With the June 2025 deadline looming, South African financial institutions, including retirement funds, must swiftly implement robust cybersecurity measures to comply with the new Joint Standard 2 regulations, ensuring the protection of customers and the integrity of the financial system.
South African financial institutions, including retirement funds, are racing against time to comply with Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience before the deadline of June 1, 2025.
This regulatory framework, published in May 2024 by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority, aims to establish robust cybersecurity protocols across the financial sector.
Vanessa Jacklin-Levin, partner at Bowmans, clarifies the scope of the regulation: "The Joint Standard applies to ‘financial institutions’ as defined in the Joint Standard, such as retirement funds registered under the Pension Funds Act 1956 (PFA)." She says the regulation is designed to enforce a standardised approach to cybersecurity risk management, setting clear minimum requirements and principles for financial institutions to adopt.
The regulation mandates financial institutions to bolster their cybersecurity defences and align them with their risk appetite, taking into account the nature, complexity, and size of their financial operations. Jacklin-Levin says: "The Joint Standard requires financial institutions to adopt robust cybersecurity and resilience against cyberattacks and expects financial institutions to implement security controls that are commensurate with their risk appetites."
Financial institutions are expected to establish comprehensive cybersecurity policies, including a Cybersecurity Strategy and Framework, Cybersecurity Policy, Data Loss Prevention Policy, Cryptographic Key Management Policy, Cyber Incident Management Policy, and Security Access Control Policy.
Deirdre Phillips, another partner at Bowmans, highlights the significance of cybersecurity within the broader regulatory framework. "In its recently published Regulatory Strategy for 2025-2028, the FSCA stated that it remains focused on what matters most—‘protecting customers and strengthening the integrity and resilience of the financial system’. Cybersecurity and cyber resilience remain among some of the key risks and vulnerabilities in the financial system."
Retirement funds must ensure they meet these cybersecurity standards, even when outsourcing cybersecurity-related administrative activities. Jacklin-Levin says: "The board of trustees of a retirement fund is ultimately responsible for ensuring compliance with the requirements set out in the Joint Standard. Accordingly, where a retirement fund outsources cybersecurity administrative activities to administrators of retirement funds or other service providers, the relevant retirement fund’s board of trustees retains the full responsibility for ensuring compliance."
With the June 1, 2025, deadline fast approaching, retirement funds must act swiftly to implement the necessary cybersecurity and cyber resilience measures to safeguard their operations and maintain compliance with South Africa’s evolving financial regulations.