What SA's New Cyber Rules Mean for Financial Firms

South African financial institutions are now supervised against two dedicated standards for technology risk: Joint Standard 4 of 2023 on IT governance and risk management, in effect since 15 November 2024, and Joint Standard 2 of 2024 on cybersecurity and cyber resilience. Both were issued jointly by the Prudential Authority (PA) and the Financial Sector Conduct Authority (FSCA).
The PA's 2025/26 annual report, published in June, gives the first clear picture of how these standards are being supervised in practice. If you operate in or around the financial sector, it is worth understanding what the regulator is actually doing, because it signals where compliance conversations are heading.
The two standards in brief
Joint Standard 4 of 2023 (IT governance and risk management) makes technology governance a board-level responsibility. Financial institutions are expected to manage IT risk within a formal framework: clear accountability, an IT strategy aligned to the business, and controls that match the institution's risk profile. The PA's report describes ongoing engagement with institutions to "advance IT governance maturity" and strengthen preparedness for emerging digital risks.
Joint Standard 2 of 2024 (cybersecurity and cyber resilience) goes further than asking for defences. The PA describes its approach as proactive and forward-looking: institutions should be able to detect, respond to and recover from cyber incidents, not merely try to prevent them. Resilience, not just protection, is the test.
If you are unsure whether the standards apply to your organisation, that is a question for your compliance function or legal adviser. But the supervisory direction matters even to firms outside their formal scope, because regulated clients increasingly pass these expectations down to their suppliers.
How the PA supervised in 2025/26
Three things stand out from the report.
Simulations instead of checklists
In 2025 the PA observed cyber simulation exercises across banks, insurers and market infrastructures: tabletop, technical and hybrid formats testing governance, escalation, crisis communication and regulatory reporting. Scenarios covered phishing, ransomware, data breaches and third-party compromises. The regulator explicitly welcomed board and senior management involvement, reinforcing its view of cyber risk as a business risk rather than an IT issue alone.
Breathing room, with expectations attached
The PA chose not to issue its operational risk, IT risk and cyber surveys in 2025, to give institutions time to embed fixes for gaps identified previously. That is not a relaxation. It is a regulator saying: you know what needs remediating, show progress.
Third parties under the spotlight
The PA's 2025 "flavour-of-the-year" focus was third-party risk management. Its findings noted extensive reliance on single or limited suppliers for critical operations, and the difficulty of managing cybersecurity and resilience across those relationships. Outsourcing arrangements also featured in its supervision of insurers. The message is consistent: you can delegate the work, not the accountability.
What good looks like
Reading across the report, the institutions that impressed the regulator shared habits any firm can adopt:
- Named ownership. Cyber and IT risk owned at board and executive level, with clear delegation below.
- Documented frameworks. IT governance, risk appetite and incident response written down, current and actually used.
- Tested resilience. Simulations and recovery tests run, documented and followed by formal debriefs with assigned remediation.
- Visibility of weaknesses. A live view of vulnerabilities and unpatched systems, rather than an annual snapshot.
- Third-party oversight. Knowing which suppliers are critical, what access they hold and how their security posture is monitored.
South Africa is not alone in this direction. The EU's Digital Operational Resilience Act (DORA) applies similar logic to financial entities in Europe, so firms with UK or European ties will recognise the pattern.
Closing the gap without building a department
For smaller regulated firms, and for the many businesses that serve them, the practical question is how to meet these expectations without a dedicated security team. The building blocks map neatly onto managed services: continuous vulnerability management (our Vikelus platform exists for exactly this), 24/7 managed detection and response for the detect-and-respond obligations, immutable backup and disaster recovery for the recover leg, third-party risk monitoring through platforms such as Panorays, and security awareness training to cover the human layer.
None of that removes accountability, which stays with your board. It does make the evidence, the monitoring and the response capacity achievable at a sensible cost.
The takeaway
The PA's first full year of supervising against the Joint Standards shows a regulator focused on demonstrated resilience: rehearsed responses, documented governance and managed third parties. Whether you fall under the standards directly or supply someone who does, those three themes are a sound checklist for where to invest next.
Want this handled for you?
Talk to the F1 team about managed IT, cybersecurity and cloud for your business.

