Joint Standard on Cybersecurity and Cyber Resilience

Retirement funds administer a significant amount of personal and financial information. Moreover, they hold about R4.3 trillion in invested assets, about half of the country’s GDP. Introducing the two-pot system adds flexibility and access for members, increasing the number of transactions in retirement funds. This combination of information, assets and flexibility represents a high level of risk when it comes to the technology infrastructure and protocols deployed to process information and transactions safely.

In this environment, cybersecurity, and keeping information safe, is an increasingly critical concern and risk mitigation area for retirement fund trustees.

Because of this, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements for Financial Institutions (“the Joint Standard”). Retirement funds, and retirement fund administrators, are considered financial institutions in the context of this Joint Standard. Trustees must, therefore, prioritise awareness and proactive measures to safeguard their members’ retirement savings from cyber threats.

Joint Standard

The Joint Standard sets out the minimum standards for sound practices and processes of cybersecurity and cyber resilience for categories of financial institutions. Key components include requirements for implementing security-by-design principles in software development, establishing access controls, and ensuring proper incident response protocols.

Retirement funds will have to implement processes, and make sure they have the tools and technology, to prepare for cyber-attacks as well as to respond to and recover from such attacks.

The Joint Standard addresses requirements relating to governance, cybersecurity strategy and framework, cybersecurity and cyber resilience fundamentals, cybersecurity hygiene practices, as well as regulatory reporting.

Requirements in the Joint Standard

Joint Standard 2 of 2024 requires financial institutions to:

    • Establish and maintain a cybersecurity strategy and framework to address changes in the cyber threat landscape, manage cyber risks, allocate resources, and identify and remediate gaps.
    • Identify and classify business processes and information assets in terms of criticality and sensitivity, which in turn must inform the prioritisation of protective, detective, response and recovery efforts.
    • Carry out security risk assessments on critical operations and information assets to ensure protection against compromise.
    • Ensure that access to information assets and associated facilities is limited to users, processes, and devices authorised by the fund.
    • Review their privacy policies developed in terms of POPIA to make sure that cybersecurity issues are raised and mitigated.
    • Make sure agreements with service providers provide for the secure return, transfer or deletion of data upon termination of services.
    • Regularly provide training and resources to educate members about cybersecurity risks and safe online practices. Clear communication regarding how to verify requests for personal information or changes in banking details is crucial, especially for less tech-savvy members.
    • Notify the Authorities of any material systems failure, malfunction, delay or other disruptive event, or any cyber incident, within 24 hours.
    • Engage in information-sharing initiatives with other retirement funds and industry stakeholders to stay updated on emerging threats, trends and effective risk management strategies.

Effective date

The effective date of the Joint Standard is 1 June 2025. However, the Authority has encouraged retirement funds to prepare ahead of the effective date, as requirements significantly impact operational practices.

Take action now to ensure your retirement fund is ready for the Joint Standard 2 of 2024 by June 1, 2025.
