• Home
  • /
  • Fintech
  • /
  • SARB cracks cyber security whip on payments firms

SARB cracks cyber security whip on payments firms

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 23 May 2024
Payment institutions and operators must have written cyber governance arrangements.
Payment institutions and operators must have written cyber governance arrangements.

With local organisations facing a barrage of cyber attacks, the South African Reserve Bank (SARB) has taken measures to protect the national payment system (NPS).

Last week, the central bank issued a directive in respect of cyber security and cyber resilience within the NPS – a set of instruments, procedures and rules that enable funds to be transferred from one financial institution to another.

This, as cyber criminals increasingly target financial services providers, motivated by the financial gains they may derive from the institutions.

According to the SARB, the NPS is a primary component of the country’s monetary and financial system, as it enables the circulation of money and assists transacting parties in making payments and exchanging value.

The Payments Association of South Africa (PASA) is recognised by the SARB as a payment system management body, to organise, regulate and manage its members in the payment system.

ITWeb’s several attempts to reach out to the PASA for comment on the directive were unsuccessful.

The central bank explains the payment landscape has evolved significantly over the past two decades, with digitisation, financial technology, automation and artificial intelligence changing the manner in which payments are effected.

Double-edged sword

It says the rapid growth in digitisation and automation has introduced alternative payment solutions that are faster, more cost-effective and more efficient.

However, the SARB notes these technologies also increase cyber risk in the NPS, as payment institutions become more dependent on computer networks and third-party IT service providers.

“This requires an increased level of resilience against cyber incidents, as cyber attacks on IT infrastructures, particularly those that are critical, could lead to a disruption that might develop into systemic events in the NPS, thus impacting negatively on the soundness, integrity, safety and efficiency of the NPS.

“The cyber environment exposes payment institutions, operators as well as payment, clearing and settlement systems to potential operational, legal and reputational risks, including business interruptions, data loss, fraud, breach of privacy and network failures, which may result in financial losses,” says the bank.

It notes that cyber security and cyber resilience contribute positively to the operational resilience of payment institutions, operators, as well as payment, clearing and settlement systems and payment systems, financial management information systems (FMIs), and further contribute to the overall resilience of the broader NPS.

The central bank is of the view that the resilience of payment institutions, operators as well as payment, clearing and settlement systems will minimise disruptions within the NPS and contribute to maintaining the confidence of consumers in payment systems and services.

Furthermore, it adds, it is vital that payment system FMIs, as essential platforms in the NPS, are also secure from, and resilient to, cyber threats and cyber attacks.

“A lack of security controls and recovery from cyber attacks and cyber threats may lead to low levels of cyber security protection and the failure to settle obligations in the settlement system by the end-of-value date, trigger a systemic event and/or cause financial instability,” the central bank notes.

Way forward

The SARB, therefore, directs payment institutions and operators to have written effective cyber governance arrangements and be able to identify critical operations and information assets.

They have also been directed to ensure cyber security frameworks include security controls, processes and systems that effectively protect and safeguard the confidentiality, integrity and availability of services provided, as well as the information handled by payment institutions, operators, payment, clearing or settlement systems, or payment system FMIs.

“These measures should, however, be proportionate to the threat landscape, risk tolerance and systemic role of the payment institution, operators, payment, clearing or settlement systems or payment system FMIs in the NPS,” says the central bank.

The directive also propels the industry to have arrangements in place designed to enable the resumption of critical operations safely and swiftly after a cyber incident.

Payment institutions or operators must report material cyber incidents to the SARB within 24 hours and provide the SARB with a report within 48 hours of the cyber attack, the regulator says.

The SARB says it may, at any time, conduct a supervisory onsite or offsite inspection on payment institutions or operators, in a form and manner that it may determine, to promote compliance.

This directive will be effective three months after its publication, the SARB concludes.