Unpacking the Joint Standards on Cyber Security 🧭
Joint Standard 1
👉 Joint Standard 1 of 2023 covers IT Governance and Risk Management for financial institutions. Published jointly by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA), it sets out principles and minimum requirements for IT governance and IT risk management. The aim is to make institutions' IT frameworks robust enough to manage IT risk effectively while supporting their business operations.
Key aspects of Joint Standard 1 include:
- IT Governance Framework: Financial institutions must establish a robust IT governance framework that aligns with their overall business strategy. This includes defining roles and responsibilities for IT management and ensuring continuous oversight of IT operations.
- Risk Management: Institutions are required to implement a comprehensive IT risk management framework, identifying, assessing, and mitigating IT-related risks to ensure the security and reliability of IT systems.
- Strategic Alignment: The IT strategy must be aligned with the institution's business objectives, so that IT investments and initiatives support the overall goals of the organization.
- Continuous Monitoring and Review: Regular monitoring and review of IT systems and processes are mandated to ensure they remain effective and aligned with evolving risks and business needs.
- Compliance and Reporting: Institutions must ensure compliance with relevant laws and regulations and report on their IT governance and risk management practices to the responsible authorities.
- Independent Reviews: Regular independent reviews of the IT governance and risk management framework are required to assess its effectiveness and identify areas for improvement.
💡 To comply with Joint Standard 1 of 2023 and Joint Standard 2 of 2024, organizations can implement the following controls and steps:
- Define roles and responsibilities for IT management.
- Align IT strategy with business objectives.
- Ensure continuous oversight of IT operations.
- Identify and assess IT-related risks.
- Develop and implement risk mitigation strategies.
- Regularly review and update risk management practices.
- Create detailed plans for responding to IT incidents.
- Assign roles and responsibilities for incident management.
- Conduct regular drills and simulations.
- Implement tools for real-time monitoring of IT systems.
- Conduct regular audits and assessments.
- Review and update IT policies and procedures.
- Ensure adherence to relevant laws and regulations.
- Report IT governance and risk management practices to the responsible authorities.
- Maintain documentation of compliance efforts.
- Schedule regular independent reviews of IT governance.
- Address findings and recommendations from reviews.
- Continuously improve IT governance practices.
Joint Standard 2
👉 Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience was published by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) on May 17, 2024. It sets out comprehensive requirements for financial institutions to establish robust cybersecurity and cyber resilience practices, and commences on June 1, 2025.
Key highlights include:
- Risk Mitigation: Financial institutions must mitigate and manage risks related to cybersecurity and cyber resilience, including those from associated entities.
- Incident Reporting: Institutions are required to notify the responsible authority of any material cyber incidents.
- Cybersecurity Strategy: A regularly reviewed cybersecurity strategy must be established to manage cyber risks and adapt to changes in the threat landscape.
- Risk Assessments: Institutions must identify critical operations and information assets, conduct risk assessments, and maintain an inventory of these assets.
- Access Control: Access to information must be limited to authorized users and devices, with strong password controls and multi-factor authentication for critical functions.
- Data Protection: Policies and measures must be in place to prevent unauthorized use of sensitive data.
- Awareness Programs: A cybersecurity awareness program should be implemented to maintain high awareness among all users.
- Resilience Capabilities: Institutions must maintain effective capabilities to monitor, detect, respond to, and recover from cyberattacks.
- Backup Strategy: A data backup strategy is required to secure sensitive information stored in backup media.
- Testing and Review: Regular testing of cybersecurity controls and resilience capacities is necessary to assess vulnerabilities and effectiveness.
Joint Standard 1 of 2023 and Joint Standard 2 of 2024 are complementary standards that together enhance the overall IT governance, cybersecurity, and cyber resilience framework for financial institutions.
- Joint Standard 1 focuses on establishing a robust IT governance framework, ensuring that IT strategies align with business objectives and that risks are effectively managed whereas Joint Standard 2 builds on this by specifically addressing cybersecurity and cyber resilience, ensuring that the IT governance framework includes strong measures to protect against and respond to cyber threats.
- Both standards emphasize risk management. Joint Standard 1 requires a comprehensive IT risk management framework while Joint Standard 2 focuses on identifying, assessing, and mitigating cybersecurity risks. Together, they ensure that financial institutions have a thorough approach to managing all IT-related risks.
- Joint Standard 1 mandates the development of incident response plans for IT-related incidents. Joint Standard 2 extends this by requiring institutions to notify the responsible authority of material cyber incidents. Together they give a coordinated and transparent approach to managing and reporting incidents.
- Both standards require regular monitoring and review of IT systems and processes. Joint Standard 1 focuses on the overall IT governance framework, while Joint Standard 2 emphasizes the need for continuous monitoring of cybersecurity controls and resilience capacities.
- Joint Standard 1 includes provisions for training and awareness related to IT governance and risk management, while Joint Standard 2 specifically mandates cybersecurity awareness programs to maintain high levels of awareness among all users. This ensures that employees are well-informed about both general IT governance and specific cybersecurity practices.
By working together, these standards provide a comprehensive framework that covers all aspects of IT governance, risk management, cybersecurity, and cyber resilience, ensuring that financial institutions are well-prepared to handle the complex and evolving landscape of cyber threats.
Let us help you navigate the cybersecurity landscape. Find out more here.