By James George, Compli-Serve
Cyber threats are no longer hypothetical risks or technical annoyances. In South Africa, the rise in ransomware attacks, data breaches, and system failures has placed cyber resilience at the forefront of regulatory scrutiny and boardroom agendas. The Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience, effective 1 June 2025, marks a watershed moment in South Africa’s financial regulatory regime.
Where traditional cybersecurity focused on prevention, cyber resilience is a broader strategic capability: it encompasses preparedness, response, recovery, and adaptive learning. For South African financial institutions, it is no longer a matter of if a breach occurs, but how well you recover when it does.
Why Cyber Resilience Now?
1. An Escalating Threat Landscape
South African firms—large and small—are now routinely targeted by increasingly sophisticated threat actors. Local estimates place the average breach cost between R6.5–R12 million, excluding reputational harm. Whether it’s the TransUnion hack or ongoing phishing campaigns targeting FSPs, the urgency is clear: reactive measures are no longer enough.
2. Digital Transformation Has Expanded the Attack Surface
The COVID-accelerated shift to digital has introduced widespread vulnerabilities. Remote work, cloud services, API integrations, and mobile-first services have outpaced most firms’ ability to secure them effectively. As a result, cyber risk is now existential in nature.
3. Regulatory Pressure Is Mounting
Following the release of Joint Standard 2 of 2024, co-issued by the FSCA and Prudential Authority, regulated entities are compelled to comply with a minimum set of cybersecurity and cyber resilience requirements. This applies to:
Banks
Insurers
CIS managers
FSPs (particularly Category II & Crypto Asset FSPs)
Retirement funds and their administrators
Non-compliance will not only attract penalties, but may also compromise licensing status and lead to board-level accountability.
What Joint Standard 2 of 2024 Demands
Effective 1 June 2025, all regulated financial institutions must demonstrate the following:
Cyber governance oversight: The board must own and oversee cyber risk strategies.
Formalised cybersecurity frameworks: Including defined policies, controls, and metrics.
Incident response protocols: Firms must maintain tested and auditable IR plans.
Third-party risk management: Outsourced vendors and digital service providers must be assessed for cyber exposure.
Operational resilience planning: Recovery time objectives and critical business service identification are required.
This regulation is not optional, and the FSCA has already begun on-site visits and desktop audits to assess readiness.
The Four Pillars of Cyber Resilience for South African FSPs
Prepare and Protect
Conduct formal cyber risk assessments.
Implement baseline protections: firewalls, MFA, encryption, and staff awareness training.
Appoint a Cybersecurity Officer (distinct from the IT manager).
Detect and Respond
Deploy intrusion detection and SIEM tools.
Establish 24/7 monitoring or contract with a Managed Security Service Provider (MSSP).
Maintain a tested incident response plan with executive involvement.
Recover and Learn
Maintain offsite and encrypted backups.
Document post-incident reviews (PIRs).
Integrate lessons learned into policy updates and training.
Adapt and Evolve
Conduct biannual cyber resilience assessments.
Update incident playbooks and recovery plans.
Benchmark against international standards (ISO 27001, NIST CSF, etc.).
Best Practices from the South African Market
Create a Cyber Resilience Framework
Compli-Serve recommends firms maintain a standalone cyber resilience framework that aligns with the Joint Standard 2 of 2024, FICA, and PoPIA obligations.
Establish SLA-Based Vendor Controls
Ensure vendors meet your cybersecurity expectations through Service Level Agreements (SLAs) and regular third-party risk reviews.
Conduct Tabletop Exercises
Run simulated cyber incidents involving key executives, key individuals (KIs), and board members. Regulatory expectations are shifting toward proving that these exercises are actually being held.
Board-Level Cyber Accountability
Educate directors about their fiduciary duties regarding cyber oversight. Boards can no longer claim ignorance.
Turning Cyber Risk into Strategic Advantage
Forward-looking institutions are using cyber resilience to differentiate themselves in the market:
Client Trust: Demonstrable resilience earns loyalty in high-trust industries like finance and healthcare.
Regulatory Favourability: Resilient firms face less scrutiny during FSCA inspections.
Operational Excellence: Cyber disciplines improve business continuity and internal controls across departments.
Digital Enablement: A secure digital foundation allows rapid, confident innovation.
Key Takeaways for South African Financial Institutions
South African financial institutions should prioritise the finalisation of a comprehensive Cybersecurity and Cyber Resilience Policy by no later than 1 June 2025, under the joint responsibility of the IT and Compliance functions.
A formal Cyber Resilience Readiness Assessment should be conducted during the first and second quarters of 2025, with oversight by the Risk and Governance Committee to identify and close any material gaps in current systems.
The Incident Response and Recovery Plan must be properly documented and formalised within Q2 2025, led by the Executive Team, to ensure preparedness for real-world cyber events.
The Board of Directors must approve all cyber-related frameworks and participate in Cyber Oversight Training by the second quarter of 2025, with coordination managed by the Company Secretary.
Financial institutions are expected to implement robust third-party risk management controls on an ongoing basis, ensuring all vendors and service providers meet defined cybersecurity standards. This responsibility lies with both Procurement and Compliance teams.
Lastly, entities required to do so must submit their regulatory returns in accordance with Joint Standard 2 of 2024, following the format, manner, and frequency stipulated by the FSCA, under the responsibility of the appointed Compliance Officer.
The time for casual cyber awareness is over. South African regulators, cybercriminals, and customers are all aligned in their expectations: demonstrable cyber resilience, not theoretical protection.
The 1 June 2025 deadline under Joint Standard 2 of 2024 is more than just a regulatory milestone. It is a clear signal that the FSCA and PA are holding financial institutions to a higher operational standard—one that protects not only investors but the national economy.