On 10 November 2023, the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) (collectively, the Authorities) published the ‘Information Technology Governance and Risk Management Requirements for Financial Institutions’ Joint Standard (“the Joint Standard”).
The Joint Standard applies to all financial institutions (including insurers, banks and financial service providers), which must ensure the effective management and mitigation of IT-related risks. The Joint Standard takes effect 12 months after its official commencement date of 15 November 2023.
We briefly summarise the key implications of the Joint Standard for financial institutions to consider below.
The governing body is ultimately accountable for compliance with the Joint Standard
The Joint Standard mandates that the governing body approve the IT strategy and exercise comprehensive oversight (governance) over senior management's implementation of internal controls and risk management practices. This is crucial given the substantial disruption that cyber incidents can cause to the operational integrity of financial institutions. The governing body is also responsible for ensuring that the IT strategy, and the processes put in place to meet the Joint Standard, undergo a comprehensive review at least annually.
Any deviation from the Joint Standard must be reported to the Authorities within a reasonable period. This reporting and notification obligation should be built into every financial institution's IT risk management protocols to ensure compliance.
IT policies, processes and plans required to be implemented
Financial institutions are required to take into account the nature, scale and complexity of their operations when determining how to comply with the Joint Standard.
The Authorities encourage financial institutions to apply the Joint Standard’s requirements at the group and subsidiary levels to demonstrate that each entity has complied with the Joint Standard.
Financial institutions must demonstrate that the following policies and processes are in place, namely:
- an IT strategy in terms of which action plans are established and appropriate IT measures are identified;
- an IT risk management framework to systematically handle IT issues including reporting procedures for IT assurance and the safeguarding of IT assets;
- IT service management policies, standards, processes and procedures to support IT systems and operations and to manage IT incidents, so as to ensure the stability of the IT environment;
- appropriate measures to safeguard sensitive or confidential information and mitigate IT risks in relation to such information (e.g. data loss and data theft) as well as IT risks associated with the types of financial products or services offered; and
- business impact assessments to analyse exposure to severe business disruptions and disaster recovery protocols.
Reasonable measures must also be implemented by financial institutions to protect IT users, including customers, who engage with the financial institution via online systems. Customer awareness programmes detailing these security measures must also be implemented to protect customers.
The Joint Standard requires that policies and procedures relating to the IT risk management framework and the handling of sensitive or confidential information (amongst others) be independently reviewed. The Joint Standard identifies the financial institution's internal and external audit functions, or an independent control function, as capable of conducting such independent reviews.
Relationship with other cyber and data privacy legislation (such as POPIA)
The FSCA and PA have indicated that there is an urgent need to ensure that minimum regulatory requirements against digital and cyber risks are introduced by financial institutions.
The Protection of Personal Information Act, 4 of 2013 (POPIA) is expressly referenced within the Joint Standard. This means that compliance with the Joint Standard should be read together with the obligations set out under POPIA (and any other applicable legislation) when personal information is processed or technical measures are implemented.
It is advisable to assess compliance with both the Joint Standard and POPIA simultaneously, given the likelihood of an overlap in these compliance requirements.
- Governing bodies, senior management and IT departments need to work closely when developing a strategy to adequately demonstrate compliance with this Joint Standard.
- Financial institutions have one year to establish the policies and strategies that give effect to the Joint Standard. We recommend that financial institutions begin identifying the gaps in their current IT strategy and IT risk management framework now, so that compliance with the Joint Standard can be demonstrated by 15 November 2024.
- This Joint Standard is one of several standards on cyber risk that the Authorities are expected to release in the coming years. In particular, the Authorities are expected to publish requirements relating to information security, which further underlines the importance of cyber risk mitigation as a priority for financial institutions.
Please reach out to Clyde & Co’s Cyber and Regulatory teams should you require any support in navigating the Joint Standard and its requirements.
The relevant documents in relation to the Joint Standard can be accessed here.