On 17 May 2024, the South African Reserve Bank (SARB) issued Directive No. 01 of 2024, targeting cybersecurity and cyber-resilience within the National Payment System (NPS). As digital payment solutions become more integral to financial systems, this directive is a critical step to fortify the security and resilience of payment institutions against cyber threats.
Who does the directive apply to?
Directive No. 01 of 2024 applies to the following entities within the National Payment System (NPS):
- Payment institutions, including persons designated, authorised, registered, or regulated under the National Payment System Act 78 of 1998 (NPS Act). This includes clearing system participants, settlement system participants, third-party payment providers, and system operators.
- Operators of payment systems, including payment clearing house system operators, operators of settlement systems, and operators of payment system financial market infrastructures (FMIs).
Essential requirements and practical steps for compliance
1. Develop robust cyber-governance frameworks
Payment institutions and operators must establish comprehensive cyber-governance arrangements. These arrangements include:
- Defining clear cybersecurity and cyber-resilience objectives.
- Outlining the necessary people, processes, and technology to manage cyber-risks.
- Ensuring board and senior management oversight of cybersecurity policies and strategies.
Actionable step: Assign a dedicated team to draft and review your cybersecurity policies annually. Ensure your board or senior management regularly discusses and updates these policies to align with evolving cyber threats and compliance requirements.
2. Identify critical operations and information assets
Institutions must identify and protect critical technology, operations, processes, and information assets from cyber-compromise.
Actionable step: Conduct a thorough risk assessment to classify and prioritise your technology and information assets based on their criticality and sensitivity. This will facilitate timely protective, detective, and recovery efforts.
3. Implement comprehensive cybersecurity measures
The directive mandates the implementation of security controls and systems to safeguard the confidentiality, integrity, and availability of services.
Actionable step: Incorporate multi-factor authentication (MFA), encryption, and regular security patch updates into your cybersecurity framework. Additionally, ensure continuous staff training on cybersecurity awareness and best practices.
4. Establish effective response and recovery plans
Institutions must have measures in place to rapidly resume critical operations following a cyber-attack.
Actionable step: Develop and test your incident response and recovery plans quarterly. Include scenarios for extreme cyber events to ensure your institution maintains operations and meets settlement obligations within the prescribed timelines.
5. Enhance situational awareness and information sharing
Organisations must understand the cyber-threat landscape and actively engage in information sharing with regulators and cybersecurity agencies.
Actionable step: Join information-sharing groups like the Cybersecurity Hub and Computer Incident Response Teams. Establish processes for gathering, analysing, and sharing cyber-threat intelligence to enhance your situational awareness and proactive defence mechanisms.
Compliance monitoring and reporting
The SARB may conduct supervisory onsite or offsite inspections to ensure compliance with the directive. Payment institutions must report material cyber incidents to the SARB within 24 hours and provide detailed reports within 48 hours.
Actionable step: Implement a robust incident reporting protocol that ensures timely communication with the SARB. Regularly update your incident response team on compliance requirements and reporting procedures.
How ITLawCo can assist
Navigating the complexities of the SARB directive can be challenging. ITLawCo offers specialised services to help payment institutions and operators achieve compliance efficiently:
- Policy development and review: We can help you draft and refine your cybersecurity policies and governance frameworks.
- Risk assessments and audits: Our experts provide comprehensive assessments and audits to identify vulnerabilities and ensure robust cyber-resilience measures.
- Incident planning, response, investigation and recovery: We help develop and test incident plans tailored to your organisation’s needs.
- Training and awareness programmes: Our training programmes ensure your staff is well-versed in cybersecurity best practices and compliance requirements.
For more information on how we can support your compliance journey, get in touch with us today.