JOINT STANDARD ON CYBERSECURITY AND CYBER RESILIENCE
Retirement funds administer a significant amount of personal and financial information. Moreover, they hold about R4.3 trillion in invested assets, about half of the country’s GDP. Introducing the two-pot system adds flexibility and access for members, increasing the number of transactions in retirement funds. This combination of information, assets and flexibility represents a high level of risk when it comes to the technology infrastructure and protocols deployed to process information and transactions safely.
In this environment, cybersecurity and keeping information safe are an increasingly critical concern and risk mitigation area for retirement fund trustees.
Because of this, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements for Financial Institutions (“the Joint Standard”). Retirement funds, and retirement fund administrators, are considered financial institutions in the context of this Joint Standard. Trustees must, therefore, prioritise awareness and proactive measures to safeguard their members’ retirement savings from cyber threats.
Joint Standard
The Joint Standard sets out the minimum standards for sound practices and processes of cybersecurity and cyber resilience for categories of financial institutions. Key components include requirements for implementing security-by-design principles in software development, establishing access controls, and ensuring proper incident response protocols.
Retirement funds will have to implement processes and make sure they have the tools and technology to prepare them for cyber-attacks as well as respond to and recover from such attacks.
The Joint Standard addresses requirements relating to governance, cybersecurity strategy and framework, cybersecurity and cyber resilience fundamentals, cybersecurity hygiene practices, as well as regulatory reporting.
Requirements in the Joint Standard
Joint Standard 2 of 2024 requires financial institutions to:
- Establish and maintain a cybersecurity strategy and framework to address changes in the cyber threat landscape, manage cyber risks, allocate resources, and identify and remediate gaps.
- Identify and classify business processes and information assets in terms of criticality and sensitivity, which in turn must inform the prioritisation of protective, detective, response and recovery efforts.
- Carry out security risk assessments on critical operations and information assets to ensure protection against compromise.
- Ensure that access to information assets and associated facilities is limited to users, processes, and devices authorised by the fund.
- Review their privacy policies developed in terms of POPIA to make sure that cybersecurity issues are raised and mitigated.
- Make sure agreements with service providers provide for the secure return, transfer or deletion of data upon termination of services.
- Regularly provide training and resources to educate members about cybersecurity risks and safe online practices. Clear communication regarding how to verify requests for personal information or changes in banking details is crucial, especially for less tech-savvy members.
- Notify the Authorities of any material systems failure, malfunction, delay or other disruptive event, or any cyber incident, within 24 hours.
- Engage in information-sharing initiatives with other retirement funds and industry stakeholders to stay updated on emerging threats, trends and effective risk management strategies.
Effective date
The effective date of the Joint Standard is 1 June 2025. However, the Authority has encouraged retirement funds to prepare ahead of the effective date, as the requirements significantly impact operational practices. Take action now to ensure your retirement fund is ready for Joint Standard 2 of 2024 by 1 June 2025.