Second take: Joint Standard on IT governance and risk management

As we reported last week, the FSCA and the Prudential Authority (PA) published Joint Standard 1 of 2023: Information Technology Governance and Risk Management.

The Joint Standard applies to banks, insurers, market infrastructures, managers of collective investment schemes, discretionary FSPs, and administrative FSPs.

The Joint Standard becomes effective 12 months after the commencement date of 15 November 2023. This means financial institutions have until 15 November next year to demonstrate compliance with the Joint Standard.

Legal experts from Clyde & Co, which specialises in insurance law, have summarised the key implications of the Joint Standard for financial institutions as follows.

1. The governing body is ultimately accountable for compliance

The Joint Standard mandates that a governing body must approve the IT strategy and exercise comprehensive oversight (governance) over the execution of internal controls and risk management practices by senior management. The governing body is also responsible for ensuring that the IT strategy and processes aligned with the Joint Standard undergo a comprehensive review at least annually.

Any deviation from the Joint Standard must be reported to the Authorities within a reasonable period. The reporting and notification obligation under the Joint Standard should be included in a financial institution’s IT risk management protocols to ensure compliance.

2. Implementation of IT policies, processes, and plans

Financial institutions must consider the nature, scale, and complexity of their operations when establishing compliance with the Joint Standard.

The Authorities encourage financial institutions to apply the Joint Standard’s requirements at the group and subsidiary levels to demonstrate that each entity has complied with the Joint Standard.

Financial institutions must demonstrate that the following policies and processes are in place:

  • An IT strategy in terms of which action plans are established and appropriate IT measures are identified.
  • An IT risk management framework to handle IT issues systematically, including reporting procedures for IT assurance and the safeguarding of IT assets.
  • IT service management policies, standards, processes, and procedures to support IT systems, operations, and incidents to ensure the stability of the IT environment.
  • Appropriate measures to safeguard sensitive or confidential information and mitigate IT risks in relation to such information (for example, data loss and data theft), as well as the IT risks associated with the types of financial products or services offered.
  • Business impact assessments to analyse exposure to severe business disruptions and disaster recovery protocols.

A financial institution must also implement reasonable measures to protect IT users, including customers, who engage with the financial institution via online systems. Customer awareness programmes detailing these security measures must also be implemented to protect customers.

The Joint Standard requires that policies and procedures relating to the IT risk management framework and the handling of sensitive or confidential information are independently reviewed. The Joint Standard identifies the internal and external audit functions of the financial institution, or an independent control function, as having the capability to conduct independent reviews.

3. Relationship with other cyber and data privacy legislation

The FSCA and PA have indicated there is an urgent need to ensure that minimum regulatory requirements against digital and cyber risks are introduced by financial institutions.

The Joint Standard expressly refers to the Protection of Personal Information Act (POPIA). This means the Joint Standard should be read with the obligations set out under POPIA (and any other applicable legislation) when personal information is processed or when technical measures are implemented.

Compliance with the Joint Standard and POPIA should be assessed simultaneously because it is likely there is an overlap in the compliance requirements.

More related standards

Clyde & Co says the Authorities are expected to release further standards focusing on cyber risk in the coming years.

At the beginning of this year, the FSCA and the PA issued a revised version of their draft joint standard on cybersecurity and cyber resilience.

Disclaimer: This article provides information of a general nature and does not constitute legal advice that is appropriate to every individual’s or organisation’s needs and circumstances.