Ensuring Cybersecurity and Resilience:

Navigating the SARB Cybersecurity Directive and Joint Standards for Financial Institutions

Background and Overview

The South African Reserve Bank (SARB), together with the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA), has issued a directive and two Joint Standards that set a comprehensive regulatory framework for the IT and cybersecurity posture of financial institutions. On May 17, 2024, the SARB issued Directive No. 01 of 2024, titled “Directive in Respect of Cybersecurity and Cyber-Resilience within the National Payment System.” Together with Joint Standard 1 of 2023 (IT Governance and Risk Management Requirements for Financial Institutions) and Joint Standard 2 of 2024 (Cybersecurity and Cyber Resilience Requirements for Financial Institutions), both issued jointly by the PA and the FSCA, the directive establishes the regulatory framework for strengthening cybersecurity and resilience across South Africa’s financial sector. These instruments require financial institutions to adopt stringent cybersecurity controls, maintain robust IT governance, conduct risk assessments, and develop resilience frameworks to mitigate cyber threats. They also require institutions to align with industry best practice, safeguard critical financial infrastructure, and implement strict oversight of third-party service providers.

Impacted Businesses

The directive and standards apply to a broad range of entities, including:
• Financial Institutions: Banks, mutual banks, insurers, investment fund managers, pension funds, credit rating agencies, and discretionary FSPs.
• Payment Institutions: Clearing system participants, settlement system participants, third-party payment providers, and system operators.
• Market Infrastructure Entities: Financial market infrastructures, pension fund administrators, and over-the-counter (OTC) derivative providers.
• Third-Party IT Service Providers: Entities that provide IT services to financial institutions and payment operators.

Key Implications for Businesses

  1. Strengthened Cybersecurity and Risk Management

    Entities must implement cybersecurity frameworks incorporating governance, risk management, and resilience strategies in compliance with Joint Standard 1 of 2023 and Joint Standard 2 of 2024. This includes IT risk assessments, monitoring cyber threats, and implementing defense mechanisms such as multi-factor authentication (MFA) and encryption.
  2. Regulatory Compliance and Accountability

    • Board and Senior Management Responsibilities: Institutions must establish clear governance structures where the board and senior management oversee cybersecurity risk management.
    • Compliance Monitoring and Reporting: Regular cybersecurity audits and incident reports must be submitted to regulatory bodies.
  3. Cyber Resilience and Business Continuity

    Businesses must develop disaster recovery and resilience strategies so that they can detect, respond to, and recover from cyber incidents within defined timelines. SARB Directive 01 of 2024 requires critical financial systems to resume operations within two hours of a disruption, with a maximum recovery time of eight hours.
  4. Enhanced Third-Party Risk Management

    Under Joint Standard 2 of 2024, institutions must conduct due diligence and risk assessments on third-party vendors and cloud service providers, ensuring compliance with data security and privacy regulations.
  5. Cybersecurity Testing and Incident Response

    • Institutions must perform regular penetration testing and vulnerability assessments to proactively identify security gaps.
    • A structured incident response plan is required, ensuring rapid containment, mitigation, and recovery from cyberattacks.

Emerging Cybersecurity Trends and Statistics

  • Rising Cyber Threats: 2023 saw a 20% increase in cyber-attacks on financial institutions globally, with many targeting payment systems.
  • Digital Transformation: Over 70% of payment transactions in South Africa are now digital, making cybersecurity a top priority.
  • Financial Impact: The average cost of a financial sector data breach in 2023 was $5.85 million, underscoring the importance of robust security frameworks.
  • Regulatory Evolution: Over 80 countries have introduced new cybersecurity laws in the last five years, reflecting a global move towards stricter financial sector regulations.

Compliance Requirements for Businesses

To comply with the directive and standards, financial institutions must:

  1. Develop a Cybersecurity Strategy – Establish governance frameworks and align cybersecurity strategies with business risk tolerance.
  2. Conduct Regular Risk Assessments – Identify vulnerabilities in IT systems and third-party services.
  3. Implement Security Controls – Deploy MFA, encryption, access control policies, and security information and event management (SIEM) systems.
  4. Maintain Incident Response Plans – Define cyber event detection, response, and recovery mechanisms.
  5. Continuous Monitoring and Employee Training – Monitor systems and third-party services on an ongoing basis, and ensure staff are trained on cybersecurity risks, phishing detection, and secure data handling.

How we can help

Our cybersecurity advisory services assist businesses in complying with SARB, PA and FSCA requirements, offering:

  • Cybersecurity Maturity Assessments – Evaluate your organization’s security posture and identify gaps.
  • Regulatory Compliance Support – Assist with aligning cybersecurity frameworks with Joint Standard 1 of 2023, Joint Standard 2 of 2024 and SARB Directive 01 of 2024.
  • Penetration Testing & Vulnerability Assessments – Identify security weaknesses before attackers do.
  • Cybersecurity Training Programs – Educate employees on best practices for managing cyber risks.
  • Incident Response Planning & Testing – Develop and test response strategies for cyber incidents.

Partner with us to build a secure and resilient financial ecosystem that complies with evolving cybersecurity regulations.