Joint Communication 6 of 2021: Draft Joint Standard on Cybersecurity and Cyber Resilience Requirements

Financial Sector Regulation Act, 2017 Joint Communication 6 of 2021 The Financial Sector Conduct Authority and the Prudential Authority (Authorities) today published the draft Joint Standard: Cybersecurity and Cyber Resilience Requirements (Joint Standard) for consultation as provided for in section 101 of the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017) (FSR Act). The draft Joint Standard sets out the minimum standards for sound practices and processes of cybersecurity and cyber resilience for categories of specified financial institutions. The draft Joint Standard seeks to ensure that these financial institutions implement processes and have tools and technology which will prepare them for cyber-attacks as well as respond to and recover from such attacks. The draft Joint Standard applies to: (a) a bank, a branch, a branch of a bank and a controlling company as respectively defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990); (b) a mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993); (c) an insurer and a controlling company as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017); (d) a manager as defined in section 1 of the Collective Investment Scheme Control Act, 2002 (Act No. 45 of 2002); (e) a market infrastructure as defined in section 1 of the Financial Markets Act 2012 (Act No. 19 of 2012); (f) a discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003; (g) an administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003; (h) a pension fund registered under the Pension Funds Act, 1956 (Act No. 24 of 1956); and (i) an OTC derivative provider as defined in the Financial Markets Act Regulations. The Authorities are unable, at this stage, to ascertain the full extent of the expected impact of the draft Joint Standard on the specific financial institutions covered by the draft Joint Standard. As part of the consultation process, the Authorities have also prepared a set of questions to solicit industry inputs on the expected impact of implementing the proposed Joint Standard. The questions are in section C of the comments template and the Authorities welcome responses from all the affected financial institutions.

2 In this regard, the following documentation are published for comment:

1. the draft Joint Standard - Annexure A;
2. the draft statement of need for, expected impact and intended operation of the draft Joint Standard (Statement) – Annexure B; and
3. the comments template providing for the manner in which comments must be submitted to the Authorities as well as questions, under section C, to ascertain the potential impact of the draft Joint Standard – Annexure C. The documents released for the public consultation process can be accessed on the websites of the Authorities at: www.resbank.co.za and www.fsca.co.za . Comments on the draft Joint Standard and accompanying documents must be submitted, using the comments template attached as Attachment 3, to PA-Standards@resbank.co.za for the attention of Mrs Kalai Naidoo and Mr Andile Mjadu, on or before 15 February 2022. Any enquiries on this Joint Communication may also be sent to the aforementioned e- mail address. Following the consultation process, the Authorities will make any necessary changes to the draft Joint Standard and the Statement to better reflect the expected impact of the draft Joint Standard, based on the submissions received. The revised draft Joint Standard and Statement will then be released for consultation, in terms of the provisions of section 98 of the FSR Act for a period of at least six weeks. Unathi Kamlana Kuben Naidoo Commissioner Deputy Governor and CEO: FINANCIAL SECTOR CONDUCT AUTHORITY PRUDENTIAL AUTHORITY DATE: 15.12.2021 DATE: 15/12/2021