Navigating The Prudential Authority Joint Standards And The Potential Gaps In Your ISMS And Cyber Controls


In the ever-evolving and rapidly innovating landscape of financial services, the safeguarding of sensitive information against digital crimes and digital threats has become imperative for resilient services and for maintaining digital trust. To address these critical risks, the Financial Sector Conduct Authority (FSCA) and Prudential Authority have introduced the Joint Standards for Information Technology Governance and Risk Management Requirements, as well as the Joint Standard for Cyber Security and Cyber Resilience. These Joint Standards apply to a very broad range of Financial Services Providers (FSPs), including banks, insurers, market infrastructures, managers of collective investment schemes, discretionary FSPs, and administrative FSPs. The Joint Standards require that organisations reassess their IT Strategies, IT Risk Management Framework, IT Governance, and Cyber Security controls so that they can mitigate the risk of a cyber breach.
This article provides an overview of the main differences between these Joint Standards and the controls of a typical Information Security Management System (ISMS) that is based on the ISO 27001 standard and NIST CSF.

CURRENT STATUS AND COMMENCEMENT DATES

The final Joint Standard for Information Technology Governance and Risk Management was signed and published on 10 November 2023, and financial institutions must implement the requirements by the commencement date of 15 November 2024. The Joint Standard for Cybersecurity and Cyber Resilience will commence on 1 June 2025.

OBLIGATIONS OF COMPLIANCE TO THE JOINT STANDARDS

The Prudential Authority Joint Standards are applicable to a broad range of financial services organisations, including banks, insurers, pension funds, and, in general, all Financial Service Providers. Given the pivotal role of the financial sector in the economy and the centrality of Information Technology within these institutions, it has become essential to establish a robust and comprehensive regulatory framework for IT risk management. This framework, encapsulated within the Joint Standards, is designed to address both prudential and conduct perspectives. The Joint Standards aim to ensure that these organisations maintain high levels of integrity and security in their operations. Whilst the requirements span across a range of controls, the obligations are summarised as follows:

-Leadership buy-in and support: Leaders must communicate the importance of the standard, provide the necessary support and resources for compliance projects, provide the necessary training, implement measures for monitoring compliance, and address non-compliance issues.

-The FSP must classify an event as a material incident and notify the responsible authority under the applicable financial sector law of any system failures, malfunctions, delays or incidents within the determined timeframe.

-Regulatory reports and assurance of compliance with the Joint Standards must be drafted that detail adherence to the standard, performance metrics, incident reporting, and corrective action taken.

ALIGNMENT TO BEST PRACTICES AND KEY DIFFERENCES

The main differences between the Joint Standard for IT and ISO 27001 include the following requirements that organisations need to consider as an enhancement to their existing ISMS:

Governance and Oversight:

-Joint Standard for IT Risk: The governing body and senior management must establish a robust IT risk management framework with clearly defined roles and responsibilities for overseeing IT risks to ensure compliance.

-ISO 27001: Focuses on implementing an effective Information Security Management System (ISMS) to safeguard sensitive information and ensure legal compliance, emphasising leadership commitment and defined roles.

Strategy Alignment and Review:

-Joint Standard for IT Risk: IT strategy must align with the overall business strategy, receive annual approval from the governing body, and undergo quarterly reviews to address IT risks.

-ISO 27001: Establishing an Information Security Policy and aligning ISMS goals with the organisational strategy through leadership commitment is key to meeting the ISO 27001 standards.

Risk Management:

-Joint Standard for IT Risk: Requires a comprehensive IT risk management framework that includes policies, standards, and procedures for managing IT risks, covering aspects like change and incident management, capacity planning, sensitive information protection, and logical access controls, with periodic updates and independent reviews.

-ISO 27001: Involves conducting risk assessments, setting security objectives, and continuous monitoring through key performance indicators, internal audits, and management reviews to evaluate and improve the ISMS continuously.

The main differences between the Joint Standard for Cyber and NIST CSF (Cyber Security Framework) include the following requirements that organisations need to consider as an enhancement to their existing cyber controls:

Applicability:

-Joint Standard for Cyber: Specifically tailored for financial institutions, focusing on establishing comprehensive cybersecurity requirements that cover strategy, risk management, and operational security within the sector.

-NIST Cybersecurity Framework: Offers guidance applicable across various sectors, providing flexibility for organisations to prioritise cybersecurity efforts based on their specific needs and risk assessments.

Governance and Integration:

-Joint Standard for Cyber: Emphasises governance integration by requiring the development of robust cybersecurity strategies aligned with organisational goals and mandates the integration of cyber risk management into governance structures.

-NIST Cybersecurity Framework: Follows a lifecycle approach structured around five key functions (Identify, Protect, Detect, Respond, and Recover), guiding organisations from initial identification of assets and risks through to incident response, recovery, and continual improvement. Prior to NIST CSF 2.0, governance was not included as part of the framework.

Incident Management:

-Joint Standard for Cyber: Mandates timely incident reporting to authorities within 24 hours of significant system failures or cyber incidents, ensuring regulatory compliance and fostering a proactive approach to incident management.

-NIST Cybersecurity Framework: Focuses on incident response and recovery phases within its framework, outlining procedures for detecting, responding to, mitigating, and recovering from cybersecurity incidents, thereby aiming to minimise disruption and restore operations effectively.

CONCLUSION

Both the Joint Standard for IT Risks and the Joint Standard for Cybersecurity provide alignment to best practices for monitoring and managing the complexities and challenges associated with IT and cybersecurity within the financial sector. The Joint Standard for IT Risks enables financial institutions to align with the ISO 27001 Standard requirements by mitigating IT risks, thereby ensuring Information Security, sustaining operational continuity, and cultivating trust with stakeholders. Similarly, the Joint Standard for Cybersecurity supports alignment with NIST CSF best practices by guiding financial institutions in identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents through structured processes and controls, thereby ensuring compliance with the framework’s requirements and enhancing the overall cybersecurity posture.

However, organisations do need to be aware of the differences and specific requirements of these new standards and make the necessary changes to their Information and Cyber Security governance, policies and controls to address the obligations and ensure compliance.

Key contributors:
Raymond du Plessis
Yolandi Moodley
Candice Jamieson
Robyn Goosen (Baker)
Matthew Tsuen