements of the Joint Standard are continuously met. The “governing body” is the board of directors of the organisation.
The Joint Standard focuses on various areas of compliance, specifically:
The Joint Standard prescribes governance, documents, processes and policies that need to be implemented in each of these areas.
The minimum requirements and principles set out in this Joint Standard are for the sound practices and processes of IT governance and risk management and must be implemented to reflect the nature, size, complexity and risk profile of the relevant organisation.
The Joint Standard does not specify any separate penalties for non-compliance with its requirements. The Authorities may, through ongoing supervisory review and evaluation processes, request specific information or regulatory reports, as well as assurance of compliance with the Joint Standard. The Authorities’ powers are quite wide under the respective financial sector laws, and the consequences of non-compliance may depend on the financial sector law in terms of which the relevant financial institution is licensed or registered.
Both the FSCA and the PA.
Yes. The Joint Standard is quite prescriptive on what governance, documents, policies and processes need to be implemented. To the extent that your organisation already has these in place, that is a great start to ensuring compliance with the Joint Standard, but your organisation will likely still need to align such documents with the requirements of the Joint Standard. This may mean updating or supplementing existing processes and policies, and/or implementing new processes and policies.
No, unless directed otherwise by the FSCA and the PA.
Your board of directors is ultimately accountable for ensuring that the organisation complies with the Joint Standard. Your board should therefore be made aware of, and even trained on, the Joint Standard and all the relevant documents and processes that you have in place to be compliant.
Your legal team, both internal and external, should work with your IT team to devise a gap analysis and compliance programme and implement any remediations identified, to ensure compliance by 15 November 2024.
Considering the amount of time and effort required in ensuring compliance with the Joint Standard, it is recommended that financial institutions prioritise their Joint Standard compliance journey sooner rather than later. ENS’ TMT team has established a Joint Standard offering to guide financial institutions through each requirement in order to be compliant.
Our offering includes:
Given that the Joint Standard has expanded the duties and accountability of the board of directors, this offering extends to board empowerment and support. This includes training for the board on the Joint Standard, consultation on the impact of the Joint Standard on existing roles and responsibilities, and guidance on establishing separate board committees to implement the governance requirements of the Joint Standard.
--
Read the original publication at ENS