Copyright Page
IMF Country Report No. 22/181
SOUTH AFRICA
FINANCIAL SECTOR ASSESSMENT PROGRAM
TECHNICAL NOTE ON CYBERSECURITY RISK SUPERVISION AND OVERSIGHT
June 2022
This technical note on Cybersecurity Risk Supervision and Oversight was prepared by a staff team of the International Monetary Fund in the context of a joint IMF-World Bank Financial Sector Assessment Program (FSAP). It is based on the information available at the time it was completed in June 2021.
International Monetary Fund
Washington, D.C.
© 2022 International Monetary Fund
Title Page
SOUTH AFRICA
FINANCIAL SECTOR ASSESSMENT PROGRAM
June 2, 2022
TECHNICAL NOTE
CYBERSECURITY RISK SUPERVISION AND OVERSIGHT
Prepared By
Monetary and Capital Markets Department
This Technical Note was prepared in the context of the Financial Sector Assessment Program in South Africa during the June 2021 mission led by Jennifer Elliott, IMF, and Eva Gutierrez, World Bank, and overseen by the Monetary and Capital Markets Department, International Monetary Fund, and the Finance, Competitiveness and Innovation Global Practice, World Bank. It contains technical analysis and detailed information underpinning the FSAP’s findings and recommendations. Further information on the FSAP can be found at http://www.imf.org/external/np/fsap/fssa.aspx
Contents
Glossary
EXECUTIVE SUMMARY
INTRODUCTION
CYBERSECURITY RISK SUPERVISION AND OVERSIGHT
A. Overview of the South African Financial System
B. Institutional Structure for Cyber Resilience
C. Cybersecurity Risk Regulatory Framework and Supervisory Practice
D. Third-Party Vulnerabilities and Vendor Risk Management
E. Response and Recovery Capabilities
FIGURES
1. Systemically Important Financial Market Infrastructures in South Africa
2. Prudential Authority’s Regulatory Framework for Cyber for Financial Institutions
3. Prudential Authority’s Approach to Information Technology Risk Supervision
TABLE
1. Key Recommendations
ANNEXES
I. Commonly Used Terminology in Cyber (Cyber Lexicon)
II. Overview of Approaches to Cybersecurity Risk Supervision and Operational Resilience
Glossary
| Abbreviation | Definition |
| --- | --- |
| BCBS | Basel Committee on Banking Supervision |
| BCM | Business Continuity Management |
| BCP | Business Continuity Plan |
| CABS | Community of African Banking Supervisors |
| CCP | Central Counterparty |
| CERES | Central Bank and Regulator Supervisor Forum |
| CERT | Community Emergency Response Team |
| CLS | CLS Bank International |
| CPMI | Committee on Payments and Market Infrastructures |
| CRS | Cybersecurity Resilience Sub-Committee |
| CSD | Central Securities Depository |
| CSP | Critical Service Provider |
| DDoS | Distributed-Denial-of-Service |
| DD4BC | Distributed-Denial-of-Service for Bitcoin |
| FIC | Financial Intelligence Centre |
| FinStab | Financial Stability Department |
| FI | Financial Institution |
| FMI | Financial Market Infrastructure |
| FSC | Financial Stability Committee |
| FSCA | Financial Sector Conduct Authority |
| FS-ISAC | Financial Services Information Sharing and Analysis Center, Inc |
| FSCF | Financial Sector Contingency Forum |
| IOSCO | International Organization of Securities Commissions |
| IT | Information Technology |
| JSE | Johannesburg Stock Exchange |
| MI | Market Infrastructure |
| MISP | Malware Information Sharing Platform |
| NPS | National Payment System |
| NPSD | National Payment Systems Department |
| OSINT | Open-Source Intelligence |
| OTC | Over the Counter |
| PRA | Prudential Regulation Authority |
| PASA | Payments Association of South Africa |
| PCH | Payment Clearing House |
| PFMI | Principles for Financial Market Infrastructures |
| PS | Payment Systems |
| PSMB | Payment System Management Body |
| RAM | Risk Assessment Matrix |
| RTGS | Real-Time Gross Settlement |
| SABRIC | South African Bank Risk Information Centre |
| SADC-RTGS | South African Development Community Real-Time Gross Settlement |
| SAMOS | South African Multiple Option Settlement |
| SARB | South African Reserve Bank |
| SIFI | Systemically Important Financial Institutions |
| SIPI | Systemically Important Payment Systems |
| SSS | Securities Settlement System |
| SWIFT | Society for Worldwide Interbank Financial Telecommunication |
| ZAR | South African Rand |