2022-12-14
The Prudential Authority and Financial Sector Conduct Authority have published a revised Joint Standard mandating minimum cybersecurity and cyber resilience requirements for specified financial institutions. The framework applies to banks, mutual banks, insurers, market infrastructure, discretionary and administrative financial services providers, pension funds, OTC derivative providers, administrators, and credit rating agencies. Regulators invite public comments on the revised standard, supporting statement, and submission templates via email by 28 February 2023 to finalize the regulatory framework.
Financial Sector Regulation Act, 2017
Joint Communication 4 of 2022
Notice of invitation to comment – Joint Standard – Cybersecurity and Cyber Resilience Requirements

In December 2021, the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA) (the Authorities) published the draft Joint Standard on Cybersecurity and Cyber Resilience Requirements (draft Joint Standard) for public consultation in terms of section 101 of the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017) (FSR Act). The consultation process also provided an opportunity for input from the financial sector on the potential impact of the requirements on financial institutions in order for the Authorities to finalise the Statement of need for, intended operation and expected impact (Statement).

The draft Joint Standard sets out the minimum requirements and principles for sound practices and processes of cybersecurity and cyber resilience for categories of specified financial institutions. The draft Joint Standard will apply to:

(a) a bank, a branch¹, a branch of a bank and a controlling company as respectively defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990);
(b) a mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993);
(c) an insurer and a controlling company as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017);
(d) a manager as defined in section 1 of the Collective Investment Scheme Control Act, 2002 (Act No. 45 of 2002);
(e) a market infrastructure as defined in section 1 of the Financial Markets Act 2012 (Act No. 19 of 2012);
(f) a discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003;
(g) a Category I FSP as contemplated in section 3(a) of the Determination of Fit and Proper Requirements for Financial Services Providers, 2017, that provides investment fund administration services;
(h) an administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003;
(i) a pension fund registered under the Pension Funds Act, 1956 (Act No. 24 of 1956);
(j) an OTC derivative provider as defined in the Financial Markets Act Regulations;
(k) an administrator approved in terms of section 13B of the Pension Funds Act, 1956 (Act No. 24 of 1956); and
(l) a registered credit rating agency as defined in section 1 of the Credit Rating Services Act, 2012 (Act No. 24 of 2012).

¹ Commonly referred to as a ‘branch of a foreign institution’.

The Authorities have published today, for public consultation in terms of section 98 of the FSR Act, the following documents:
• The revised Joint Standard based on comments received from the public consultation process – Annexure A;
• The Statement – Annexure B;
• The comment matrix from the public consultation process – Annexure C;
• The draft notification template – Annexure D; and
• The comment template – Annexure E.

Comments on the documentation must be made using the comment template and submitted via email to FSCA.RFDStandards@fsca.co.za for the attention of Mr Andile Mjadu and PA-Standards@resbank.co.za for the attention of Ms Kalai Naidoo. Comments are due on or before 28 February 2023. Any enquiries on this Joint Communication may also be sent to the aforementioned e-mail addresses.

FINANCIAL SECTOR CONDUCT AUTHORITY    PRUDENTIAL AUTHORITY
DATE: 09.12.2022    DATE: