Joint Standard 2 of 2024: Post 1 June 2025, now what?

by Leon Greyling | 30 May 2025 | ICTS, Q2 2025, Special Feature

George Brown

As cyber threats intensify globally, South Africa’s financial sector is bolstering its defences with Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements, published by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) on 17 May 2024, with a compliance deadline of 1 June 2025. The standard mandates robust cybersecurity frameworks for financial institutions, including retirement funds and their service providers, to protect members’ savings and ensure operational continuity. It sets out specific requirements for monitoring and mitigating cyber risks, operational measures to prevent attacks, and ongoing training for trustees. This article examines these mandates, drawing lessons from recent cyber-attacks on Australian pension funds to underscore their urgency.

Monitoring and mitigating cyber risks

Joint Standard 2 adopts a proactive, risk-based approach, requiring retirement funds to continuously monitor and mitigate cyber risks. Funds must identify critical business processes and information assets through regular risk assessments, maintaining an inventory to prioritise protection. A cybersecurity strategy, reviewed regularly, ensures alignment with evolving threats and the fund’s risk profile. Real-time detection systems, such as intrusion detection tools, are mandated to identify anomalies promptly, with material cyber incidents reported to the FSCA or PA within 24 hours using a specified template. The standard also encourages financial institutions to share information on threats and trends to improve sector-wide resilience.

Mitigation requires defence-in-depth strategies, including multi-factor authentication (MFA), encryption, and access controls, to prevent unauthorised data access. Regular penetration testing and vulnerability assessments are mandatory to validate security controls, with swift remediation of weaknesses. A comprehensive incident response plan must outline procedures to contain, respond to, and recover from cyber incidents, minimising disruption and financial loss.

This applies to retirement funds and their service providers.

Lessons from Australian pension fund attacks

The urgency of Joint Standard 2 is underscored by recent cyber-attacks on Australian pension funds, which highlight the devastating potential of inadequate cybersecurity. In April 2025, coordinated credential-stuffing attacks targeted major Australian funds, compromising over 20,000 accounts and stealing approximately A$500,000. These attacks exploited weak authentication measures, with hackers using stolen passwords to access accounts, particularly those in the pension draw-down phase, which allows lump-sum withdrawals. The breaches caused widespread disruption, with members facing account lockouts and some seeing zero balances, eroding trust in the A$4.2 trillion retirement savings sector. Cybersecurity experts criticised the funds for not mandating MFA, a measure Joint Standard 2 enforces, emphasising the need for South African funds to implement robust safeguards to prevent similar losses and maintain member confidence.
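The credential-stuffing pattern described above leaves a recognisable signature in authentication logs: one source address cycling through many distinct member accounts in a short window, most attempts failing, and the occasional success completing without a second factor. The script below is an added illustration of the real-time anomaly detection the standard calls for, and is not code from the article, the FSCA, the PA or any fund; the log format, field names, sample records and thresholds are all assumptions constructed for this example.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example: flags source IPs that try many distinct usernames with a high
failure rate inside a sliding time window, and separately lists successful
logins that completed without an MFA step (the gap the Australian attacks
exploited). Log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp src_ip username result mfa_method
SAMPLE_LOG = """\
# 203.0.113.7 sprays eight accounts in ~20 seconds; one password works, no MFA
2025-04-03T02:00:01Z 203.0.113.7 member001 FAIL none
2025-04-03T02:00:04Z 203.0.113.7 member002 FAIL none
2025-04-03T02:00:07Z 203.0.113.7 member003 FAIL none
2025-04-03T02:00:10Z 203.0.113.7 member004 FAIL none
2025-04-03T02:00:13Z 203.0.113.7 member005 FAIL none
2025-04-03T02:00:16Z 203.0.113.7 member006 SUCCESS none
2025-04-03T02:00:19Z 203.0.113.7 member007 FAIL none
2025-04-03T02:00:22Z 203.0.113.7 member008 FAIL none
# 198.51.100.20 is a member who mistyped once, then logged in with TOTP
2025-04-03T08:15:00Z 198.51.100.20 member042 FAIL none
2025-04-03T08:15:30Z 198.51.100.20 member042 SUCCESS totp
# 192.0.2.55 fails against three accounts an hour apart: below threshold
2025-04-03T09:00:00Z 192.0.2.55 member100 FAIL none
2025-04-03T10:00:00Z 192.0.2.55 member101 FAIL none
2025-04-03T11:00:00Z 192.0.2.55 member102 FAIL none
"""


def parse(lines):
    """Parse whitespace-separated log lines into event dicts, skipping comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result, mfa = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "user": user, "result": result, "mfa": mfa,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_rate=0.8):
    """Return {ip: stats} for sources that, within any `window`, hit at least
    `min_users` distinct accounts with a failure rate >= `min_fail_rate`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        end = 0  # two-pointer sliding window over time-ordered events
        for start in range(len(evs)):
            while end < len(evs) and evs[end]["ts"] - evs[start]["ts"] <= window:
                end += 1
            span = evs[start:end]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if e["result"] == "FAIL")
            if len(users) >= min_users and failures / len(span) >= min_fail_rate:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(span), "failures": failures}
                break  # one hit per source is enough to raise the alert
    return flagged


def successful_logins_without_mfa(events):
    """List (ip, user) pairs that authenticated with a password alone."""
    return [(e["ip"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and e["mfa"] == "none"]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for ip, stats in detect_credential_stuffing(evs).items():
        print(f"ALERT credential stuffing from {ip}: {stats}")
    for ip, user in successful_logins_without_mfa(evs):
        print(f"WARN password-only login: {user} from {ip}")
```

Run against the constructed sample, the detector raises one alert (203.0.113.7: eight accounts, seven failures, one success) and one password-only login warning for the account it compromised, while the genuine member and the slow, low-volume failures stay quiet. The two checks complement each other: the first is the "real-time detection" the standard mandates, and the second measures how far a fund is from the MFA requirement it also imposes.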

Operational measures to prevent cyber attacks

To illustrate compliance with the standard, consider a hypothetical South African retirement fund, the Cyber-strong Retirement Fund. It embeds security-by-design principles in its IT systems, minimising vulnerabilities during development. Network security devices secure third-party connections, while data loss prevention measures protect member data. Cryptographic key management policies ensure secure encryption, and access to information assets is restricted to authorised users, with quarterly reviews of privileged access. Contracts with service providers mandate secure data handling and compliance, including data deletion upon contract termination. A data backup strategy enables rapid recovery after an attack.

To enhance resilience, the Cyber-strong Retirement Fund conducts continuous monitoring and biannual penetration testing, simulating real-world threats. These measures reduce the attack surface, aligning with the standard’s goal of preventing cyber incidents.

Trustee training requirements and importance

The standard holds the board of trustees accountable for compliance, even when cybersecurity is outsourced. Trustees must undergo ongoing cybersecurity training to understand evolving threats, regulatory requirements, and best practices, fulfilling their fiduciary duties under the Pension Funds Act. Training covers cyber risk governance, incident response, and the legal precedents that have highlighted liability for inadequate cybersecurity. Awareness programmes equip trustees to recognise phishing, deepfake scams, and AI-driven fraud, which is critical amid risks like those targeting the Two-Pot retirement system.

Ongoing training is vital as cyber threats evolve rapidly, ensuring trustees can oversee service providers and comply with the Protection of Personal Information Act (POPIA). Non-compliance risks personal liability for trustees, especially in cases of negligence leading to breaches or losses.

Insurance

Cyber insurance is a critical tool for retirement funds in South Africa to mitigate financial losses from cyber incidents, such as data breaches or ransomware, covering costs like legal fees, recovery expenses, and member compensation. Understanding policy details – specific coverage, exclusions, and conditions like timely reporting or security prerequisites – is essential to ensure adequate protection and avoid claim denials. However, while cyber insurance provides a financial safety net, it does not constitute compliance with Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements.

Conclusion

Joint Standard 2 of 2024 equips South Africa’s retirement funds to counter cyber threats through vigilant monitoring, robust mitigation, and operational safeguards. The Australian pension fund attacks serve as a stark warning, reinforcing the need for measures like MFA and proactive defences. Ongoing trustee training ensures fiduciary accountability in a dynamic threat landscape. As the 1 June 2025 deadline approaches, funds must align swiftly to protect members’ savings and maintain trust in an increasingly digital world.
