On 15 May 2017, the South African Reserve Bank (SARB), through the Office of the Registrar of Banks (the Office), issued Guidance Note G4/2017 dealing with cyber resilience (the Guidance Note) to banks, branches of foreign institutions, controlling companies, eligible institutions and auditors of banks or controlling companies (banks). The purpose of the Guidance Note was to bring to the attention of banks the latest international best practice relating to cyber resilience.
In terms of Regulation 39 of the regulations relating to Banks, all banks are required to ensure an adequate and effective process of corporate governance, which includes the maintenance of effective risk management and capital management. These objectives are achieved by requiring that banks have comprehensive risk management processes, practices, procedures, and policies (processes and policies) in place. The Guidance Note affirms that cyber risk should form part of the aforementioned processes and policies.
As such, the Guidance Note requests that banks assess the adequacy and robustness of their current processes and policies against the cyber resilience guidance principles that were issued by the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) for financial market infrastructures on 29 June 2016 (the CPMI/IOSCO cyber resilience guidance).
The Guidance Note states that the following is expected from banks in respect of their operations:
- that all cyber controls implemented by a bank follow a risk-based approach, in line with the risk appetite of the bank;
- that banks balance the cost of implementing controls against benefits to be derived, in accordance with the "principles-based" approach of the guidance;
- that bank recovery time objectives be based on a thorough business impact assessment and that the bank's situational awareness includes cyber threat intelligence; and
- that banks use reputable external service providers when using third parties for security testing.
The Guidance Note states that the Office will continually review the processes and policies of banks to assess their appropriateness against the CPMI/IOSCO cyber resilience guidance. Further, the Office may require relevant banks to strengthen their risk management processes or policies, or to hold additional capital.