
South Africa’s Financial Regulators bolster Cyber Resilience: A New Era in Material Incident Reporting

South Africa’s financial regulators are raising the bar for cyber resilience. With the publication of Joint Standard 1 of 2023 (IT Governance & Risk Management) and Joint Standard 2 of 2024 (Cybersecurity & Cyber Resilience), the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) have set out clear expectations: financial institutions must implement robust IT governance, ensure board-level oversight and respond decisively to cyber threats.

A cornerstone of this framework is the requirement to report material IT and cyber incidents, defined as:

a disruption of a business activity, process or function which has, or is likely to have, a severe and widespread impact on the financial institution’s operations, services to customers, or the broader financial system and economy.

This definition sets a high threshold for regulatory engagement and places significant responsibility on institutions to assess and escalate incidents appropriately.

Joint Communication 3 of 2025, issued on 3 September 2025, introduces a draft Joint Notice and proposed Reporting Template that aim to operationalise the notification obligations under the Joint Standards once a financial institution has classified an event as a material incident. These drafts are open for public comment until 5 October 2025.

Joint Communication 3 of 2025 – Joint Determination – Notification of Material IT and Cyber Incidents

The consultation package includes three key annexures:

1. Annexure A – Draft Joint Notice titled ‘Determination of notification requirements for material IT and/or cyber incidents’

Outlines the form, manner, and timeframe for reporting material incidents. Notifications must be submitted via:

  • The Umoja Portal (for banks, insurers, and market infrastructures), or
  • The FSCA website/email (for other regulated entities, including financial service providers, collective investment scheme managers, pension funds and their administrators, OTC derivative providers and registered credit ratings agencies).

It also specifies who must be notified, ensuring consistent and accountable communication with the regulators.

2. Annexure B – Draft Excel File titled ‘Material Incident Report Form for IT Governance and Risk Management, and Cybersecurity’

This is the heart of the consultation and includes the proposed Reporting Template with a tiered reporting structure:

  • Immediate initial notification (within 24 hours): Key facts, detection method, contact details and incident status, together with the cybersecurity information tabs that make up Section A (tabs 2 to 4 of the proposed Reporting Template).
  • Follow-up update (within 14 days): The detailed questionnaire in Section B (tab 5) of the proposed Reporting Template must be completed and submitted. It requires details of business disruption, client impact, financial loss, reputational damage, legal exposure, technical analysis of the affected systems and attack vectors, the investigation and resolution, and the mitigation measures taken.
  • Comprehensive incident report (timeline to be agreed with the responsible authority): All tabs (2 to 5) of the proposed Reporting Template must be completed, and a final investigation report must be submitted. The drafts do not yet specify what the final investigation report should contain.

3. Annexure C – Comment Template

Interested stakeholders have until 5 October 2025 to submit written comments and feedback via the prescribed channels.

Strategic Implications for Financial Institutions

By aligning the proposed template with governance frameworks, institutions can demonstrate active board oversight, cross-functional coordination and regulatory preparedness for cyber risk events.

Institutions are encouraged to integrate the template into internal tracking systems, enabling legal, governance, and technical teams to respond in a coordinated, timely and accountable manner.

To meet the expectations set out in the draft Joint Notice and proposed Reporting Template, financial institutions should:

  • Ensure immediate board and senior management visibility from the moment an incident is detected. Escalation protocols must define clear roles, responsibilities, and decision-making authority.
  • Align IT, security, legal, and compliance functions to ensure seamless incident detection, investigation and reporting. Coordination across these teams is essential for timely and accurate disclosures.
  • Conduct simulations, tabletop exercises, and independent reviews to validate that reporting protocols are operationally sound and resilient under pressure.
  • Use the consultation period strategically to refine cyber incident response frameworks, test escalation procedures and prepare for the finalisation of the reporting requirements.

Institutions that act promptly to embed the reporting template into their governance and technical protocols will be positioned to demonstrate compliance, resilience, and proactive engagement in response to the regulators’ expectations.

Clyde & Co’s Cyber team provides tailored guidance on implementing the draft requirements and supports clients in enhancing their cyber readiness through incident response planning, board and leadership training, tabletop exercises and cyber incident simulations. For more information, please feel free to reach out to us.

The documents relating to Joint Communication 3 of 2025 are available on the FSCA’s website under ‘Documents for Consultation’.
