South African financial services organisations have around 15 months to comply with the new Joint Standard: Cybersecurity and Cyber Resilience by the Financial Sector Conduct Authority (FSCA) and the South African Reserve Bank (SARB) Prudential Authority.
This is according to experts participating in a webinar hosted by Rubrik last week on the Joint Standard for Cyber Resilience.
The SARB expects the new Joint Standard to be passed in around three months’ time, after which financial sector organisations will have 12 months to comply.
However, organisations will have to move now to become compliant, as many are still in the early stages of preparing, it emerged. A poll of participants revealed that only 2% are 100% prepared to implement the Joint Standard and an audit. 22% said they had completed a gap analysis and were swiftly moving to prepare for it. 28% were investigating the policy with a view to preparing and a further 28% had not yet investigated the policy. 18% responded ‘What are the Joint Standards?’
Noting that boards would be held accountable, Dr Sizwe Gwala, head of data governance at ABSA Group Compliance, outlined the Joint Standard's requirements. He said they applied to all financial sector organisations, including banks and mutual banks, insurers, collective investment schemes, market infrastructures, discretionary and administrative FSPs, and retirement funds and derivative providers.
The Joint Standard was drafted to enhance and support the efficiency and market integrity of financial markets as well as protect financial customers. It outlines measures to mitigate cyber risk, and also states that financial institutions have a responsibility to recover and continue operations in the event of a cyber attack.
Panellists noted that cyber resilience was also required to build trust in local financial systems and enable international trade and integration.
Gwala said: “The South African financial system is large, concentrated and interconnected, with cross-border linkages and six systematically important financial market infrastructures – four payment systems, CDS/SSS.STRATE, and the CCP:JSE clearing house. Information technology is key for these systems, therefore we have to build and embed adequate cyber security and cyber resilience in these systems.”
He said financial institutions needed to ensure adequate cyber security and cyber resilience measures, including establishing robust processes for managing cyber risks and promoting the adoption of cyber security fundamentals and hygiene practices to preserve the confidentiality, integrative and availability of data and IT systems. They also had to undertake systematic testing and assurance of the effectiveness of their security controls. The Joint Standard also provides for notification of material cyber incidents to the authorities, he said.
Graham Vorster, MD of Black Swan Technology Consulting, said the Joint Standard came at a time when cyber attacks on organisations in Africa were being ramped up. “Some statistics say attacks on South Africa increased by 800% quarter over quarter. For integration and competitiveness in international economies, trust is a key pillar, and a lack of cyber resilience undermines trust,” he said.
If national and transnational economies aren’t trusted, we will miss global opportunities.Lloyd Timcke, SA country manager, Rubrik.
He also noted: “Only some of the costs of an attack on a financial sector organisation are direct and related costs. What we don’t measure is the effect on the entire ecosystem, our economy, and our ability to compete on the international stage.
Scott Timcke, senior research associate at Research ICT Africa, added: “It’s important to think about the pushes to market integration taking place on the African continent, where many countries don’t even have a national cyber incident response plan in place. If national and transnational economies aren’t trusted, we will miss global opportunities, he noted.
Lloyd Timcke, country manager: South Africa at Rubrik, said that in addition to mitigating the risk of financial losses, it was important to boards to avoid the reputational impact of ransomware. He said the ability to recover from an attack was crucial for resilience.
Eric Badenhorst, field CTO – SSA at Rubrik, echoed this, saying: “Organisations invest a lot of time in various security practices and solutions, but backup and recovery are often seen as a grudge purchase and approaches haven’t moved with the times. Many companies are falling short in that they have implemented key areas of data security, with air gapped, online or offline versions of data, but they haven’t modernised those environments. They need to understand where data is being backed up, if any personal identifiable information is exposed, and where the safe recovery points are. The last known good might not be the best recovery point as the malware may have been in the environment for some time, and could reinfect the environment.”
Lloyd Timcke and Badenhorst outlined Rubrik’s approach to data security, which ensures backups are immutable and cannot be edited, encrypted or deleted.