LEGAL NOTE AUGUST 2024 – Joint Conduct Standard 2 0f 2024 ‘Cybersecurity and Cyber Resilience’

In conjunction with the Prudential Authority (PA), the Financial Sector Conduct Authority (FSCA) on 16 May 2024, published Joint Standard 2 of 2024 titled “Cybersecurity and Cyber Resilience”. The joint standard applies to various financial institutions, including (but not limited to) banks, insurers, retirement funds (and fund administrators) and collective investment scheme managers. It sets out detailed requirements and principles for sound practices and processes relating to cybersecurity and cyber resilience.

Background

The PA has the mandate to promote and enhance the safety, and soundness of regulated financial institutions and market infrastructures. The FSCA has a responsibility to enhance and support the efficiency and integrity of financial markets as well as protect financial customers.

With increased digitalization, the manner in which financial institutions interact with their clients has changed drastically over recent years, using advanced technology. Besides creating various efficiencies, this advanced technology has created many unexpected risks to businesses in general. Cyber-attacks frequently target the financial sector which compromises their sustainability.

The Joint Standard sets out the minimum standards for sound practices and processes of cybersecurity and cyber resilience for categories of financial institutions. Financial institutions will have to implement processes and have tools and technology which will prepare them for cyber-attacks as well as respond to and recover from such attacks. The Joint Standard addresses requirements relating to governance, cybersecurity strategy and framework, cybersecurity and cyber resilience fundamentals, cybersecurity hygiene practices, as well as regulatory reporting.

The requirements

The Joint Standard aims to:

• ensure that financial institutions establish sound and robust processes for managing cyber risks;

• promote the adoption of cybersecurity fundamentals and hygiene practices to preserve confidentiality, integrity and availability of data and IT systems;

• ensure that financial institutions undertake systematic testing and assurance regarding the effectiveness of their security controls;

• ensure that financial institutions establish and maintain cyber resilience capability, to be adequately prepared to deal with cyber threats; and

• provide for notification by the regulated entities of material cyber incidents to the Authorities.

It sets out detailed principles that financial institutions must comply with, including but not limited to:

• establishing and maintaining a cybersecurity strategy that is aligned with its overall business strategy and reviewed at least annually;

• implementing cyber resilience capabilities and practices to prevent, limit and/or contain the impact of a potential cyber event or cyber incident;

• installing network security devices to secure the network;

• establishing a comprehensive cybersecurity awareness training programme;

• monitoring and detecting cyber events and cyber incidents;

• implementing an incident response and management plan;

• testing control effectiveness;

• conducting regular vulnerability assessments on its IT systems; and

• implementing malware protection.

It also includes a reporting requirement in terms whereof financial institutions are required to notify the responsible Authority of a material cyber incident or information security compromise.  The Authorities’ consultation report on the Joint Standard provides that this notification must occur within 24 hours of classifying the event as material. 

Responsibilities

The governing body is ultimately responsible for ensuring that the financial institution complies with the Joint Standard, which would be the board of trustees in a retirement fund. This oversight function can be delegated to an existing or new committee. The trustees must ensure that a sound and robust cybersecurity strategy and framework is established, implemented and maintained, collaborate with other stakeholders, and ensure that the roles and responsibilities for security are clearly defined in a services agreement with third-party service providers. Cyber risk management should be incorporated into the governance and risk management structures, processes and procedures of a financial institution.

Conclusion

The Joint Standard is envisaged to commence on 1 June 2025. Notwithstanding the fact that the Joint Standard will likely take effect after 12 months, the Authorities have urged the industry to start preparing for its implementation.

REFERENCE:  Joint Conduct Standard 2 0f 2024 ‘Cybersecurity and Cyber Resilience’