Editor's Note
Over the past two issues we have looked at POPIA's technical requirements and the threat of social engineering. Both apply to every business that handles personal data, regardless of industry.

This issue is for a specific segment of our readership: anyone operating in or alongside the South African financial services sector. That includes banks, insurers, retirement funds, asset managers, and financial services providers of all categories.

A regulatory deadline passed on 1 June 2025 that many businesses in this space are still unprepared for. If that includes you, here is what you need to understand, and what you need to do.

THE STANDARD IS NOW LIVE: What Joint Standard 2 of 2024 Means for Your Financial Services Business

What Changed on 1 June 2025

Joint Standard 2 of 2024 was published jointly by the Financial Sector Conduct Authority and the Prudential Authority on 17 May 2024, with a compliance deadline of 1 June 2025. The standard sets minimum cybersecurity and cyber resilience requirements for financial institutions across South Africa.

This is not a guideline or a recommendation. Non-compliance will not only attract penalties but may also compromise licensing status and lead to board-level accountability. The regulators have been explicit: compliance must be demonstrated through evidence, not intention.

Who It Applies To

The standard applies to banks, insurers, CIS managers, FSPs, retirement funds and their administrators. If you operate as a financial services provider of any category, the broader obligations of the FAIS Act also apply. Section 11 of the General Code of Conduct requires all FSPs to employ appropriate technological systems to eliminate risk to clients as far as reasonably possible, and the governing body is held personally accountable for ensuring these measures are effective.

Board-level accountability is not a theoretical risk. It is written into the standard.

What the Standard Actually Requires

The requirements are broad and interconnected. At a practical level, financial institutions must identify business processes and information assets that support operations, conduct risk assessments on critical assets, and maintain an inventory of all information assets. They must implement appropriate cybersecurity practices, limit access to authorised users only, maintain a cybersecurity awareness programme, and regularly test all elements of their cyber resilience capacity and security controls to assess vulnerabilities.

Three requirements in particular carry direct operational weight for smaller financial services businesses:

  • Regular penetration testing and vulnerability assessments are mandatory to validate security controls, with swift remediation of weaknesses. This is not an annual exercise; it is an ongoing obligation, with documented evidence of findings and remediation.

  • If a material cyber incident occurs, institutions may have just 24 hours to notify the FSCA or the Prudential Authority. That clock starts from the moment the incident is classified as material, not from when you have completed your investigation. Your internal classification and escalation procedures must be fast and well-rehearsed before an incident happens.

  • Third-party risk management is also a key obligation: clear roles, responsibilities, and cybersecurity control requirements must be included in contracts with vendors and service providers, and regular independent assurance of third-party security practices is expected. If your IT provider, cloud platform, or any external system handles your data or connects to your network, it is within scope.

The Gap Most Businesses Have

The most common failure point is not the absence of security measures; it is the absence of documentation that proves those measures exist and are working. The standard is not prescriptive about which frameworks you must follow, but it is demanding. Institutions must show that their approach is proportionate, risk-based, and defensible. This requires maturity in documentation, oversight, testing, and response.

A verbal assurance that "we have antivirus software and a firewall" does not satisfy Joint Standard 2. What satisfies Joint Standard 2 is a documented vulnerability assessment with dated findings, a remediation log, an incident response plan that has been tested, and evidence that your staff have received cybersecurity awareness training.

The Bottom Line

The deadline has passed. The standard is in force. If your business operates in financial services and you cannot produce evidence of a documented cybersecurity framework, regular vulnerability testing, a staff awareness programme, and a tested incident response plan, you are exposed. Not theoretically exposed. Practically, legally, and reputationally exposed.

The good news is that getting to a defensible position does not require an enterprise-level budget. It requires a structured approach, the right assessment tools, and documentation that holds up under scrutiny. That is exactly what a risk-based vulnerability management programme is designed to produce.

Aigeus Cyber Briefing