https://www.polity.org.za
Obligations of insurers related to cybersecurity and outsourcing

Webber Wentzel

12th November 2024

ARTICLE ENQUIRY      SAVE THIS ARTICLE      EMAIL THIS ARTICLE

Font size: -+

The Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) have announced that Joint Standard 1 of 2024 (Outsourcing by Insurers) and Joint Standard 2 of 2024 (Cybersecurity and Cyber Resilience Requirements) will be effective on 1 December 2024 and 1 June 2025 respectively.

Joint Standard 2 of 2024 seeks to address the sector's concerns about evolving cyber threats and aims to enhance cyber risk management and resilience. The FSCA is urging financial institutions to cater for and mitigate cybersecurity risks and threats in line with the nature, size, complexity and risk profile of the financial institution.


Financial institutions, including banks, insurers and their controlling companies, have just over six months to establish and maintain a cybersecurity framework, policies and procedures that meet industry standards and best practices to adequately address cyber-attacks.

To the extent that insurers intend to outsource cyber-related functions and/or system controls to maintain adequate cybersecurity frameworks, Joint Standard 1 of 2024 becomes relevant, and the outsourcing of these activities will most likely be material. Insurers must, as part of their board-approved outsourcing policies, ensure that they comply with the provisions of Joint Standard 1 of 2024 for any material activity outsourced to a third party.


Joint Standard 2 of 2024 contains several key cybersecurity requirements for financial institutions. These include:

  • Establishing and maintaining a cybersecurity strategy and framework to address changes in the cyber threat landscape, manage cyber risks, allocate resources, identify and remediate gaps.
  • Identifying and classifying business processes and information assets in terms of criticality and sensitivity, which in turn must inform the prioritisation of protective, detective, response and recovery efforts.
  • Carrying out security risk assessments on critical operations and information assets to ensure protection against compromise.
  • Ensuring that access to information assets and associated facilities is limited to users, processes, and devices authorised by the financial institution.
  • Establishing identity management and access control policies and procedures for effective and consistent user administration, accountability and authentication, which must also account for remote user access to information assets.
  • Developing comprehensive data loss prevention policies and ensuring that information stored in systems and endpoint devices is encrypted or protected by access control mechanisms commensurate with the risk exposure faced by the financial institution, and restricting the processing, retrieval, communication, transmission and storage of sensitive information to authorised IT systems, endpoint devices and data storage systems.
  • Having agreements between the financial institution and third-party service providers that provide for the secure return, transfer or deletion of data upon termination of services.
  • Conducting a comprehensive cybersecurity awareness training programme for the governing body and users of the financial institution at least annually, to raise their awareness of the risks associated with the use of technology and enhance their understanding of cyber risk management practices. The training programme must be regularly reviewed, considering the financial institution's security policies, prevalent and emerging risks, and the evolving threat landscape.
  • Notifying the responsible authority upon classification of a cyber incident or information security compromise as a material incident, in accordance with the processes and policies established.
  • If insurers intend to outsource, or have outsourced, activities related to data storage systems, IT-related support systems, cybersecurity frameworks and compliance to third-party service providers, they must review these agreements, including sub-outsourcing arrangements, to ensure compliance with the provisions contained in Joint Standard 1 of 2024. Any outsourcing arrangement entered into prior to the standard's effective date has 24 months to comply.

In the event of outsourcing, insurers must ensure that contractual agreements or Service Level Agreements with third-party service providers explicitly require compliance with stringent cybersecurity and cyber resilience standards.

See our previous update on Joint Standard 1 of 2024 here.

Written by Lenee Green, Partner, Gabi Richards-Smith, Partner & Londiwe Mazibuko, Candidate Attorney, Webber Wentzel
