The Joint Standard 2 for Cyber Security and Resilience – beneficial or burdensome?

By Noëlle van der Waag-Cowling, Strategy and Innovation Officer, Cyber Security Institute
Johannesburg, 23 Sep 2025
The ambit of the JS2 is wide, applying to almost all financial institutions.

Abstract

The FSCA’s mandatory Joint Standard 2 for Cyber Security and Resilience has received a mixed reception in the financial sector. From Big Business to SMEs, South Africa’s increasingly complex regulatory environment is increasing costs and straining resources. The flip side of this equation is South Africa’s rising cyber vulnerability and the damaging effect of cyber crime on GDP and consumers. In the absence of any discernible national cyber security interventions, the JS2 regulators would have recognised that, for financial sector stability, something had to be done.

Is the JS2 the answer? It’s probably too soon to tell – but here’s what we know so far.

Beneficial or burdensome?

In May 2024, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the Joint Standard 2 of 2024 - “Cyber Security and Cyber Resilience” (JS2). While this fundamental initiative went largely unnoticed in terms of national headlines, it constituted a quantum leap in South Africa’s cyber security eco-system.

The introduction of the JS2, which came into effect on 1 June 2025, is a sectoral first in terms of mandated sector-wide cyber security standards. The ambit of the JS2 is wide, applying to almost all financial institutions, from banks, insurers and pension funds through to credit rating agencies and FSPs. The JS2 was preceded by its stablemate, the Joint Standard 1 of 2023 for IT Governance and Risk Management (JS1); together, the two standards are indicative of a concentrated focus on digital risk, resilience and governance by the sector’s Regulators and the SA Reserve Bank.

Why the Joint Standard 2?

Many entities in the financial sector regard the Joint Standards as burdensome, requiring yet more resources to operationalise and maintain. Implementing and meeting the standards is a demanding process, requiring levels of expertise that most companies do not have in-house.

The flip side of the equation is that the regulatory intervention is critical to safeguard consumers and business continuity, protect data assets and build investor confidence. South Africa reflects significant levels of accumulated cyber security risk due to long-term underinvestment in cyber security and a strategic deficit outside of the major corporates. This risk is further amplified for both consumers and companies during an adverse cyber event, as there is no national cyber security centre to help or provide remediation advice.

The JS1 and JS2 intervention is therefore crucial in building out sectoral cyber security resilience, thereby reducing cyber risk at a systemic level as opposed to purely at an organisational level. The systemic dimension is fuelled by improved sector-wide cyber awareness, a mandated minimum cyber security standard across the board, improved security governance and third-party scrutiny.

That being said, it is essential to recognise that, for smaller entities in particular, the deployment and implementation of the JS2 can be onerous and complex, particularly when being rolled out under regulatory time pressures. Hopefully, the regulators are conscious of these challenges and will adopt an empathetic approach during what is turning out to be a protracted period of JS2 adoption on the ground.

Noëlle van der Waag-Cowling

Implementing the JS2 – common organisational challenges

The Cyber Security Institute has assisted many entities, ranging from the enterprise level to the micro businesses, in achieving JS1 and JS2 compliance. For CSI, working across the financial sector over the past 15 months on both standards has provided us with specific insights into sectoral level security challenges.

Some of our key takeaways are:

  • SMEs experience significantly more difficulty in fully implementing the JS2. The overarching reason for this is that SMEs seldom have an in-house security team. Some make use of external security partners – but these are typically engaged for technical and monitoring solutions and not for security governance functions. The introduction of the Joint Standards has changed that, with cyber security risk and compliance now becoming a focus point.
  • Many companies genuinely didn’t know how to get started. The JS2 is not straightforward to implement and requires the establishment of measurable security controls.
  • Critical security governance is often overlooked, with some companies assuming that the deployment of technical interventions is sufficient. Achieving good governance is further impacted by sub-optimal policy architectures in organisations.
  • Security awareness programmes are often lacking in SMEs.

On the upside we found positives too:

  • Since embarking on the JS2 pathway, more companies take cyber risk seriously and are willing to go the extra mile to enhance their security and resilience.
  • For many entities, increased cyber security expenditure over the medium term was probably an unforeseen grudge purchase. However, with the JS2 bringing greater organisational cyber risk awareness and vulnerability visibility, an increase in future expenditure by SMEs is foreseeable.
  • Across the board, the people we worked with were dedicated and committed to implementing the JS2. Overall, they demonstrated a keen interest in building their organisation’s security posture.
  • While regulatory compliance has driven companies to build out their security programmes, they also displayed a genuine will to grow their cyber security programmes beyond compliance.

The really hard part – third-party risk management

For large or small entities, third-party risk management (TPRM) is undoubtedly the single biggest security hurdle. In terms of building a more secure financial sector eco-system, this is a critical element of the JS2. Each third-party actor presents an unquantified potential liability and risk to an organisation. The regulators have targeted the fact that previous multiple breaches by third-party actors (in this case various credit bureaus) in the sector have resulted in millions of South African citizens’ highly personal data finding a permanent home on the dark web.

Many companies in the sector have hundreds of third-party links. This makes getting to grips with the cyber security maturity of each third party a very large undertaking – to put it lightly! Implementing a successful TPRM programme therefore takes major time and effort. From our experience, a substantial number of third parties are either unresponsive or minimally responsive, whilst others are naturally guarded, all of which complicates the TPRM process further. Against this background, many companies are finding out that their SLAs with suppliers are woefully insufficient to cover cyber and data risk. Suffice to say that building digital supply chain trust and integrity was always going to be a difficult exercise.

The scale and criticality of TPRM makes it a resource intensive operation for all organisations. Going forward we foresee that the ongoing management of third-party risk and reporting will become a predominant cyber security theme in all sectors with regards to both security and data privacy.

Getting the most from the Independent Review

The Independent Review is the final step towards complying with the JS2. According to CSI’s Director, Prof Elmarie Biermann: “It is vital that entities engage a credible provider with the necessary expertise and proven track record in the implementation of ISO/IEC 27001, the NIST Cyber Security Framework, the JS2 and POPIA for this process.”

The Independent Review entails three major aspects. Firstly, an in-depth review of your company’s governance framework, including policies. Secondly, an assessment of your cyber security controls and their maturity. Finally, your third-party risk assessment. The findings in the review report will highlight areas of strength, areas of weakness and priorities for remediation. An expert assessment will indicate what actions need to be taken to improve the maturity of your cyber security programme. As the assessment is an annual exercise, building a sound relationship with the team conducting it will ensure the annual reviews become an easier, more frictionless process over the ensuing years.

Futureproofing your cyber security programme - the JS2 lowdown

Apart from meeting regulatory prescriptions, being JS2 compliant offers several advantages for organisations. These range from enhanced reputation and stronger client relationships to operational resilience and leveraging competitive advantage through good governance.

The JS2 is, however, not a one-and-done exercise: the implementation challenges, together with third-party risk management and the ongoing monitoring and reporting requirements, demand significant effort and skill. It is therefore advisable to seek expert advice. Timely investment in governance and compliance technologies will streamline and support the processes required to achieve and maintain compliance with both the JS1 and JS2 Standards.

Editor's note:

The Cyber Security Institute is a well-established information security company which is renowned for its high levels of expertise and client care. CSI specialises in information security Governance, Risk and Compliance consulting and cyber security training. Our highly regarded security consultancy to the public and private sectors provides expert leadership in ISO/IEC 27001, NIST CSF, the JS1 & JS2 Standards and Data Privacy regulations.

The CSI Academy offers fully accredited, bespoke cybersecurity training programs, offered in partnership with universities. CSI also offers the full range of PECB Certifications.

CSI is the proud host of the annual Southern Africa-Netherlands Cyber Security Talent Accelerator and the Cyber Range partner to the Arctic University of Norway & Stellenbosch University.
