This guide helps CISOs, Legal, and GRC teams implement Joint Standard 2 of 2024 with clear steps, timelines, and tools.

Effective date: 1 June 2025
Applies to: Banks, insurers, asset managers, retirement funds, credit rating agencies, and more
Issued by: The Prudential Authority and the Financial Sector Conduct Authority

A step change in regulatory expectations

Joint Standard 2 of 2024 marks a decisive shift in how South African regulators view cyber risk: no longer as a back-office IT matter, but as a systemic risk requiring board-level governance, clear evidence of controls, and resilience planning that spans the entire organisation and its third parties.

The standard is not prescriptive, but it is demanding. Institutions must show that their approach is proportionate, risk-based, and defensible. This requires maturity in documentation, oversight, testing, and response.

Things to know

1. It’s principle-based, but specific

While the Joint Standard doesn’t dictate which frameworks you must follow, its requirements strongly echo NIST CSF and ISO/IEC 27001. It emphasises:

  • Governance: The board is ultimately accountable.
  • Strategy: Cyber risk must be embedded into business strategy.
  • Resilience: Prevention matters, but recovery is non-negotiable.

2. It applies broadly—and deeply

This is not just for banks and insurers. It applies to retirement funds, CIS managers, OTC derivative providers, and even some Category I FSPs. It also creates indirect obligations for your cloud providers, fintech partners, and outsourced IT vendors.

3. It’s tightly integrated with POPIA and Joint Standard 1 of 2023

If you’re already working on POPIA compliance or IT risk under JS1:2023, there’s overlap. But don’t assume those efforts are enough. JS2:2024 adds specific, mandatory elements like:

  • Cyber hygiene enforcement (e.g. MFA, endpoint protection)
  • 24-hour material incident notification
  • Testing and simulation requirements

Things to do

✅ Map your current maturity

  • Use a diagnostic aligned to JS2’s seven domains: Governance, strategy, risk, controls, response, testing, and reporting.
  • Review roles and responsibilities. Can you show the board’s involvement?

✅ Update (or create) your documentation

Key artefacts should include:

  • A board-approved cyber risk charter
  • A cybersecurity strategy linked to business objectives
  • A critical asset inventory
  • Cyber incident response and notification procedures
  • Evidence of third-party due diligence
  • A resilience testing calendar

✅ Prepare to report

If a material cyber incident occurs, you may have just 24 hours to notify the FSCA or PA. Ensure your internal incident classification and escalation procedures are fast, accurate, and well-rehearsed.

✅ Align third-party contracts

SLAs must reflect your obligations under JS2:2024. If a third party handles your data or systems, they must implement controls equivalent to your own.

✅ Invest in resilience, not just prevention

The standard assumes that incidents will happen. What matters is how prepared you are to detect them, contain them, communicate effectively, and recover quickly.

✅ Track your testing

You must show that you’ve tested your controls and your ability to respond. This includes vulnerability scans, penetration tests, and simulated incidents.

How we can help

At ITLawCo, we help financial institutions move from intent to evidence. Our support includes:

  1. A readiness diagnostic aligned to JS2:2024
  2. Practical artefacts (e.g. cyber risk charters, breach registers, incident playbooks)
  3. Assistance in aligning your POPIA, JS1:2023 and JS2:2024 frameworks
  4. Board and executive briefings on cyber governance
  5. Regulatory response preparation, including notification templates and tracking tools

We also support legal, compliance, and technology teams with strategy development, implementation timelines, and third-party contract reviews.

If you’re unsure where to begin, we’d be happy to help you map a path to confidence and compliance. Contact us today.

Access the Standard here.