Do you have R1.5m plus for cybersecurity compliance?
The latest joint standard issued by the Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) suggests that regulators are out of touch with the operational realities of South Africa’s small, medium and micro-enterprises (SMMEs). Financial services providers (FSPs) that employ between 50 and 100 employees would have to spend around ZAR1.5 million annually to have any hope of full compliance with the revised draft of the Joint Standard: Cybersecurity and Cyber Resilience Requirements for Financial Institutions, 2023, issued in December 2022. More on the costs later; first the background.
Dozens of FSPs on the hit-list
The first draft of this joint standard was issued in December 2021 to set out “the minimum requirements and principles for sound practices and processes of cybersecurity and cyber resilience for categories of specified financial institutions”. And the joint regulators have shared a long list of these specified financial institutions, including banks; mutual banks; insurers; asset managers; discretionary FSPs; Category I FSPs; administrative FSPs; registered pension funds; OTC derivative providers; pension fund administrators; and registered credit rating agencies. We leave it to you, dear reader, to determine whether your operation will have to comply with this joint standard. If yes, then you had best review and comment on the draft, available for download from the General FSCA Legislation page.
The regulators set out the objectives of this regulatory intervention in section 4 of Annexure B, which boasts the wordy title: ‘Statement of the need for, expected impact and intended operation of the proposed joint standard on cybersecurity and cyber resilience requirements for financial institutions’. Per this document, “financial institutions must have adequate cybersecurity and cyber resilience measures; the proposed joint standard sets out the requirements for sound practices and processes of cybersecurity and cyber resilience for financial institutions”. Specifically, affected financial institutions will have to:
- Establish sound and robust processes for managing cyber risks;
- Promote the adoption of cybersecurity fundamentals and hygiene practices to preserve confidentiality, integrity and availability of data and IT systems;
- Undertake systematic testing and assurance regarding the effectiveness of their security controls;
- Establish and maintain cyber resilience capability, to be adequately prepared to deal with cyber threats; and
- Provide for notification by the regulated entities of material cyber incidents to the authorities.
Regulation fit for billion-dollar budgets
The 15-page Annexure A is where the rubber really hits the road, with the authorities describing a long list of best-practice requirements that regulated institutions must meet to ensure cybersecurity and cyber resilience. These requirements, dear reader, look like something that even the largest banks or insurers with billion-dollar budgets might struggle to pull off. They include establishing and maintaining a cybersecurity strategy that is approved by a governing body and aligned with the overall business strategy (7.1.1); reviewing this strategy annually (7.1.2); establishing a cybersecurity framework (7.1.3); and establishing cybersecurity policies, standards and procedures that are informed by industry standards and best practices (7.1.5), to name a few. Triggered yet?
The requirements soon escalate from tough to near impossible. In addition to the administration and planning, financial institutions must put in place a range of measures to increase systems security and ensure that their staff are up to speed on all matters cybersecurity. The bulk of the costs will stem from compliance with section 8.2 of the draft joint standard, titled ‘Protection’. As proposed, the authorities will require firms to implement strict identity and access management (8.2.2); data security (8.2.3); application and system security (8.2.4); and network security (8.2.5), among others. Financial institutions will also have to ensure that their staff receive cybersecurity awareness training. Significant costs will also attach to the vulnerability testing (8.6.2) and penetration testing (8.6.3) requirements.
How much will this grand cybersecurity design cost?
We spoke to Shane Visscher, Business Development Lead at Barefoot Cyber, to get a sense of what the regulators might expect and to figure out what compliance with the proposed joint standard might cost a small firm. Based on a company with 50-100 employees and 50 seats, we came up with a total cost of around ZAR1.5 million per annum. Of course, the eventual price tag will vary from one firm to the next depending on existing infrastructure and IT expenditure.
A typical SMME could easily blow ZAR150 000,00 on consultants just to create and maintain the required cybersecurity framework and strategy. Software tools that might assist SMMEs to comply with the regulation are costly too, easily running to ZAR420 000,00 per annum in fees and licences to protect against, detect and respond to cybersecurity threats. This excludes another ZAR180 000,00 in annual consulting fees to ensure that the software is optimally deployed and used, and another ZAR45 000 in employee cybersecurity awareness training, annually.
You can then add another ZAR150 000,00 for vulnerability assessments and penetration testing and ZAR400 000 to comply with a range of cybersecurity hygiene practices. The latter amount includes around ZAR14 250 per month for comprehensive malware protection for 50 users, at ZAR285,00 per user per month. Overall, Visscher estimates an SMME could incur ZAR2 500 per employee per month in additional costs to fully comply with the proposed joint standard. And that is a staggering number given the financial burden of compliance with a range of other regulations, especially in the financial services sector.
Simpler solutions make more sense
Visscher’s suggestion is to carefully consider the impact of the proposed regulation, and perhaps take a leaf out of the book of the United Kingdom’s National Cyber Security Centre (NCSC), a government initiative that advises businesses on their cybersecurity journeys, offering best-practice advice for both individuals and businesses of varying scale.
The central message in today’s article is that local financial institutions in the SMME segment will find it incredibly difficult to comply with the joint cybersecurity standard as currently proposed. And the last thing that South Africa needs is another complex piece of financial sector regulation that is difficult or financially impossible for regulated entities to comply with.
Writer’s thoughts:
South African businesses are under tremendous financial pressure which means they often compromise on best practice solutions in favour of affordability. Unfortunately, this compromise falls away when best practice becomes part of the regulatory environment. Could you find another ZAR2 500,00 per employee, per month and still run your practice properly? Please comment below, interact with us on Twitter at @fanews_online or email us your thoughts editor@fanews.co.za.
Comments
It's getting to a point where I no longer want to take on any new clients unless they are going to make me a profit, and they are few and far between these days.
I have been reading, studying, and testing lots of systems and implementing systems for a very long time. Now my average spend per employee is around R950-00 per month.
Then you have system standard Digital Filing and Cybersecurity Systems with the focus on business continuity and securing business and customer personal information.