In the dynamic world of financial services, cybersecurity and IT governance are no longer just about protecting data; they are about ensuring regulatory compliance.
Many financial institutions have aligned themselves with global industry standards for cybersecurity and IT governance, such as the National Institute of Standards & Technology’s Cybersecurity Framework, the International Organisation for Standardisation (ISO) and the Center for Internet Security (CIS). These standards are voluntary, but they are developed by global industry bodies and widely accepted as best practice.
But new regulations issued jointly by the Reserve Bank’s Prudential Authority and the Financial Sector Conduct Authority now push the envelope further. These regulations include standards for cybersecurity and IT governance, introducing several critical requirements that demand a deeper integration of cybersecurity and IT governance practices into the fabric of the organisation.
The first shift is the emphasis on board-level accountability. Cybersecurity isn’t just an IT issue any more; it’s a governance issue. Boards are now expected to embed cybersecurity and IT governance practices into the organisation’s culture, ensuring it’s not just a policy on paper but a living, breathing part of daily operations.
There’s also a requirement for demonstrable compliance. It’s not enough to say you’re following best practices; you must prove it. This means regular reporting on how systems are tested and improved, and how quickly material incidents are reported. Compliance is now about showing, not just claiming.
Independent assurance is crucial. Self-assessment is out; external validation is in. Whether through internal audits or third-party assessments, there must be an impartial confirmation that the controls in place are working as intended. The scope of these regulations extends to the entire ecosystem, including third parties and suppliers. This holistic approach ensures that no part of the chain is weak, as cybersecurity is only as strong as its weakest link.
Finally, there’s a push towards a risk-based approach. This means identifying and prioritising controls based on potential impact, ensuring resources are allocated where they’re most needed.
To navigate these changes effectively, institutions should start with board engagement. Educating and involving the board in cybersecurity discussions sets the tone for the organisation. They need to understand not just the risks but also their role in mitigating them.
Next, there should be a thorough discovery and prioritisation process. This involves mapping out all critical assets, processes and dependencies, especially those involving third parties. Prioritising these based on risk ensures that the most important and most vulnerable areas receive the most attention.
Updating policies to reflect these new requirements is essential. This isn’t about creating new policies but enhancing existing ones to include the additional regulatory demands, making them practical and effective.
Clarity on roles and responsibilities across the ecosystem is vital. Everyone involved, from internal staff to external vendors, must understand their part in maintaining compliance. This clarity fosters a collective responsibility towards cybersecurity.
Establishing mechanisms for continuous monitoring is also crucial. This could be through dashboards or regular compliance reports that provide real-time insights into the organisation’s security posture, ensuring compliance isn’t a one-time event but an ongoing process.
One of the biggest mistakes is treating compliance as a tick-box exercise. True compliance should lead to a cultural shift towards cybersecurity, not just a checklist to be completed. Relying solely on existing frameworks without adapting them to the new regulations can lead to gaps in compliance. These frameworks are a starting point, not the finish line.
Approaching compliance as a one-time effort is another pitfall. Compliance should be seen as a journey of improvement, not a destination. A one-size-fits-all approach to controls can be inefficient. Tailoring controls to specific risks ensures that resources are used effectively, neither overprotecting nor leaving vulnerabilities exposed.
Lastly, ignoring the broader ecosystem can be detrimental. Cybersecurity is a chain; if one link such as a third-party vendor is weak, the entire chain is compromised.
The new regulatory environment in financial services is not just about meeting minimum standards; it is about preparing for a future where digital threats are as common as digital opportunities.
By viewing these regulations as a chance to enhance cybersecurity practices, financial institutions not only comply but also strengthen their overall security posture. This approach, rooted in board engagement, risk assessment, policy enhancement and continuous improvement, ensures that organisations are not just compliant today but also resilient against tomorrow’s challenges.
This proactive stance not only satisfies regulatory bodies but also builds trust with all stakeholders, safeguarding the integrity and future of financial operations in an increasingly digital world.
• Wilson is an EY partner and Western Cape consulting leader.
