Enhanced cybersecurity standards for financial institutions
New requirements for cybersecurity resilience, eg, all financial institutions to adopt robust cybersecurity, risk management and incident response frameworks

No data available for the deliverable: New requirements for cybersecurity resilience, eg, all financial institutions to adopt robust cybersecurity, risk management and incident response frameworks


Summary

The Joint Standard on Cybersecurity and Cyber Resilience (effective June 2025) sets minimum requirements for governance, incident response, employee training, and third-party risk.


Is it working?

The reform is highly effective, with improved data protection and faster breach response, but ongoing vigilance is required. Full compliance is expected by June 2025 with ongoing supervision and updates.

Actions

The sector is progressing rapidly, with large institutions compliant and smaller firms upgrading systems. The standard is comprehensive and aligns with global best practice.

Are there plans?

Joint Standard 2 of 2024 was published, with audits, readiness reviews and penalties for non-compliance. Sector-wide application is enforced.

Is it on the agenda?

The FSCA, SARB and Prudential Authority have made this a top priority, with compliance required by June 2025.

Goals

To ensure robust, mandatory cybersecurity and resilience across all financial institutions, protecting data and consumer trust, through ongoing guidance audits and incident reporting. The reform includes the implementation of the Joint Standard on Cybersecurity and Cyber Resilience (Joint Standard 2 of 2024).

Summary

The Joint Standard on Cybersecurity and Cyber Resilience (effective June 2025) sets minimum requirements for governance, incident response, employee training, and third-party risk. SARB/FSCA action ensures upgraded cybersecurity risk management, incident response and regulatory reporting for financial institutions; sector-wide standards updated in Q4 2025. Mandatory cybersecurity policy guidelines adopted, periodic regulatory audits and incident reporting protocol live.


Is it working?

The reform is highly effective, with improved data protection and faster breach response, but ongoing vigilance is required. Full compliance is expected soon, with ongoing supervision and updates as standards mature and sector resilience improves.

Actions

The sector is progressing rapidly, with large institutions compliant and smaller firms upgrading systems. The standard is comprehensive and aligns with global best practice. Industry is meeting the regulatory minimum, sector-wide standards are in place, and incident response is rapid.

Are there plans?

Joint Standard 2 of 2024 was published, with audits, readiness reviews and penalties for non-compliance. Sector-wide application is enforced. Policy mandates, compliance testing, cyber-resilience and regulatory reviews are being monitored.

Is it on the agenda?

The FSCA, SARB and Prudential Authority have made this a top priority, with compliance required by June 2025. Cabinet cluster for law/finance, FSCA/PA ongoing compliance audit schedule as well as SARB sector stress tests.

Goals

To ensure robust, mandatory cybersecurity and resilience across all financial institutions, protecting data and consumer trust, through ongoing guidance audits and incident reporting. The reform includes the implementation of the Joint Standard on Cybersecurity and Cyber Resilience with the objective of strengthening sector resilience, addressing cyber risks and unifying incident standards.

Summary

The Joint Standard on Cybersecurity and Cyber Resilience (effective June 2025) sets minimum requirements for governance, incident response, employee training, and third-party risk. SARB, the Prudential Authority and FSCA have rolled out updated cybersecurity requirements for regulated institutions, covering governance, risk assessment, controls, incident detection and reporting. Sector‑wide standards were upgraded in late 2025, and Budget Review 2026 underscores the importance of operational resilience and cyber‑risk management as digitalisation, open‑finance initiatives and payments‑system modernisation expand their coverage areas.


Is it working?

Baseline cyber‑hygiene and incident‑response capabilities have improved materially and major institutions generally meet regulatory expectations. The main ongoing risks are increasingly sophisticated attacks, concentration in key service providers and the need for smaller firms to match the resilience of larger peers, which will test the robustness of the framework over time.

Actions

Regulators have issued guidelines and standards, conducted cyber‑risk assessments and stress tests, launched audit and supervisory programmes focused on cyber‑risk management and incident response, and established reporting channels for significant cybersecurity events.

Are there plans?

The authorities are planning ongoing compliance testing, sector‑wide cyber‑scenario exercises and regular updates of guidance to reflect evolving threats and technologies, while integrating cyber‑risk considerations into broader prudential and conduct supervision.

Is it on the agenda?

Cyber‑resilience is a standing item in Cabinet law‑and‑finance cluster discussions and in SARB, PA and FSCA strategic plans. This is referenced in Budget Review 2026’s financial‑sector section as a key pillar of financial stability and consumer protection in an increasingly digital system.

Goals

Strengthen sector resilience, address cyber risks and unify incident standards by ensuring robust, mandatory cybersecurity and resilience across all financial institutions, protecting data and consumer trust. This will be monitored through ongoing guidance audits and incident reporting. The reform includes the implementation of the Joint Standard on Cybersecurity and Cyber Resilience, with the objective of strengthening sector resilience, addressing cyber risks and unifying incident standards.


Analyst: Tinashe Kambadza
Status: in-progress
