The Prudential Authority ("PA") has issued a new Directive, Directive 2/2019 Reporting on Material Information Technology and/or Cyber Incidents. The Directive sets out the minimum reporting requirements that a bank must meet towards the PA in relation to material information technology and/or cyber incidents. The Directive can be accessed on the PA's website.
The PA has indicated that the Directive flows from its awareness of the Bank for International Settlements' Financial Stability Institute's ("FSI") paper highlighting the disruptions to a bank's operations caused by general IT and cyber incidents (a copy of which can be accessed here). The FSI has a mandate to assist supervisors around the world (including the PA in South Africa) in improving and strengthening their financial systems. The FSI's paper indicates that "recent high profile cyber-attacks on financial institutions have focused attention on the need to strengthen cyber-security" and that, despite this, "only a handful of jurisdictions have specific regulatory and supervisory initiatives on banks' cyber-risk; these include, Hong Kong SAR, Singapore, the United Kingdom and the United States."
The Directive sets out the meaning the PA has attributed to: (i) a 'material incident'; (ii) an 'IT incident'; (iii) a 'cyber incident'; and (iv) an 'information system'. These definitions give a bank guidance as to when the Directive will and will not apply. It should be noted in this regard that these definitions are broadly drafted.
The Directive will require banks to:
- comply with the reporting requirements set out in the Directive in relation to material IT and/or cyber incidents;
- establish and maintain robust governance structures, which includes the coverage of IT, to ensure adequate management and operational oversight over critical business functions, resources and infrastructure;
- implement a sufficiently robust incident management framework to manage and report IT and cyber incidents; and
- notify the PA, as soon as practicably possible but not later than one day, following the discovery of a material IT and/or cyber incident.
After an incident has been reported to the PA, the bank will then need to complete the "Material IT and cyber incident report" (Annexure A to the Directive) and, within 14 (fourteen) calendar days, submit a root cause and impact analysis report to the PA.
The FSI's paper reports that there are two opposing views on whether supervisory bodies need to regulate cyber-risk. One view is that the evolving nature of cyber-risk is not amenable to specific regulation. This view may seem drastic, but the reporting requirements expected by the PA in this Directive will place additional strain on a bank that already has to manage a material incident. The opposing view is that a regulatory structure is needed to deal with the unique nature of cyber-risk, given the growing threats resulting from an increasingly digitised financial sector. Regulation and oversight in this regard may be important to ensure that our financial sector, and those who manage the various banks, are properly motivated to put proper security and other systems in place, so as to avoid potential liability where an incident occurs and the bank has not adequately protected itself and its customers.
Placing even more strain on a bank during the crucial time of managing the impact of a material incident is the fact that banks will soon have a triple reporting obligation for security incidents. This will include, in the first instance, notifying and reporting to the PA in terms of the Directive (as explained above); in the second instance, notifying the Information Regulator under the Protection of Personal Information Act, 2013; and, in the third instance, reporting security incidents within 72 hours (in the prescribed form) in terms of the Cybercrimes Bill (B6-2017, currently with the National Council of Provinces).
It is imperative that regulated institutions have proper policies and procedures in place to deal with incidents as and when they occur, including developing cohesive and comprehensive incident response plans, as well as training staff on how to react when an incident does occur. Further, as a practical guideline, institutions should also test the plan from time to time through simulated security incidents, on an almost "fire drill" basis.