In recent years, the rapid digitisation of financial services has increasingly heightened the vulnerability of financial institutions, including pension funds, to a growing array of cyber threats. These threats encompass not only data breaches but also sophisticated attacks that can compromise the integrity of financial operations. South Africa’s regulatory landscape has adapted to these pressing challenges by introducing the Joint Standard 2 of 2024 (“the Joint Standard”), a comprehensive framework specifically aimed at bolstering cybersecurity resilience within financial institutions such as pension funds.

Cybersecurity and Cyber Resilience Requirements (The Joint Standard)

The Joint Standard is a pivotal document that outlines critical requirements and best practices that financial institutions, including pension funds, must abide by to safeguard against cyber-attacks and to prepare them to recover from attacks. This is done by mandating that institutions implement certain cyber processes and have the right cyber protection tools and technologies in place. The framework in the Joint Standard establishes a robust defence mechanism against the evolving threat landscape. Successful implementation of the regulation is essential to ensure the security and integrity of the financial systems that underpin the country’s pension funds industry.

The Requirements for Pension Funds (and their board of Trustees) in terms of the Joint Standard

The Joint Standard is principle-based. Pension Funds must implement its requirements in accordance with their risk appetite, nature, size and complexity. The standard specifies information security measures that apply to all pension funds, highlighting the importance of a proactive approach to risk management.

The board of trustees is responsible for overseeing cybersecurity policies and ensuring that cybersecurity considerations are incorporated into the overall governance structure of the pension fund. In a nutshell, the board of trustees must:

  1. Ensure that the pension fund complies with the standard.
  2. Oversee cyber risk management.
  3. Establish a sound and robust cybersecurity strategy and framework.
  4. Collaborate with other stakeholders (such as fund administrators, investment managers, actuarial valuators, etc.) to ensure cyber resilience.
  5. Clearly define roles and responsibilities for cyber security in contracts and Service Level Agreements with third-party service providers.

The cybersecurity regulatory framework for pension funds in South Africa, particularly as articulated in the Joint Standard, represents a proactive and comprehensive approach to managing cybersecurity risks. By establishing clear guidelines for governance, risk management, incident response, and data protection, the standard aims to enhance the resilience of pension funds against cyber threats. Ensuring compliance with these regulations not only protects the interests of fund members but also contributes to the stability and integrity of the broader financial system. As the cyber threat landscape continues to evolve, ongoing adaptation and improvement of these standards will be crucial for maintaining trust and security in financial service management.

Possible consequences of non-compliance with the Joint Standard

The penalties for non-compliance with the Joint Standard can differ based on the regulatory framework and the circumstances of the violation. Possible consequences for pension funds that do not adhere to these regulations include regulatory sanctions (fines and penalties) by the Financial Sector Conduct Authority (FSCA), legal action from affected members or stakeholders, reputational damage with long-term financial implications, increased regulatory scrutiny and more frequent audits. Furthermore, the penalties could lead to additional operational burdens, and in some cases the regulator may impose mandatory remediation plans.

The Camargue Solution: Trustees Liability Policy and the Cyber Risk Endorsement

The Pension Fund board of trustees has an oversight duty and accountability in terms of the Joint Standard 2, and the insurance protection provided by the Camargue Pension Fund Trustees Liability Policy (“the Camargue Policy”) safeguards this obligation.

The Camargue Policy protects the fund and its officers (trustees, principal officer, information officer, treasurer, employee of the fund) for legal liability resulting from a claim following an alleged wrongful act. A wrongful act is any actual or alleged breach of duty, statutory duty or trust, neglect, error, misstatement, misleading statement, omission, defamation, injuria, unintentional breach of confidentiality or other act wrongfully committed, omitted or attempted by an officer and which arises by reason of them being an officer of the Pension Fund.

The Cyber Risk Endorsement in the Camargue Policy confirms this protection for the officers’ legal liability resulting from a claim following an alleged wrongful act arising from cyber-related incidents. This means that cyber-related claims against the insured are covered, provided that the insured is held liable for a loss as a result of a wrongful act. The Cyber Risk Endorsement is applicable to Pension Funds that have an administrator in place. Self-administered funds face different and higher risks as they manage their own systems and data, and should therefore take stand-alone Cyber risk cover.

While most pension funds do not operate their own hardware, software or store data, should there be a data breach, the officers cannot abdicate the responsibility for ensuring compliance. It is still their responsibility to oversee cybersecurity policies and ensure that cybersecurity considerations are incorporated into the overall governance structure of the pension fund. This means it is the duty of the officers to ensure that there are clearly defined roles and responsibilities for cyber security in the contracts and Service Level Agreements with third-party service providers. If they fail to do so and there are allegations of breach of duty or non-compliance, the Camargue Policy may respond subject to all terms and conditions of the policy being met.

The Cherry on top aka Risk Management Services

Camargue’s approach is not only to provide an insurance safety net against wrongful acts, but also to provide funds with tools that can minimise the risks that South African Pension Funds face. Camargue’s unique M³ approach to insurance is geared towards managing, mitigating, and migrating critical business risks – an outcome achieved through the provision of value-added risk benefits to policyholders.

In relation to cyber risk, the Camargue Policy comes with the following additional Risk Management Services available to all policyholders at no additional cost:

Cyber Vulnerability Scan (CVS)

A Cyber Vulnerability Scan (CVS) is an inspection of the potential weaknesses in the security of a computer network. Any weaknesses can then be remedied before they are discovered by someone else who might attempt to hack the fund’s systems. Think of it as checking the locks, alarm and motion detectors at your home or office. Camargue has partnered with cyber security experts Cybersafe Consultants, who provide the CVS.

Crisis Communication & Public Relations

In the event of a data breach requiring crisis management, this is likely to be handled by the administrator or the employer and would not necessarily require the input or involvement of the trustees. Nonetheless, the Camargue Policy provides an additional layer of proactive risk management which includes Crisis Communication: skilled support in managing public relations crises and avoiding online media disasters.

Camargue | FQ Conference – Cybersecurity: Contain or Fail 2025

All too often the appointed board of trustees does not have the knowledge and expertise to handle the various complexities of the pension fund, and instead third-party service providers are engaged to carry out the business of the fund. In this regard, Camargue offers trustee and principal officer education. We have one such training conference coming up. The conference is entitled “CYBERSECURITY – CONTAIN OR FAIL”. To register for the conference, you can click on the link here.