Cyber compliance is now a mandatory aspect of an FSP’s risk management

As digital transformation accelerates across South Africa’s financial sector, the regulator has moved to fortify the industry against an increasingly sophisticated wave of cyber threats. At the heart of this regulatory push is Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience. It is a landmark regulatory framework issued jointly by the FSCA and the Prudential Authority. This standard introduced mandatory cybersecurity and resilience requirements for certain financial institutions. In addition, the FAIS Act requires ALL financial services providers (FSPs) to maintain a comprehensive risk management framework, which now extends to how these licensed entities manage cyber risk.

Why this standard matters now

South Africa’s financial services sector is among the most targeted industries for cybercrime on the continent, with increasing ransomware, phishing, and fraud incidents representing major business and systemic risks. National data shows that cybercrime costs the South African economy an estimated R2.2 billion annually, with the average cost of a data breach hovering around R44 million per incident. Statistics show that 60% of SMEs close within six months of a cyberattack or breach.

Joint Standard 2 addresses this reality by requiring regulated institutions to adopt comprehensive cybersecurity strategies aligned with their business objectives and risk profiles, establish strong governance and oversight mechanisms, and implement proactive practices for threat detection, response, and recovery.

Key requirements for FSPs

FSPs are obliged to demonstrate that they have the following in place:

  • Governance and accountability;
  • Continuous cyber risk monitoring and assessments;
  • Incident management and resilience;
  • Protection of digital assets and information; and
  • Cybersecurity awareness programme for employees.

Intermediaries often rely on digital platforms to save and access client data, facilitate transactions, communicate with clients, and manage investments. The Joint Standard 2 obligations mark a major shift from advisory and sales compliance to the full integration of cyber risk management into their core operations.

The stakes of non-compliance

The consequences of failing to meet the cyber resilience requirements extend far beyond regulatory sanctions and fines; they also include possible:

  • Reputational damage;
  • Operational disruptions; and
  • Legal and civil liability.

Building resilience and trust

For many FSPs, compliance with Joint Standard 2 is not merely a regulatory checkbox; it is an opportunity to embed cyber resilience into their business’s DNA. As South African organisations increasingly recognise cybersecurity as a competitive differentiator, enhancing cyber controls can also protect customer data, strengthen operational continuity, and support long-term business success.

However, the clock is ticking. With the compliance deadline looming, FSPs must accelerate investments in governance and technology. Those that act decisively will not only adhere to regulation but also position themselves as trusted custodians of digital finance in an era where cyber risk is among the most pervasive threats to economic stability.

In the interconnected world of digital finance, cyber resilience is no longer optional; it is foundational to survival and growth. Joint Standard 2 ensures that South Africa’s financial ecosystem rises to meet this reality.

The cyber compliance countdown has started. Are you ready?

“We are here to help!” says Simon Campbell-Young, CEO at Digimune. “Our cloud-based platform will continuously monitor the cyber posture of your organisation, identify vulnerabilities, and scan the dark web for potential breaches. It also has a built-in employee cyber awareness programme and is backed up by a team of cyber experts that are available 24/7 to help you reach cyber compliance in no time. All of this at a price that won’t break the bank and endorsed by Moonstone.”

Secure your FAIS compliance and protect your clients’ data.

5 thoughts on “Cyber compliance is now a mandatory aspect of an FSP’s risk management”

  1. I find your article misleading.
    This joint standard does not apply to all “FSP’s” as suggested in your article.
    It only applies to those financial institutions listed in the joint standard itself.

    1. Perhaps you did not notice this part of the article; the ad is very clear about that: “In addition……” and states “certain”.

      This standard introduced mandatory cybersecurity and resilience requirements for certain financial institutions. In addition, the FAIS Act requires ALL financial services providers (FSPs) to maintain a comprehensive risk management framework, which now extends to how these licensed entities manage cyber risk.

    2. Good day

      Digimune responds as follows:

      You are 100% correct that Joint Standard 2 does not apply to all FSPs. The article clearly states that “It is a landmark regulatory framework issued jointly by the FSCA and the Prudential Authority. This standard introduced mandatory cybersecurity and resilience requirements for certain financial institutions”. Also, as per our article, the FAIS Act, however, “requires ALL financial services providers (FSPs) to maintain a comprehensive risk management framework, which now extends to how these licensed entities manage cyber risk”.

      The FAIS Act and section 11 of the General Code of Conduct require ALL financial services providers (FSPs) to have a comprehensive risk management framework and to implement control measures that include appropriate technological systems to eliminate, as far as reasonably possible, the risk that clients or product suppliers will suffer financial loss through theft or fraud. In addition, POPIA’s Condition 7 (Security Safeguards) is the most explicit cybersecurity requirement in POPIA, and it requires that responsible parties implement “appropriate, reasonable, technical and organisational measures” to prevent loss of personal information and damage or unauthorised destruction.

  2. Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience does not specifically apply to FSPs that do not fall under the strict definitions of “financial institutions” listed in the standard, namely Category I FSPs that do not provide investment fund administration services and Category IV Assistance Business FSPs (which administer funeral insurance policies).

    1. Broader FAIS Act Requirements for All FSPs

      Even if an FSP does not fall under the specific categories listed in the Joint Standard (such as some Category I FSPs that only provide advice), they are still bound by the general requirements of the FAIS Act and the General Code of Conduct:

        • Section 11 of the General Code of Conduct: Mandates that every FSP must employ “appropriate technological systems” to eliminate risk to clients as far as reasonably possible.
        • Comprehensive Risk Management: All FSPs must maintain a framework that encompasses cyber risk to protect client data and ensure operational integrity.
        • Governing Body Responsibility: The “governing body” (directors or owners) is held personally accountable for ensuring these security measures are effective.

      Key Compliance Obligations

      For those required to comply, the governing body must demonstrate:

        • Governance: Active board oversight of cyber resilience and a board-approved cybersecurity strategy.
        • Incident Reporting: Notification of “material” cyber incidents to the FSCA or PA within 24 hours.
        • Technical Controls: Implementation of Multi-Factor Authentication (MFA), encryption, and network security perimeters.
        • Regular Testing: Mandatory annual penetration testing and vulnerability assessments.
        • Employee Awareness: Continuous training programs to maintain high levels of security awareness among staff.