The Financial Sector Regulation (FSCA) and the Prudential Authority (PA) published Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience Requirements on 17 May 2024.
The Joint Standard 2 of 2024 (Joint Standard) applies to all financial institutions as defined in the Joint Standard. It sets out the requirements for sound practices and processes relating to cybersecurity and cyber resilience for financial institutions. The Joint Standard is expected to commence on 1 June 2025. The FSCA and PA will formally publish the effective date by publishing a notice on their websites.
The Joint Standard requires financial institutions to:
- Mitigate and cater for any risks relating to cybersecurity and cyber resilience from juristic persons structured under a bank, the insurer, or the insurance group when applying the requirements of the Joint Standard.
- Notify the responsible authority of cyber incidents or information security compromises they classify as a material incident. The specific format and manner for reporting these incidents are yet to be determined.
- Establish and maintain a regularly reviewed cybersecurity strategy to manage cyber risks and address changes in the cyber threat landscape.
- Identify business processes and information assets that support the business and the delivery of services, conduct risk assessments on its critical operations and information assets, and maintain an inventory of all its information assets. Implement appropriate and effective cybersecurity practices to prevent the impact of potential cyber incidents.
- Ensure that access to information is limited to authorised users and devices only. Develop data loss prevention policies and measures to prevent and detect unauthorised use of sensitive data and information. Implement a cybersecurity awareness programme to maintain a high level of awareness among all users.
- Maintain effective cyber resilience capabilities to monitor, detect, respond to and recover from cyberattacks on IT systems. Establish a data backup strategy to ensure that any sensitive information stored in the backup media is secured.
- Regularly test all elements of its cyber resilience capacity and security controls to assess vulnerabilities and determine its overall effectiveness.
- Establish a regularly reviewed access control policy and process to enforce strong password security controls for users to access IT systems and information assets. Secure administrative accounts and grant privileged access only when necessary.
- Implement multi-factor authentication for all users with access to critical system functions, including user accounts utilised to access applications containing sensitive information. Protect the network from unauthorised access and disruption through the implementation of security controls at its network perimeter.
- Test and apply security patches to address vulnerabilities in IT assets. Maintain written security standards for hardware and software configurations to minimise exposure to cyber threats. Implement endpoint protection to prevent malware infection.
The Joint Standard strengthens the financial sector's cyber defences. Financial institutions have one year to comply, requiring proactive measures for a smooth transition and a more secure future.