With the Joint Standard on Cybersecurity and Cyber Resilience set to take effect in less than six months, a leading law firm has cautioned that retirement fund trustees could face substantial penalties for non-compliance, including personal liability for losses resulting from a data breach.
Joint Standard 1 of 2023: IT Governance and Risk Management came into effect in November last year. Its counterpart, Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience will take effect on 1 June this year.
Billy Seyffert, the chief operating officer of Moonstone Compliance, explains that these standards complement, rather than replace, the existing requirements under the Fit and Proper Requirements (Board Notice 194 of 2017).
“Trustees are already subject to operational requirements, including risk management, security, and backup provisions. These two Joint Standards add to those obligations,” Seyffert says.
Joint Standard 1 is primarily about compliance and governance.
“It’s about having a strategy, risk management plans, and policies in place. While the ultimate goal is to ensure cybersecurity, resilience, customer protection, and secure network environments, Joint Standard 1 emphasises governance. Financial institutions must document their plans, gain board approval, and detail how they will implement and monitor these measures.”
Joint Standard 2 focuses more specifically on technical controls.
“Where Joint Standard 1 creates a regulatory framework for governance and policy requirements, Joint Standard 2 outlines the minimum technical controls that must be implemented to support those policies,” Seyffert noted.
The Joint Standard applies to the following financial institutions:
- banks and mutual banks;
- insurers;
- market infrastructures – that is, a licensed stock exchange, central securities depository, clearing house, or trade repository;
- discretionary FSPs (as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs);
- Category I FSPs that provide investment fund administration services;
- administrative FSPs;
- retirement funds registered under the Pension Funds Act (PFA);
- over-the-counter derivative providers;
- administrators approved in terms of section 13B of the PFA; and
- registered credit rating agencies.
Responsibility lies with the board
In an interview with Ebnet editor Nathalie Burrows, Vanessa Jacklin-Levin, a partner at Bowmans, underscores the responsibilities outlined in paragraph 4.1 of the Joint Standard.
She explains that the governing body of a financial institution – for example, the board of a retirement fund – is ultimately responsible for ensuring that the institution complies with the requirements set out in the Joint Standard and for overseeing cyber risk management.
“They may delegate primary oversight activities to an existing or a new committee, but ultimately, the buck stops with them. It’s their responsibility.”
Jacklin-Levin also highlights that, even when retirement funds outsource certain administrative activities to administrators or investment managers, trustees remain fully responsible for ensuring compliance with the Joint Standard as part of their legal fiduciary duties.
Trustees have a fiduciary duty to act in the best interests of all their beneficiaries. This responsibility includes managing and safeguarding the trust’s assets as if they were their own. It also involves making informed decisions, ensuring compliance with all applicable legislation and Joint Standards, and effectively managing and mitigating risks, including cyber risks and cyberattacks.
Jacklin-Levin notes the serious consequences of failing to fulfil these duties.
“Failure to perform a duty not only undermines the purpose of the trust but also can lead to severe legal consequences. For example, you could be removed from the trust as a trustee – effectively fired – if you fail to comply with your duties.”
Trustees could face financial penalties and be held personally liable for losses suffered by the trust due to their actions. This could include compensation or damages for any loss of profits or for illegal personal gains they made through their position as a trustee.
She adds, “You could also be required to repay profits because of the breach of trust. In severe cases involving evidence of theft or fraud, trustees can face criminal charges resulting in fines and/or imprisonment, depending on the severity of the offence.”
Additionally, there’s the threat of civil lawsuits.
“Beneficiaries are entitled to institute civil lawsuits against trustees for breaches of their fiduciary duties, which can lead to substantial damages being paid by the trustees to the beneficiaries, so the penalties are severe.”
Personal liability of trustees in case of data breach
When asked whether trustees could be held financially responsible if a retirement fund’s systems were hacked and its data held for ransom, Jacklin-Levin confirmed that this is indeed a possibility.
“If they were involved in any kind of negligence, particularly gross negligence, in failing to comply with the standard or in not putting reasonable measures in place, they could be held personally liable for their actions. Or, if they were part of a decision-making committee that made negligent or incorrect decisions regarding cybersecurity, they could also be held liable.”
Jacklin-Levin says she recently dealt with a matter where a business was the victim of a cyberattack.
“We acted for them in suing the service provider who had neglected their duties in putting in the required security firewalls and data recovery.”
She said the most significant failure was the lack of data recovery.
“As a result of the cyberattack, our client’s business suffered substantial damages and never recovered the data that was lost. This led to a damages claim running into millions and millions of rand, which was ultimately paid to our client in the arbitration proceedings. So, there are substantial consequences, particularly financial consequences.”
Setting good industry standards
Seyffert notes that the goal of implementing the Joint Standard is to establish industry-acceptable standards.
“The outcome here is not that you’re not hackable. It’s about setting good industry standards. And if something is lost, that you can recover it. If something breaks, that you can fix it,” he says.
He also notes that the more comprehensive the cybersecurity measures, the more positive the impact on insurance premiums.
“When you’re looking at cyber insurance, cyber insurance is exposed to the expensive, and the more you can evidence in terms of both policy procedure and important technical controls, the more you are going to save on premium.”
Seyffert points out that businesses, not just financial institutions, face these risks.
“The amount of business email compromise that takes place on a weekly basis is absurd,” he says. “And you don’t want to be on the wrong side of that, because if you comply with Joint Standard 1 and Joint Standard 2, the chances of being found negligent are very, very low.”
He acknowledges that, in most cases, the issue lies outside the financial institution itself. “We accept that nine times out of ten, it’s the client’s Gmail that’s been hacked, not the financial institution’s. But you want to be in a position to say, ‘Everything is in place that I need to have in place. It’s unlikely that this took place at my business.’”