Caught off guard by Sunday’s cybersecurity standard

02 June 2025 | Compliance - Regulatory | General | Gareth Stokes

If your weekend was disrupted by a sense of unease, or a nagging feeling that there was something amiss, then FAnews may know the cause. Sunday, 1 June 2025 is the day from which South African financial services providers (FSPs) have to comply with the new rules contained in Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements.

The standard was issued by the Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) in May last year; but it was in the pipeline far longer than that. In fact, your writer covered it way back in 2023 in an article titled: Do you have R1.5m plus for cybersecurity compliance? In other words, you had a year of the standard being debated, and then another year to get your house in order. 

COFI will have to wait

Insurers, intermediaries, and underwriting management agencies (UMAs) were reminded of the implementation date for the standard during a financial sector regulatory overview presentation to the 2025 SAUMA Conference, held in Johannesburg recently. Those unable to attend the in-person-only event should pay close attention to the views shared by the FSCA’s Lezanne Botha. 

“The Cybersecurity and Cyber Resilience Standard is not just another compliance tick-box exercise; cyber threats pose a fundamental risk to your business, your reputation, and the broader financial system,” Botha said. Much of her presentation focused on the FSCA’s evolving regulatory strategy, including the forthcoming Conduct of Financial Institutions (COFI) Bill, cross-sectoral conduct themes such as culture and governance and outsourcing, and the broader effort to simplify and harmonise South Africa’s fragmented regulatory framework. FSPs can probably ‘park’ COFI for now because this cybersecurity standard is more pressing. 

The standard outlines detailed minimum requirements for cybersecurity preparedness and information technology (IT) resilience across the financial sector. It aims to embed a proactive, strategic approach to cybersecurity, applicable to all regulated institutions. FAnews readers, many of whom own or work in smaller advice firms, should note that the standard does not allow for leniency on account of size. Of equal importance is that your compliance responsibility cannot be outsourced; if your critical systems are managed by third-party providers, the obligation to ensure cybersecurity remains yours. 

Guidance for cybersecurity compliance

So, what do you have to do to ensure compliance? At its heart, the joint standard calls for you to adopt a comprehensive cybersecurity framework appropriate to your business’s risk profile. The onus is on your leadership team, including the board, executive team and senior management, to ensure the business is equipped to detect, identify, protect against and respond to cybersecurity threats. As such, cybersecurity is no longer an IT afterthought but a governance priority. It is also clear that compliance cannot be delegated to a single department. Everyone, from client-facing staff to the C-suite, must understand their role in the cybersecurity chain. 

Restated, compliance with the standard requires an institution-wide response, ranging from the systems used in your business to the employee behaviours embedded across it. The standard also emphasises awareness, training, and testing. Employees at all levels should be able to recognise and respond to threats such as phishing emails, social engineering attempts, and unauthorised access attempts, to name a few. Botha emphasised this during her presentation, hinting that the framework extends well beyond technology. 

The joint authority’s approach aligns with the cybersecurity lexicon developed by the Financial Stability Board (FSB). The lexicon sets out common definitions and terminology to support global regulatory coordination, and to encourage the treatment of cyber risk as a systemic threat rather than a niche concern. Locally, this is especially relevant given the interconnectivity of the financial sector, where a weakness in one part of the system can create ripple effects across the industry. 

The time to act is now

Some local institutions may already have mature cybersecurity policies in place, but the standard requires that these be formalised and continuously tested and improved. For many smaller businesses, the May 2024 arrival of the joint standard may have been the first indication of just how serious the regulators are about mitigating cyber threats. If you have done nothing over the past 12 months, FAnews suggests you move swiftly to establish the frameworks, policies, and procedures needed to address the key risks. 

One of the more critical aspects of the regulation is the mandatory notification requirement. From 1 June, if you experience what is defined as a material incident, then you are obliged to report it to both the FSCA and PA without delay. A material incident is defined as “a cyber incident or an information security compromise that materially affects the confidentiality, integrity, or availability of the information assets or information systems of the entity.” This move brings South African regulations in line with global best practice, where timely disclosure is seen as essential to managing systemic risk. 

Materiality, in this context, is not only about financial impact. Data loss, operational disruption, and reputational harm may all trigger the reporting threshold. That makes it vital for FSPs to have not just detection mechanisms in place, but also a clearly documented and well-practised incident response plan. Why vital? Because section 11.1 of the Joint Standard 2 of 2024 states that failure to comply may result in “administrative sanctions, penalties or other enforcement action, as provided for in the Financial Sector Regulation (FSR) Act.” 

Implementation remains a major challenge

The practical challenge is in the implementation. Many intermediaries outsource parts of their IT infrastructure, rely on cloud-based applications, or share systems with other service providers. While the standard acknowledges this reality, it makes clear that accountability cannot be outsourced. Intermediaries must ensure that third-party providers are contractually bound to meet the required standards and must retain oversight of these arrangements. For those unsure where to begin, several industry resources are already available. 

Cyber risk consultancy Wolfpack Information Risk has released frameworks and assessment tools to help financial institutions align with the standard. In fact, their offering featured in a FAnews article, ‘Cybercriminals do not care how small your business is’, which explores how intermediaries can close the gap between regulatory expectations and practical implementation. Legal firms like Michalsons have also unpacked the standard in plain English, helping smaller businesses translate regulatory language into action. You are welcome to Google for the legal write-up. 

The joint standard was published with a 12-month lead time. From 1 June 2025 the expectation is full compliance; or, at minimum, you need to have a credible plan that sets out how you intend to achieve it. The FSCA and PA have given no indication of their near-term enforcement approach, but the messaging has been consistent: cyber risk is well understood, and delays in compliance expose institutions, the broader financial system, and your clients (consumers) to unnecessary risk. 

Yes, this just happened, like yesterday

Any hopes of a last-minute implementation date deferment have been dashed. And remember, this regulatory development is not a once-off event. The standard will evolve alongside the cyber threat landscape. So, if you treat Joint Standard 2 of 2024 as a compliance hurdle to clear and then forget, you are missing the point. It is a catalyst for strategic change and will demand a reassessment of how you use technology across your business. 

For intermediaries, this moment represents both a challenge and an opportunity. The challenge is to align your processes, systems, and staff with a demanding new standard. The opportunity lies in building trust with clients, outsource partners, and suppliers. Those who demonstrate resilience and maturity in this area will stand out in an industry where operational integrity matters more than ever. As Lezanne Botha put it: “The Joint Standard on Cybersecurity and Cyber Resilience Requirements is very important; the risks are fundamental.” 

Writer’s thoughts:

The clock has run out on the deadline to ensure that your advice practice or brokerage is cybersecure. How prepared is your business, and do you believe your internal and external systems are up to scratch? Please comment below, interact with us on X at @fanews_online or email us your thoughts [email protected].
