Navigating the new cybersecurity reality
Cybersecurity isn’t just an IT issue anymore - it’s a boardroom imperative.
That message came through clearly during Norton Rose Fulbright’s Annual Cybersecurity Webinar where the firm’s South African cybersecurity team unpacked the compulsory cybersecurity rules now governing financial institutions under the Prudential Authority and FSCA’s latest joint standards.
The session offered a practical, insight-driven look at how these regulatory expectations are reshaping risk management, governance and operational resilience across the financial services sector.
“Cybersecurity can feel intimidating - full of jargon, acronyms and tech speak,” the Norton Rose Fulbright team explained. “But at its core, it’s the same as securing your home. You identify your most valuable assets, make sure only those who belong have keys, and ensure everyone in the house understands the rules.”
That analogy set the tone for an engaging session, exploring not only the new regulatory landscape but also the real-world pitfalls that continue to trip up even the most sophisticated financial institutions.
Why the financial sector is in the crosshairs
The financial sector remains one of the most targeted industries globally - and in South Africa, it’s no different.
“Financial institutions hold very juicy data,” the team noted. “It’s information that threat actors can sell, use to impersonate people, or exploit to disrupt critical services. If you hit the financial sector, you hit at the heart of the economy.”
That criticality is precisely why the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) have stepped in with compulsory cybersecurity and cyber-resilience standards. Joint Standard 2, which came into effect in June 2025, sets out detailed requirements for how financial institutions must prepare for, respond to, and report cyber incidents.
These rules reflect a broader shift: regulators now expect resilience, not just compliance.
“Anyone who tells you that you are secure is lying,” the team cautioned. “It changes all the time. What you need to be is resilient. You need to be ready for when something happens - because it’s a ‘when’, not an ‘if’.”
Inside the new regulatory requirements
Under the joint standards, financial institutions must not only have robust controls in place but also be able to demonstrate compliance when called upon.
That means detailed documentation - policies, risk assessments, board minutes and testing evidence - showing how cyber resilience is embedded across the organisation.
“We see most people put measures in place but fail to document them,” the team said. “That’s a major problem. If you can’t show the regulator how you meet the standard, you might as well not have done it.”
Another headline development is the tightened notification requirement. The regulators’ draft notification protocol, released for comment earlier this year, gives institutions just 24 hours to determine whether a cybersecurity event is “material” and report it to both authorities.
“That’s a very tight window, especially when facts are still emerging,” the team explained. “The initial notification isn’t a tick-box exercise either - it requires detailed information about the attack type, exploited vulnerabilities and any third-party implications.”
And is the 24-hour timeline practical? The team was frank: “It’s nuts, to be honest. Even under GDPR, you have 72 hours. Here, you have just one day to make a call, prepare your notification and submit it - while still managing the actual crisis.”
Cybersecurity is a team sport
One of the strongest themes of the webinar was shared accountability. Too often, cybersecurity is left entirely to the IT department - a dangerous assumption that can leave organisations exposed both operationally and legally.
“Cybersecurity is a team sport,” the Norton Rose Fulbright team stressed. “Your IT team might be your star player, but they can’t cover all the positions on the field.”
The team described a recent case where a compromised logging server - initially considered low-risk - turned into a multi-jurisdictional regulatory investigation. Because the misconfiguration was known only to one technical team and never escalated to information security, privacy or legal teams, the issue went undetected until it spiralled.
“On paper, it was a low-impact event,” the team said. “But because teams weren’t talking, it cascaded into a cross-border legal, operational and reputational crisis that took months to resolve.”
That lack of communication, the team warned, remains one of the biggest vulnerabilities in many organisations.
“Board members and legal teams can’t abdicate this to IT. They need to understand enough to ask the right questions and ensure the organisation as a whole is cyber resilient.”
Third-party risks
Cyber risk doesn’t stop at an organisation’s own systems. Increasingly, incidents originate with third-party providers - from IT vendors to data processors and cloud partners.
“Even if your own cybersecurity framework is top of the range, your exposure extends to your service providers,” the team warned. “We’ve seen many incidents this year where breaches happened at third parties, and the financial institution still had to notify regulators and impacted data subjects.”
They stressed the importance of contractual safeguards, continuous monitoring and proper due diligence.
“Something as simple as dark-web monitoring on your third-party providers can give you early warning that something’s wrong,” the team advised. “Basic checks up front can save a lot of pain later.”
Governance starts at the top
Perhaps the most critical message of the webinar was the role of leadership. Under the joint standards, board oversight of cybersecurity isn’t optional - it’s a legal obligation.
“Tone from the top is essential,” the Norton Rose Fulbright team emphasised. “Each director, as part of their fiduciary duties, must ensure the organisation is compliant with cybersecurity law and take the necessary steps to protect the business and its customers.”
That includes having cybersecurity as a standing item on the board agenda, bridging the gap between the CIO, CISO, legal and compliance teams, and ensuring ongoing investment in monitoring, testing and incident response.
“Boards often see big numbers for cybersecurity budgets and balk,” the team observed. “But without context, they don’t understand the true risk. A single breach can become an existential threat.”
Managing incidents through a legal lens
The Norton Rose Fulbright team also highlighted the importance of managing incident response under legal privilege - especially in the high-stakes environment of regulatory reporting, litigation and class actions.
“When we meet you on the worst day of your life - with a ransomware note in your inbox and your systems down - we want you to have managed your compliance and response through a legal lens,” the team said.
Doing so protects sensitive investigations from unnecessary disclosure and ensures communications are consistent across jurisdictions, where privilege rules differ significantly.
“We’ve seen too many cases where internal emails from IT staff admitting fault end up in discovery,” the team cautioned. “You need legal oversight from day one.”
The road ahead
As cyber threats grow more sophisticated - aided by AI and insider risks - compliance alone will no longer be enough. Financial institutions must embed resilience into every layer of their operations, from procurement to board oversight.
“Hackers are ahead of us all the time,” the Norton Rose Fulbright team concluded. “They take pride in finding ways around defences. The only way to stay safe is through continuous monitoring, improvement and collaboration.”
Watch the full webinar
To explore these insights in full and gain practical guidance on the new compulsory cybersecurity rules, watch the full webinar here:
Annual Cybersecurity Webinar 2025 — Norton Rose Fulbright
Writer’s Thoughts
In a rapidly evolving threat landscape, South Africa’s financial institutions can no longer afford to view cybersecurity as a back-office function - it is a strategic, board-level responsibility that underpins trust and resilience. As the Norton Rose Fulbright team reminded attendees, true preparedness lies not in ticking compliance boxes, but in building a culture where security, governance and accountability work hand in hand. Do you agree? Please comment below, interact with us on Twitter at @fanews_online, or email me your thoughts at [email protected]