The FSCA and the Prudential Authority (PA) have issued a revised version of their draft joint standard on cybersecurity and cyber resilience for public comment.
The draft joint standard sets out the minimum requirements and principles for sound practices and processes of cybersecurity and cyber resilience for specified financial institutions. These institutions include banks, mutual banks, insurers, collective investment schemes, market infrastructures, discretionary and administrative FSPs, retirement funds and over-the-counter derivative providers.
The first version of the draft standard was published for comment in December 2021.
The revised version proposes to extend the scope of the standard to Category I FSPs that provide investment fund administration services, retirement fund administrators and credit rating agencies.
The regulators said the proposed joint standard seeks to:
- Ensure that financial institutions establish sound and robust processes for managing cyber risks;
- Promote the adoption of cybersecurity fundamentals and hygiene practices to preserve confidentiality, integrity and availability of data and IT systems;
- Ensure that financial institutions undertake systematic testing and assurance regarding the effectiveness of their security controls;
- Ensure that financial institutions establish and maintain cyber resilience capability, to be adequately prepared to deal with cyber threats; and
- Provide for notification by the regulated entities of material cyber incidents to the authorities, using a proposed notification template.
Cost implications for small firms
Comments received on the first draft raised concerns about the cost implications of the joint standard on smaller financial entities.
According to the updated Statement of Need, the responses argued that the joint standard “sets a high baseline for smaller institutions which on its own has cost and capacity implications, as smaller institutions would need to contract with IT security firms or IT infrastructure to ensure compliance”.
“The authorities do acknowledge this concern and have sought to address it by ensuring that the minimum requirements and principles set out in the joint standard must be implemented in a proportional manner that reflects the nature, size, complexity, and risk profile of a financial institution,” the Statement of Need says.
“Furthermore, the implementation of the relevant requirements contained in the joint standard will also be assessed in consideration of the nature, size, complexity and risk profile of a financial institution. In light of this, the expectation is that the costs that will be incurred by the smaller institutions will be commensurate with their size.
“The authorities also note that smaller non-systemic institutions would not have the same control environment compared to larger financial institutions. Supervisory discretion will be applied during compliance assessments, and the authorities will also be monitoring any unintended consequences as the joint standard is implemented.”
The FSCA has also opened the door to the possibility that small institutions can be exempted from specific requirements.
“As an additional mechanism to facilitate proportionality – for example, if there are still instances where a specific requirement is too onerous on a small financial institution despite the application of the aforementioned principle of proportionality – an exemption from a specific requirement of the joint standard might be considered, on application,” the statement says.
Deadline to comment
The deadline to comment on the revised joint standard is Tuesday, 28 February.
Comments on the documentation must be made using the template (Word document) and emailed to FSCA.RFDStandards@fsca.co.za for the attention of Mr Andile Mjadu and PA-Standards@resbank.co.za for the attention of Ms Kalai Naidoo.
Any enquiries may also be sent to Mjadu and Naidoo.