Cyber Resilience Guidance Note issued by the SARB 



These materials are provided for general information purposes only and do not constitute legal or other professional advice. While every effort is made to update the information regularly and to offer the most current, correct and accurate information, we accept no liability or responsibility whatsoever if any information is, for whatever reason, incorrect, inaccurate or dated. We accept no responsibility for any loss or damage, whether direct, indirect or consequential, which may arise from access to or reliance on the information contained herein.

© Copyright Webber Wentzel. All Rights reserved.

On 15 May 2017, the South African Reserve Bank (SARB), through the Office of the Registrar of Banks (the Office), issued Guidance Note G4/2017 dealing with cyber resilience (the Guidance Note) to banks, branches of foreign institutions, controlling companies, eligible institutions and auditors of banks or controlling companies (banks). The purpose of the Guidance Note was to bring to the attention of banks the latest international best practice relating to cyber resilience.

In terms of Regulation 39 of the regulations relating to Banks, all banks are required to ensure an adequate and effective process of corporate governance, which includes the maintenance of effective risk management and capital management. These objectives are achieved by requiring that banks have comprehensive risk management processes, practices, procedures, and policies (processes and policies) in place. The Guidance Note affirms that cyber risk should form part of the aforementioned processes and policies.

As such, the Guidance Note requests that banks assess the adequacy and robustness of their current processes and policies against the cyber resilience guidance principles that were issued by the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) for financial market infrastructures on 29 June 2016 (the CPMI/IOSCO cyber resilience guidance).

The Guidance Note states that the following is expected from banks in respect of their operations:

  • that all cyber controls implemented by a bank follow a risk-based approach, in line with the risk appetite of the bank;
  • that banks balance the cost of implementing controls against benefits to be derived, in accordance with the "principles-based" approach of the guidance;
  • that bank recovery time objectives be based on a thorough business impact assessment and that the bank's situational awareness includes cyber threat intelligence; and
  • that banks use reputable external service providers when using third parties for security testing.

The Guidance Note states that the Office will continually review the processes and policies of banks, to assess their appropriateness, against the CPMI/IOSCO cyber resilience guidance. Further, the Office may require relevant banks to strengthen their risk management processes or policies or to hold additional capital.
