
The Joint Standard 2 for Cyber Security and Resilience – beneficial or burdensome?

Abstract

The FSCA’s mandatory Joint Standard 2 for Cyber Security and Resilience has received a mixed reception in the financial sector. From Big Business to SMEs, South Africa’s increasingly complex regulatory environment is increasing costs and straining resources. The flip side of this equation is South Africa’s rising cyber vulnerability and the damaging effect of cyber crime on GDP and consumers. In the absence of any discernible national cyber security interventions, the JS2 regulators would have recognised that, for financial sector stability, something had to be done.

Is the JS2 the answer? It’s probably too soon to tell – but here’s what we know so far.

Beneficial or burdensome?

In May 2024, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the Joint Standard 2 of 2024 – “Cyber Security and Cyber Resilience” (JS2). While this fundamental initiative went largely unnoticed in terms of national headlines, it constituted a quantum leap in South Africa’s cyber security eco-system.

The introduction of the JS2, which came into effect on 1 June 2025, is a sectoral first in terms of mandated sector-wide cyber security standards. The ambit of the JS2 is wide, applying to almost all financial institutions, from banks, insurers and pension funds through to credit rating agencies and FSPs. The JS2 and its predecessor, the Joint Standard 1 of 2023 for IT Governance and Risk Management (JS1), are indicative of a concentrated focus on digital risk, resilience and governance by the sector’s Regulators and the SA Reserve Bank.

Why the Joint Standard 2?

Many entities in the financial sector regard the Joint Standards as burdensome, requiring yet more resources to operationalise and maintain. Implementing and meeting the standards is a demanding process, requiring levels of expertise that most companies do not have in-house.

The flip side of the equation is that the regulatory intervention is critical to safeguard consumers and business continuity, protect data assets and build investor confidence. South Africa reflects significant levels of accumulated cyber security risk due to long-term underinvestment in cyber security and a strategic deficit outside of the major corporates. This risk is further amplified for both consumers and companies during an adverse cyber event, as there is no national cyber security centre to help or provide remediation advice.

The JS1 and JS2 intervention is therefore crucial in building out sectoral cyber security resilience, thereby reducing cyber risk at a systemic level as opposed to purely at an organisational level. The systemic dimension is fuelled by improved sector-wide cyber awareness, a mandated minimum cyber security standard across the board, improved security governance and third-party scrutiny.

That being said, it is essential to recognise that, for smaller entities in particular, the deployment and implementation of the JS2 can be onerous and complex, particularly when being rolled out under regulatory time pressures. Hopefully, the regulators are conscious of these challenges and will adopt an empathetic approach during what is turning out to be a protracted period of JS2 adoption on the ground.

Implementing the JS2 – common organisational challenges

The Cyber Security Institute has assisted many entities, ranging from the enterprise level to micro businesses, in achieving JS1 and JS2 compliance. For CSI, working across the financial sector over the past 15 months on both standards has provided us with specific insights into sectoral-level security challenges.

Some of our key takeaways are:

  • SMEs experience significantly more difficulty in fully implementing the JS2. The overarching reason for this is that SMEs seldom have an in-house security team. Some make use of external security partners, but these are typically engaged for technical and monitoring solutions and not for security governance functions. The introduction of the Joint Standards has changed that, with cyber security risk and compliance now becoming a focus point.
  • Many companies genuinely didn’t know how to get started. The JS2 is not straightforward to implement and requires the establishment of measurable security controls.
  • Critical security governance is often overlooked, with some companies assuming that the deployment of technical interventions is sufficient. Achieving good governance is further impacted by sub-optimal policy architectures in organisations.
  • Security awareness programmes are often lacking in SMEs.

On the upside we found positives too:

  • Since embarking on the JS2 pathway, more companies take cyber risk seriously and are willing to go the extra mile to enhance their security and resilience.
  • For many entities, increased cyber security expenditure over the medium term was probably an unforeseen grudge purchase. However, with the JS2 bringing greater organisational cyber risk awareness and vulnerability visibility, an increase in future expenditure by SMEs is foreseeable.
  • Across the board, the people we worked with were dedicated and committed to implementing the JS2. Overall, they demonstrated a keen interest in building their organisation’s security posture.
  • While regulatory compliance has driven companies to build out their security programmes, they also displayed a genuine will to grow their cyber security programmes beyond compliance.

The really hard part – third-party risk management

For large or small entities, third-party risk management (TPRM) is undoubtedly the single biggest security hurdle. In terms of building a more secure financial sector eco-system, this is a critical element of the JS2. Each third-party actor presents an unquantified potential liability and risk to an organisation. The regulators have responded to the fact that multiple previous breaches by third-party actors in the sector (in this case various credit bureaus) have resulted in millions of South African citizens’ highly personal data finding a permanent home on the dark web.

Many companies in the sector have hundreds of third-party links. This makes getting to grips with the cyber security maturity of each third party a very large undertaking, to put it lightly! Implementing a successful TPRM programme therefore takes major time and effort. From our experience, a substantial number of third parties are either unresponsive or minimally responsive, whilst others are naturally guarded, all of which complicates the TPRM process further. Against this background, many companies are finding out that their SLAs with suppliers are woefully insufficient to cover cyber and data risk. Suffice to say that building digital supply chain trust and integrity was always going to be a difficult exercise.

The scale and criticality of TPRM makes it a resource-intensive operation for all organisations. Going forward, we foresee that the ongoing management and reporting of third-party risk will become a predominant cyber security theme in all sectors with regard to both security and data privacy.

Getting the most from the Independent Review

The Independent Review is the final step towards complying with the JS2. According to CSI’s Director, Prof Elmarie Biermann: “It is vital that entities engage a credible provider with the necessary expertise and proven track record in the implementation of ISO/IEC 27001, the NIST Cyber Security Framework, the JS2 and POPIA for this process.”

The Independent Review entails three major aspects: firstly, an in-depth review of your company’s governance framework, including policies; secondly, an assessment of your cyber security controls and their maturity; and finally, your third-party risk assessment. The findings in the review report will highlight areas of strength, areas of weakness and priorities for remediation. An expert assessment will indicate what actions need to be taken to improve the maturity of your cyber security programme. As the assessment is an annual exercise, building a sound relationship with the team conducting it will ensure the annual reviews become an easier, more frictionless process over the ensuing years.

Futureproofing your cyber security programme – the JS2 lowdown

Apart from meeting regulatory prescriptions, being JS2 compliant offers several advantages for organisations. These range from enhanced reputation and stronger client relationships to operational resilience and leveraging competitive advantage through good governance.

The JS2 is, however, not a one-and-done exercise, and the implementation challenges, together with third-party risk management and the ongoing monitoring and reporting requirements, demand significant effort and skill. It is therefore advisable to seek expert advice. Timely investment in governance and compliance technologies will streamline and support the processes required to achieve and maintain compliance with both the JS1 and JS2 Standards.

Editor’s note:

The Cyber Security Institute is a well-established information security company which is renowned for its high levels of expertise and client care. CSI specialises in information security Governance, Risk and Compliance consulting and cyber security training. Our highly regarded security consultancy to the public and private sectors provides expert leadership in ISO 27001, NIST CSF, the JS1 & JS2 Standards and Data Privacy regulations.

The CSI Academy offers fully accredited, bespoke cybersecurity training programs, offered in partnership with universities. CSI also offers the full range of PECB Certifications.

CSI is the proud host of the annual Southern Africa-Netherlands Cyber Security Talent Accelerator and the Cyber Range partner to the Arctic University of Norway & Stellenbosch University.


Written by: Noëlle van der Waag-Cowling, Strategy and Innovation Officer, Cyber Security Institute

Certificate in Cyber Security

Course Details

This practical, hands-on course focuses on establishing a foundation in Cyber Security by introducing candidates to cyber-crime, attack methods, and managing cyber risks.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for individuals embarking on a career in Cyber Security or performing security functions.

Requirements

Applicants should have a Matric certificate or equivalent qualification with suitable IT knowledge, Internet access, and a PC or laptop on which applications can be installed and services accessed.

Costs:

R12,500 all inclusive

Duration:

5 months

Intake:

We have two main intakes, one at the end of February and another at the end of June. Additional intakes may be scheduled depending on application volumes and requirements.

Course Overview:
Cyber-crime
  • Introduction to cyber-crime
  • Cyber-attack methods (e.g., ransomware, sextortion, email fraud)
  • Cyber criminology (actors behind the attacks, criminal networks, state-sponsored entities, etc.)
  • Tracing the online trail
  • Dark web (criminal forums)
  • Case studies of attacks in SA and globally
  • Crime-as-a-Service
  • Internet of (Criminal) Things.
Practical Cryptography
  • Introduction to cryptography.
  • Encryption and Decryption.
  • Hash functions
  • Blockchain
  • Virtual Currencies
  • Digital signatures
  • Digital certificates
  • Cryptographic Protocols (SSL, SSH, etc.)
Cyber Governance, Risk & Compliance
  • Overview of cyber governance, risk, and compliance
  • POPIA & GDPR
  • Data Privacy
  • Policies in action
  • NIST, ISO27001
  • Controls
  • Planning for contingencies
  • Developing the security program
  • Risk analysis and management
Cyber Intelligence
  • Introduction to Cyber Intelligence
  • Attack Tools
  • Attack process
  • Reconnaissance and Footprinting
  • OSINT services and tools
  • Threat and vulnerability feeds and assessments

Cyber Investigations

Course Details

This course is suitable for investigators and investigation teams within the corporate environment and public sectors who are required to track online trails or utilise tools to solve online crimes. It is also intended for professionals and investigative journalists involved in investigations such as fraud, espionage, data theft, and cyber vetting.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for investigation officers, cyber-crime investigators, investigative journalists, etc.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Although a formal IT qualification or certification is not required, some knowledge of computer systems would be beneficial. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R12,500 all inclusive

Duration:

5 months

Intake:

Applications are accepted throughout the year, with course starting dates in February, May, and August.

Course Overview:
  • Reconnaissance
  • Online services and tools
  • Metadata Encryption & Decryption
  • Digital signatures
  • Online investigations
  • Crime Scene Management
  • Documenting evidence
  • Investigation Process
  • Chain of Evidence
  • Protocols and emails
  • URLs & DNS information
  • Timelines
  • Decryption and deciphering
  • Virtual Currencies
  • Cyber criminology
  • Introduction to the attack process
  • Introduction to attack vectors
  • Social networks (i.e., attacks via Facebook, Twitter, etc.)
  • Dark and hidden web
  • Threat actors
  • Data Collection
  • Social Media
  • OSINT
  • HUMINT
  • SOCMINT

Cyber Intelligence

Course Details

The main objective is to equip delegates with the necessary competencies and practical skills to assist in compiling an intelligence-driven cyber security strategy to provide proactive solutions to a plethora of cyber threats.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for persons responsible for the security function, CISOs, as well as Data Protection Officers.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Although a formal IT qualification or certification is not required, some knowledge of computer systems would be beneficial. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R12,500 all inclusive

Duration:

5 months

Intake:

Applications are accepted throughout the year, with course starting dates in February, May, and August.

Course Overview:
  • Cyber Security Environment
  • Cyber Landscape
  • Cyber Threats and Exploits
  • Cyber Actors and Criminology Aspects
  • Obtaining Data
  • Sources of Data
  • Collection Operations
  • Applications, Tools, and Services
  • Analysis of Cybercriminals’ Modus Operandi
  • Analysis Techniques (Data to Information)
  • Indicators of Compromise
  • Cyber Intelligence
  • Intelligence Platforms, Applications, and Services
  • Data – Information – Intelligence
  • Intelligence Strategy
  • Incident Management
  • Cyber Warfare
  • Political and Commercial
  • Developing an Intelligence-Driven Strategy
  • Strategic and Tactical Intelligence Function
  • Risk Management

Cyber Governance

Course Details

Establishing a security strategy and defining a suitable implementation plan focused on managing cyber risks in a volatile and dynamic environment requires a solid understanding of the threat space and frameworks. This course unpacks cyber governance and approaches to manage risk and adhere to compliance regulations.

Mode of Offering: The course is presented via facilitated e-learning, utilising an e-learning platform and virtual classes.

Intended Audience:

This course is designed for Managers and C-Suites responsible for security, Board members, as well as prospective leaders in the Cyber Security space.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Although a formal IT qualification or certification is not required, some knowledge of computer systems would be beneficial. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R12,500 all inclusive

Duration:

5 months

Intake:

Applications are accepted throughout the year, with course starting dates in February, May, and August.

Course Overview:
  • Security Management Program
  • Cyber-crime
  • Threat Environment
  • Cyber Criminology
  • Regulations – GDPR, POPI, Electronic Act, PCI-DSS
  • Skills Frameworks
  • Cyber Awareness Programs
  • Risk management
  • Controls – Choice, Implementation, and Management
  • Security Frameworks and Models
  • Policies and Procedures
  • Data Protection
  • The road to ISO 27001 Compliance and Certification

IT and Cyber Security Program

Course Details

Our courses combine essentials from both industry and academia to provide valid, unique, practical content that is innovatively presented via facilitated e-learning.

The IT and Cyber Security Program is a practical course consisting of coursework, virtual classes, and practical cyber range exercises.

Mode of Offering: Learning will be conducted through a facilitated online format, utilising an e-learning platform to provide an interactive and engaging educational experience. Additionally, hands-on practical sessions and virtual labs will be conducted every Friday from 9:00 AM to 12:00 PM, offering participants the opportunity to apply theoretical knowledge in a real-world context. This blend of online facilitated learning and scheduled virtual sessions aims to create a comprehensive and dynamic learning environment, ensuring a well-rounded educational experience for participants.

Intended Audience:

This course is designed for school leavers, those on a gap year, graduates looking to add industry credentials, and individuals looking to make a career change.

Requirements

Applicants should have a Matric certificate or equivalent qualification. Internet access and a PC or laptop on which applications can be installed and services accessed are required.

Costs:

R31,350 all inclusive

Duration:

12 months

Intake:

25 February 2026

Course Overview:
IT Foundation for Cyber Security
  • IT Hardware Fundamentals
  • Network Fundamentals
  • Introduction to Operating Systems (Windows and Linux)
  • Introduction to Cloud Computing (Office 365 and MS Azure)
  • Protocols
  • Technical Research and Writing
  • Algorithms and Problem Solving
  • File and Database Systems
  • Scripting
  • New Technologies: AI and Quantum Computing
  • Soft Skills
Certificate in Cyber Security
  • Cyber Security Fundamentals
  • The Cybercrime Eco-System
  • Actors in Cyber Space – State and Non-State Actors
  • Cyber Incidents: Attacks, Breaches, and Espionage
  • Understanding Tactics, Techniques, and Procedures (TTPs) using the MITRE ATT&CK Framework
  • Cryptography (Symmetric/Asymmetric/Hashes)
  • Secure Protocols
  • Reconnaissance and OSINT (Open-Source Intelligence)
  • Cyber Security Frameworks and Standards: Introduction to the NIST CS Framework and ISO 27000 Series
  • Cyber Risk Management, Cyber Governance, and the Implementation of Security Controls
Facilitated online course with virtual classes, and practical training and skills development on the cyber range platform.