Navigating the Joint Standard on cybersecurity and cyber resilience requirements


Muhammad Ali Bhikhan, CIO – Absa Regional Operations, discusses the Joint Standard on cybersecurity and cyber resilience requirements, what CIOs need to know, and strategies for maintaining resilience.

To better understand the Joint Standard set to commence on 1 June 2025, which gives financial institutions one year to ensure compliance, CIO South Africa connected with Muhammad Ali Bhikhan, CIO of Absa Regional Operations. He discussed what this means for the financial services sector and, more importantly, its implications for CIOs and their priorities.

Q: What is the Joint Standard on cybersecurity and cyber resilience requirements?

A: The Joint Standard on cybersecurity and cyber resilience requirements, as published by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA), is specifically for financial institutions operating in South Africa. It establishes a comprehensive set of responsibilities for CIOs, necessitating a proactive, strategic and collaborative approach to managing the organisation’s cybersecurity posture. This ensures the organisation can effectively protect its information assets and maintain operational continuity in the face of cyber threats.

Key highlights include: 

  • Risk mitigation: requires financial institutions to proactively address and manage cyber risks. 
  • Incident reporting: mandates notification of material cyber incidents to the relevant authority. 
  • Cybersecurity strategy: emphasises the development and maintenance of a regularly reviewed cybersecurity strategy. 
  • Additional requirements: encompasses data protection, access controls, network security and vulnerability management.

The Joint Standard is set to commence on 1 June 2025, giving financial institutions one year to ensure compliance. 

Q: How does it affect CIOs? 

A: CIOs in the financial sector will be significantly impacted by the Joint Standard, as they’ll be responsible for leading compliance efforts to ensure their organisations meet all requirements, tailored to the nature, size and complexity of their organisation. This includes conducting thorough risk assessments to identify and prioritise critical business processes and information assets, and maintaining a detailed inventory. 

CIOs will need to fortify their existing security measures by implementing robust cybersecurity practices to safeguard information assets and prevent cyber incidents. A crucial aspect of their role will be nurturing a strong security culture by promoting cybersecurity awareness throughout the organisation. 

While many organisations are already addressing these areas due to the rise in cybercrime, the Joint Standard formalises these expectations and may necessitate additional resources, budget allocation and a strategic shift in priorities for CIOs. 

Q: What is your advice for CIOs in other sectors on incorporating cybersecurity and cyber resilience into IT strategies?

A: Cybersecurity is not exclusive to the financial sector. CIOs in all sectors should:

  • Prioritise cybersecurity: make it a fundamental component of the overall IT strategy.
  • Conduct regular risk assessments: identify vulnerabilities and implement appropriate controls.
  • Invest in employee training: educate employees about cybersecurity risks and best practices. 
  • Adopt a proactive approach: stay updated on emerging threats and technologies. 

Q: What regulatory/governance changes do you foresee over the next few years in cybersecurity?

A: Stricter data protection regulations: governments and regulatory bodies around the world are expected to implement stricter data protection regulations. 

More stringent regulations and standards will likely be introduced to address evolving cyber threats. 

Enhanced incident reporting and information sharing: regulatory bodies are expected to introduce more stringent requirements for incident reporting and information sharing. Organisations may be required to report cybersecurity incidents within a shorter timeframe and provide more detailed information about the nature and impact of the incidents. There will also be greater emphasis on collaboration and information sharing between public and private sectors to enhance collective cybersecurity resilience. 

Emergence of AI and machine learning regulations: with the increasing use of artificial intelligence (AI) and machine learning (ML) in cybersecurity, regulatory frameworks will need to address the ethical and security implications of these technologies. Regulations may focus on ensuring transparency, accountability, and fairness in AI/ML algorithms, as well as mitigating potential risks associated with their deployment in cybersecurity defences. 

In the coming years, we can expect a heightened focus on cultivating a skilled cybersecurity workforce. This will involve promoting continuous learning and development, emphasising both technical proficiency and soft skills such as communication, collaboration, and adaptability to effectively address the ever evolving landscape of cyber threats. 

To meet the increasing demand for cybersecurity expertise, governments, corporates and regulatory bodies are likely to invest more in cybersecurity education and workforce development initiatives. This may include increased funding for training programmes, certifications, and partnerships with educational institutions to build a sustainable pipeline of cybersecurity talent. 

Q: Can you share statistics on cybersecurity and cyber attacks targeting South African banks, and explain the extent of the harm to the industry?

A: In South Africa, the Digital Banking Crime Statistics highlight the following:

  • Significant increase in mobile banking incidents – there is a growing vulnerability of mobile platforms and the need for heightened security measures. 
  • Phishing remains a primary threat – the report emphasises that despite the sophistication of banking security protocols, criminals continue to successfully target individuals through social engineering tactics like phishing. This underscores the importance of educating customers on identifying and avoiding phishing scams, as they are often the weakest link in the security chain.

In Africa, The KPMG Africa Cyber Security Outlook 2022 survey, drawing insights from 300 respondents across various industries and company sizes in Africa, highlights the dynamic and rapidly evolving cybersecurity landscape on the continent. This landscape is driven by widespread digitisation and economic growth, with 74 percent of large African companies reporting a relatively mature approach to cybersecurity and privacy. 

The survey identifies key areas for improvement, including integrating cybersecurity into core business strategies, strengthening regulation, proactive threat defence, and addressing the cyber talent shortage. 

At Absa, safeguarding the security of our customers’ and clients’ information is paramount. We recognise the critical role cybersecurity plays in today’s digital world and are committed to maintaining a vigilant and proactive stance. This includes implementing robust measures to ensure cyber resilience, managing cyber risks effectively, and promoting best practices in cybersecurity fundamentals and hygiene. 

This commitment extends to substantial investments in both educating our employees and addressing the cybersecurity skills gap. In South Africa, our Cybersecurity Academy actively engages the youth, empowering them with the knowledge and expertise needed to thrive in this vital industry. Our ambition is to establish Africa as the hub for global cybersecurity skills and we plan to extend the programme across the continent over time, as it has the potential to grow exponentially and change many lives.
