
Navigating regulatory waves: Strengthening cyber security in the evolving financial landscape


  • The financial services sector faces new regulations from the SARB and FSCA to strengthen cybersecurity amidst rapid technological advancements.
  • Financial institutions must navigate unique requirements of the regulations, ensuring board-level accountability, demonstrating compliance and maintaining a risk-based approach to control practices.
  • EY recommends practical steps for compliance, while avoiding common pitfalls like a tick-box approach and neglecting the full ecosystem.


The financial sector is undergoing rapid transformation, driven by the rise of digital channels, automation, artificial intelligence, the cloud, and other advanced technologies. As financial services providers increasingly integrate advanced technologies and grow more reliant on interconnected ecosystems, the prevalence of cyber threats and attacks has escalated exponentially.

To address the challenges of digital acceleration and an evolving threat landscape, the SARB and FSCA have introduced a series of regulations. These aim to empower the financial sector to leverage new technologies safely, responsibly, and resiliently.

Three interrelated regulations

Two ‘joint standards’ were released in collaboration between the SARB’s Prudential Authority and the Financial Services Conduct Authority:

  • Joint Standard 1: IT Governance and Risk Management
  • Joint Standard 2: Cybersecurity and Cyber Resilience

Additionally, the SARB issued a regulation specifically to protect the National Payment System (NPS):

  • Directive in respect of cybersecurity and cyber-resilience

| Regulation | Published | Commences | Applies to |
|---|---|---|---|
| Joint Standard 1: IT Governance and Risk Management | 15 November 2023 | 15 November 2024 | Financial institutions |
| Joint Standard 2: Cybersecurity and Cyber Resilience | 17 May 2024 | 1 June 2025 | Financial institutions |
| Directive: Cybersecurity and Cyber Resilience | 17 May 2024 | 17 August 2024 | Payment institutions |

While these regulations share key similarities and overlaps, each also presents unique requirements that financial institutions must carefully navigate.

It is important to understand the similarities, overlaps, and unique components of the regulations. This will help ensure organisations implement them in the most practical and efficient ways. At the same time, organisations must demonstrate they are fully compliant with the requirements of each of the individual regulations.


Crucial requirements

Most financial services and payments institutions are already aligned to one or more industry best practice standards for cybersecurity and IT governance. These include NIST, ISO, CIS, and CobiT. Adhering to these best practice standards sets a good foundation for compliance with the new regulations.

However, the new regulations introduce five crucial requirements that institutions must address, alongside their existing best practice standards:

  1. Board-level accountability for embedding the processes and practices. The regulations are not intended to be tick-box exercises. Rather, the regulations require the board to take accountability for embedding good IT governance and cyber resilience practices into the daily operations and culture of the organisation.
  2. Demonstrate compliance with the requirements. Institutions must demonstrate that they are complying with each requirement. It is not enough to align with an industry best practice. Instead, institutions must report regularly (at least annually) that they have reviewed, tested, and improved their systems and processes. They must also immediately report any material events to the regulator.
  3. Independent assurance that the controls and practices are working. Self-assessments and monitoring are not sufficient. The regulations require that organisations obtain independent assurance (e.g. internal audit or an external assurance provider) to prove that the institution is compliant with the requirements.
  4. End-to-end ecosystem including third parties and suppliers. The regulations require that institutions demonstrate that their full ecosystem is compliant with the requirements. This includes any third party that an institution is dependent on for the protection of its data or technology systems (e.g. suppliers, software vendors, and sales partners).
  5. A risk-based approach to identifying and prioritising control practices. The regulations require a risk-based approach. This is based on the principle that institutions must identify and assess the risk of all their technology, data, and processes. Therefore, institutions must have comprehensive identification and classification processes in place.

Organisations can navigate new regulations effectively by adopting a holistic approach that will ensure sustainable value and practical compliance solutions.

Practical steps

It is important that organisations see the regulations as an opportunity to review and enhance their existing practices and capabilities as they navigate the evolving digital and threat landscape. This is the intention of the regulations - to prepare the financial sector for the next generation of technology advancements in a safe and resilient manner.

With these regulations at the forefront, EY recommends the following five practical steps to help organisations navigate compliance effectively:

  1. Board-level positioning and awareness. Ensure that the board understands the requirements of the regulations and its responsibilities. The tone from the top is important in building a culture of good governance and resilience.
  2. Start with discovery and prioritisation. Start with discovery and prioritisation processes to ensure that the organisation has a complete understanding of its critical assets and processes. This includes all suppliers and ecosystem partners. It also helps ensure that the business controls are commensurate with the risk.
  3. Refresh existing practices and overlay requirements. Approach the three regulations holistically by refreshing existing policies and procedures to include any additional requirements or to enhance or change any systems and processes. In addition, overlay the requirements into an existing control framework (or create one if the organisation does not have an existing control framework) to demonstrate compliance.
  4. Clarify roles and responsibilities across the ecosystem. It is vital that all stakeholders understand their roles and responsibilities in executing the requirements. They must also be able to demonstrate compliance in this regard. This includes stakeholders across the ecosystem and throughout the organisation.
  5. Build mechanisms to gain visibility on a continuous basis. Compliance with the regulations is not a once-off exercise. To be effective and add value continuously, it is important to build a mechanism to have ongoing visibility regarding the organisation’s posture and compliance status. This could be done through dashboards that provide a ‘single pane of glass’ to management and the board.

Pitfalls to avoid

Organisations are taking different approaches to the regulations. However, our observations at EY reveal several common pitfalls that institutions should avoid:

  1. Tick box approach to compliance. Compliance for compliance’s sake seldom adds value to an organisation and rarely results in sustainable (‘sticky’) improvements in controls and processes. As such, institutions should consider the standards as an opportunity to ensure that their IT governance and cybersecurity practices are prioritised, risk-based, aligned to best practices, and embedded throughout the ecosystem.
  2. Relying on existing frameworks and self-assessments. Institutions could be doing many good things from IT governance and cyber resilience perspectives. However, if they cannot demonstrate to an external or independent body that their processes and practices are effective, then they will not be compliant with the regulations. Building up a portfolio of evidence to demonstrate compliance can take time. It is important to start with this early and build the collection of evidence into the processes rather than a scramble at the time of an audit.
  3. Once-off exercise to appease the regulatory bodies. Approaching the regulations as a once-off exercise will not add value to the organisation, as it will not result in meaningful improvements. Moreover, it means that every time an organisation needs to demonstrate compliance, it will need to conduct further assessments and gather additional evidence and data points.
  4. One-size-fits-all approach. The regulations are risk-based. This means that they allow organisations to apply appropriate and fit-for-purpose safeguards in line with any potential loss or impact. Taking a one-size-fits-all approach means that organisations may be over-controlling certain areas while not applying sufficient safeguards in others. This results in inefficient, costly and/or inadequate safeguards.
  5. Forgetting about the full ecosystem. Organisations are increasingly interdependent with a wide spectrum of ecosystem entities. These range from software suppliers to third-party vendors, partners, and distribution channels. Ignoring these ecosystem entities means that even the most robust and effective controls within the organisation may still not result in the organisation being compliant with the regulations.

Summary

EY advises institutions to ensure board awareness, prioritise critical assets, update practices, clarify roles, and maintain continuous oversight to comply effectively. Institutions should avoid superficial compliance and aim for meaningful, sustainable cybersecurity enhancements.