FSIs must urgently review and align cybersecurity measures with the new Joint Standard, ensuring compliance and integrating cyber risk into business strategy.
In brief:
- South Africa’s financial institutions review cybersecurity to align with the new Joint Standard
- Cybersecurity accountability requires boards and executives to integrate cyber risk into overall business strategy and risk appetite
The new Joint Standard on Cybersecurity and Cyber Resilience comes into effect on 1 June 2025. For South Africa’s financial institutions, this marks a decisive regulatory moment that demands more than paying lip service to best practice. Instead, it calls for a practical, measured response that refreshes what is already in place and ensures that everything aligns with a very specific set of regulatory expectations.
Of course, there will always be the natural temptation to assume that existing policies and protocols are good enough. After all, many institutions believe they are already compliant with international best practices. But here is the reality: best practice is not always the same as regulatory compliance. If you have premised your readiness on the draft version of the Joint Standard, note that the final version introduces approximately 60 distinct material changes, refining requirements following the consultation process. The introduction of the Joint Standard is not just an extension of what you have been doing. It is a shift in approach. And for regulated entities, failure to comply could have serious consequences, including hefty penalties or suspension of licences.
First steps
The most immediate step is to conduct a practical, detailed review of your current environment. What is in place? What aligns with the new requirements? Perhaps more importantly, what does not? Never assume the business is compliant. Prove it to yourself. Overlay what exists with the actual language and intent of the Joint Standard and map out the gaps.
This due diligence process should be organisation-wide. Cybersecurity is too often relegated to the IT department, when in fact the responsibility sits with everyone. The Joint Standard squarely places accountability with leadership. Boards and executives must take ownership, not just of compliance but of integrating cyber risk into overall business strategy and risk appetite. This is where many institutions are still operating in silos, missing the bigger picture.
Importantly, aligning cybersecurity measures with business objectives is not just a compliance tick-box. It makes good business sense. The financial sector is more interconnected than ever before, and a cyber incident at one organisation can ripple through the entire ecosystem. Building resilience goes beyond avoiding fines. Think of it as protecting your institution’s ability to operate and serve clients in a digital-first world.
Compliance is not about size
For smaller institutions, resource constraints are very real. But that does not mean you are exempt. The regulators have provided a transition window. Use it wisely. Leverage external support where needed, focus on high-impact areas first, and adopt a risk-based, fit-for-purpose approach.
Finally, do not underestimate the human factor. Training and awareness are critical components of a resilient organisation. Everyone, from frontline staff to leadership, has a role to play, and that awareness must be baked into your day-to-day operations.
With just weeks to go, the priority now is clear: refresh what you think you know, verify your assumptions, and act decisively. Institutions that do this well will be able to meet the regulatory deadline while also strengthening their posture in an increasingly hostile digital landscape.
In summary
South Africa’s financial institutions must act decisively to ensure compliance. Conduct a thorough review of your current cybersecurity measures, align them with the new requirements, and integrate cyber risk into your overall business strategy. Refresh your assumptions, verify your readiness, and take immediate action to protect your institution and meet the regulatory deadline.