Regulatory & Governance

What South Africa's new cyber standard means for your board.

May 2026 · 7 min read

The FSCA and Prudential Authority have jointly published a mandatory cybersecurity standard for South African financial institutions. For technical teams, much of it covers familiar ground. For boards and CFOs, one aspect warrants close attention: the Standard places ultimate responsibility for cyber risk management with the governing body, and defines what that responsibility requires in ways that most current board reporting cannot satisfy.

What the Standard is

Joint Standard 2 of 2024 — Cybersecurity and Cyber Resilience Requirements for Financial Institutions — is a binding standard issued under the Financial Sector Regulation Act, 2017 by the FSCA and Prudential Authority. It applies to banks, insurers, pension funds, FSPs, market infrastructure, and OTC derivative providers. It came into effect on 1 June 2025, following a commencement notice published by both Authorities on 26 June 2024.

The Standard sets minimum requirements across six domains: governance, cybersecurity strategy and framework, operational security fundamentals, cybersecurity hygiene practices, and incident notification and reporting. Much of sections 7 and 8 — penetration testing, patch management, access controls, vulnerability assessments — addresses technical and operational teams. Sections 4, 5, 6, and 9 address boards and senior management directly.

The governing body is ultimately responsible

Section 4.1 of the Standard is unambiguous: the governing body is “ultimately responsible” for ensuring compliance with the Standard and “the oversight of cyber risk management.” It may delegate primary oversight activities to a committee, but the accountability remains at board level.

The governing body must, together with senior management, ensure that a “sound and robust cybersecurity strategy and framework is established, implemented and maintained.” Governing body members must also undergo training to raise their awareness of cyber risk management practices (Section 7.2.7(iii)).

This is not a technical obligation. It is a governance obligation, and it sits with the board. For listed entities and regulated financial institutions, this means personal accountability, not just organisational compliance.

The problem with how most boards currently oversee cyber risk

Most governing bodies receive cyber risk reporting in the form of maturity scores, traffic light dashboards, and control compliance percentages. A CISO presents figures such as “we are at level 3.4 on our NIST controls” or “we have remediated 87% of high-severity vulnerabilities this quarter.”

These metrics serve a purpose for technically literate audiences. They communicate control posture. What they do not communicate is the information a governing body actually needs to fulfil its obligations under the Standard: what is our financial exposure to a material cyber event, and is that exposure within our risk appetite?

The Standard's specific requirements make the gap concrete.

What the Standard requires, and what it implies

Three provisions are worth reading carefully.

Section 6.1.6 requires financial institutions to “define and reassess regularly business risk tolerance relative to cybersecurity and ensure that it is consistent with the business strategy and risk appetite.”

Section 6.1.7 requires them to “establish metrics to track and manage cybersecurity risks and to inform related reporting from both a technical and business context.”

Section 6.2.3 requires the cybersecurity framework to “clearly articulate how a financial institution will identify cyber risks and determine the controls required to keep those risks within acceptable limits.”

The language here is familiar to financial risk managers. Risk tolerance, risk appetite, acceptable limits, metrics: these are the terms that govern how boards oversee credit risk, market risk, and operational risk. The implication is that cyber risk governance is expected to reach the same level of analytical rigour.

You cannot define a risk appetite without a number. You cannot determine whether risks are “within acceptable limits” without knowing what those risks cost you in financial terms. You cannot establish meaningful metrics that speak to both a technical and a business context without a model that translates control posture into financial exposure.

Framework assessments and maturity scores are not built to produce these outputs. They tell you where your controls sit relative to a standard. They do not tell you what your residual risk costs.

The question your regulator is now entitled to ask

Section 9 of the Standard requires financial institutions to notify the responsible authority after classifying a cyber event as a “material incident”, defined as a disruption that “has, or is likely to have, a severe and widespread impact on the financial institution's operations, services to its customers, or the broader financial system and economy.”

That classification requires a threshold. A threshold requires a number. Arriving at that number — what financial impact constitutes a “severe” impact for your specific institution — requires a structured methodology for quantifying cyber risk in financial terms.

Implicit in the Standard's architecture is a question that regulators and auditors are now entitled to ask: what is your organisation's financial exposure to a material cyber event? If you cannot answer that question with a number — not a maturity score, not a traffic light — your governing body's oversight of cyber risk is not complete in the terms the Standard defines.

What this requires of boards and CFOs

The Standard's governance requirements demand that boards engage with cyber risk the way they engage with every other material financial risk: by understanding the financial exposure, setting a risk appetite expressed in financial terms, and monitoring performance against that appetite with metrics that mean something to a financial decision-maker, not only to a security analyst.

For CFOs, this means cyber risk can no longer be treated as a technology cost centre. It is a financial risk with a quantifiable expected loss, a tail distribution, and a direct relationship to insurance purchasing, capital allocation, and regulatory disclosure.

For CISOs, it means the format of board reporting needs to change. Maturity dashboards and vulnerability remediation rates serve their purpose. A governing body fulfilling its obligation under Joint Standard 2 of 2024 needs to know: what is our expected annual loss from a material cyber event? What is our tail risk? Which controls, if we invest in them, reduce that exposure most efficiently per rand spent?

These are questions that cyber risk quantification is designed to answer. They are not currently answerable with the tools most South African financial institutions rely on for board reporting.

The Standard is already in effect

Joint Standard 2 of 2024 came into effect on 1 June 2025. South African financial institutions are already subject to its requirements. The question is no longer whether to prepare, but whether your current governance framework genuinely satisfies what the Standard requires — or whether it satisfies the appearance of compliance without the substance.

A board that receives maturity dashboards and signs off on an annual cybersecurity policy review has the appearance of cyber risk oversight. Whether it has defined a risk appetite in terms the Standard contemplates, established metrics that speak to both a technical and a business context, and built a framework that keeps risks within quantified acceptable limits is a different question.

The Standard does not prescribe how institutions must quantify cyber risk. It prescribes the outcomes: a defined risk appetite, meaningful metrics, controls calibrated to keep risk within acceptable limits, and a governing body that can genuinely oversee all of the above. The methodology for getting there is a risk management decision, not a compliance checkbox.

Source

Financial Sector Conduct Authority and Prudential Authority. Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements for Financial Institutions. Issued under the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017). Effective 1 June 2025 per Joint Notice 1 of 2024.

Üsta Digital
