Tightening Cyber Defences in the SA Financial Services Industry Through Legislation
This article has been supplied and will be available for a limited time only on this website.
Automated processes across banking, financing, insurance and other financial services are dependent on complex infrastructures that span both on-premises data centres and cloud service providers. This dependency on third-party service providers and technology vendors puts financial organisations at significant risk.
It is therefore a welcome fact that local financial institutions are facing a pressing cybersecurity deadline to help address this issue, with the implementation of the ‘Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience Requirements for Financial Institutions’ (also known as the ‘Joint Standard’) scheduled to come into effect on 01 June this year.
This is according to Bryan Hamman, regional director for Africa at NETSCOUT, who says: “The deadline comes against a background in which the financial services sector across the continent remains a lucrative target for cybercriminals. The past 18 months have shown an upswing in the activities of geopolitically motivated hacktivists and their coordinated distributed denial of service (DDoS) attack efforts aimed at banking and financial services, underscoring the critical requirement for financial services organisations across the spectrum to address growing cyber risks and IT disruptions.”
Service availability and the protection of data in industries such as banking and insurance are of paramount importance, and disruptions of any type can have far-reaching consequences for both the organisations themselves and their clients.
Hamman adds: “As outlined in NETSCOUT’s most recent DDoS Threat Intelligence Report, DDoS attacks are becoming more sophisticated and harder to mitigate, and across the Europe, Middle East and Africa (EMEA) region we find no exception.
“Cybercriminals are using advanced techniques to overwhelm financial institutions, often targeting infrastructure components like Domain Name System (DNS) servers that are critical for digital services. The 1H 2024 Threat Intelligence Report showed that South African insurance agencies and brokerages bore the overwhelming burden of incidents EMEA-wide for this particular sector of the financial services industry.”
Legislation to Strengthen and Protect
Technological advancements have brought many benefits to the financial services industry, including ease of interactions with their clients, but at the same time, as outlined previously, the threat landscape has also evolved.
Due to the interconnectedness of the financial system, a cyber incident or failure at one connected entity can affect the safety and soundness of that entity as well as other institutions. “Cyberattacks can therefore pose a major threat to multiple financial institutions and even organisations in other industries,” says Hamman. “The legislation of cybersecurity measures aims to prevent and control risk possibilities.”
The ‘Joint Standard’ is so named because it was published jointly on 16 May 2024 by South Africa’s Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA). The PA looks after the safety of regulated financial institutions and market infrastructures, while the FSCA is responsible for supporting the efficiency and integrity of financial markets and protecting financial customers.
The ‘Joint Standard’ applies to various financial institutions, including banks, insurers, retirement funds and administrators, and collective investment scheme managers. It sets out detailed requirements and principles for sound practices and processes relating to cybersecurity and cyber resilience. Some of the principles set out by the ‘Joint Standard’, with which financial institutions must comply, include the following:
- Establishing and maintaining a cybersecurity strategy that is aligned with the overall business strategy and reviewed at least annually.
- Implementing cyber resilience capabilities and practices to prevent, limit and contain the impact of a potential cyber incident.
- Installing network security devices to secure the network.
- Establishing a comprehensive cybersecurity awareness training programme.
- Monitoring and detecting cyber events and cyber incidents.
- Implementing an incident response and management plan.
- Testing control effectiveness.
- Conducting regular vulnerability assessments on its IT systems.
- Implementing malware protection.
Strength in Unity
Hamman clarifies: “The implementation of the ‘Joint Standard’ is aimed at strengthening the IT security of local financial entities, making sure that South Africa’s financial sector is empowered to stay resilient in the event of any severe operational disruption.
“I believe you could regard this legislation as being similar in nature and end goals to that of the European Union’s so-named ‘DORA’ – in other words, the Digital Operational Resilience Act – which is the new security regulation for financial institutions in the EU that came into effect on 17 January this year, and which seeks to ensure that financial systems in those countries can withstand disruptions or recover quickly.”
He notes further that the financial services sector is a critical arena that affects multiple other economic areas. For threat actors, the sector’s inherent interconnectedness, across both borders and other vertical sectors, only adds to the attraction of disrupting financial services organisations in terms of potential gains.
“With the deadline looming for local financial institutions to ensure that they are compliant, we at NETSCOUT are highly supportive of the legislative measures prescribed by the ‘Joint Standard’ in organising and channelling cyber defence and resilience measures,” says Hamman.
“We anticipate that the implementation of the ‘Joint Standard’ will become a new milestone for cybersecurity and operational resilience in the local financial sector and assist in addressing growing cyber risks and IT disruptions,” he concludes.