FSCA JOINT STANDARD 2 OF 2024: CYBERSECURITY AND RESILIENCE

ONGOING REQUIREMENTS FROM RETIREMENT FUNDS AND TRUSTEES

Although Joint Standard (JS) 2 of 2024 took effect on 1 June 2025, ongoing compliance requires continued efforts beyond the implementation date. JS 2 of 2024 outlines specific obligations for financial institutions, like retirement funds, to make sure they stay compliant with cybersecurity and cyber resilience standards. It goes to great lengths to set out detailed roles and responsibilities to safeguard members from potential cyber threats, attacks and/or breaches.

Trustees must be aware that if they have drafted a policy and ticked the corresponding box, that is not the end of the story; ongoing responsibilities are still required. We have summarised below the trustees’ ongoing responsibilities:

1. Review the fund’s cybersecurity strategy

The fund’s cybersecurity strategy must be reviewed at least annually to:

    • address changes in the cyber threat landscape; and
    • incorporate cyber risk management into the fund’s governance structures with independent oversight; and
    • ensure that it remains aligned with the fund’s other policies and other applicable laws (for example, the Protection of Personal Information Act).

2. Update policies, processes and controls

The fund’s cybersecurity policies, standards, processes and procedures must be continuously updated to reflect evolving risks, updates in technology and increased sophistication of cyber threats, including the ability to recover from cyber events.

3. Conduct regular testing and assurance

The fund must undertake systematic testing, ongoing monitoring and validation of its cybersecurity measures to evaluate the effectiveness of its security controls, including regular penetration testing, vulnerability assessments and other cybersecurity exercises to identify and address weaknesses.

4. Incident management and reporting

Retirement funds must maintain effective detection and response capabilities, including the ability to manage and mitigate cyber incidents.

Funds are required to notify the FSCA or Prudential Authority of material cyber incidents within 24 hours, using the prescribed template.

5. Ongoing training and awareness

Ongoing trustee training is mandatory to make sure trustees remain abreast of evolving cyber risks and incidents. Training programmes must be relevant in the rapidly changing fintech landscape.

6. Governance and oversight

Ongoing reporting is required to ensure that the trustees, or a relevant sub-committee, are kept meaningfully informed of the fund’s cybersecurity and resilience position.

7. Third-party risk management

Funds must conduct ongoing monitoring of third-party service providers to manage supply chain vulnerabilities. This includes maintaining an inventory of critical service providers and ensuring business continuity plans are in place.

8. Continuous improvement

The regulators expect retirement funds to continuously improve their cybersecurity and cyber resilience practices, adapting to new threats and regulatory guidance. This includes integrating lessons learned from incidents, either their own or incidents in the wider industry.

Remember, your retirement fund is a financial institution as defined and runs the risk of incurring administrative penalties if it does not comply with JS 2 of 2024. Your fund administrators are referenced separately, and they must also comply with JS 2 of 2024. The FSCA has specifically noted that retirement funds cannot simply rely on their administrator’s cybersecurity controls alone.

Stay Compliant. Stay Secure.
If you’re unsure about your fund’s compliance with FSCA Joint Standard 2 of 2024 or need support in strengthening your cybersecurity governance, contact us today. Our team is ready to assist trustees and retirement funds in meeting their ongoing obligations with confidence and clarity.
