National Payment System Act, 1998 (Act No. 78 of 1998)

Notices

Directive in respect of Cybersecurity and Cyber-Resilience within the National Payment System

5. Directive

5.1 Payment institutions and operators must develop and maintain cybersecurity and cyber-resilience frameworks that include the following:

5.1.1 Cyber-governance

5.1.1.1 Payment institutions and operators must have effective written cyber-governance arrangements that:
a. define the cybersecurity and cyber-resilience objectives;
b. outline the people, processes and technology requirements for protecting information systems, managing cyber-risks, and providing timely communication and effective responses to, and recovery from, cyber-attacks;
c. require the board of directors (board) or senior management of the payment institution and the operator to:
i. determine the cyber-risk tolerance levels of the payment institution, operator, a payment, clearing or settlement system, or payment system FMI;
ii. approve the cybersecurity policies and strategy, and cybersecurity and cyber-resilience framework;
iii. oversee the development and implementation of the cybersecurity policies and strategy, and cybersecurity and cyber-resilience framework;
iv. ensure that there is an annual review of the cybersecurity policies and strategy, and cybersecurity and cyber-resilience framework;
v. ensure that the cybersecurity and cyber-resilience framework is aligned to the operational risk management framework, operational resilience plan and business continuity plan of the payment institution or operator;
vi. ensure that the cybersecurity and cyber-resilience framework is based on industry standards and international best practices, and complies with legislative and regulatory requirements;
vii. ensure that the cybersecurity and cyber-resilience framework clearly articulates the identification of cyber-risks and the required controls to manage and mitigate the cyber-risks;
viii. ensure the appointment of a senior executive and technical experts with the relevant skills, expertise and experience accountable for cybersecurity and cyber-resilience; and
ix. ensure that the cybersecurity and cyber-resilience framework makes provision for information sharing and collaboration, where necessary, with the SARB and other relevant payment industry stakeholders in terms of applicable laws.
d. require the senior management of the payment institution or the operator to:
i. regularly keep the board informed and updated on the cybersecurity and cyber-resilience status of the payment institution, operator or payment system FMI, and report any material developments relating to cyber-threats within the NPS;
ii. ensure that the payment institution, the operator or payment system FMI complies with this directive and any other applicable cyber-resilience legislation and regulations;
iii. ensure that the payment institution or operator conducts due diligence on the entities they introduce or sponsor, or admit as participants in the NPS;
iv. ensure that the payment institution conducts third-party risk assessments on third-party service providers prior to onboarding as well as on an annual basis; and
v. ensure that the roles and responsibilities in respect of cybersecurity and cyber-resilience are clearly outlined in agreements entered into with third-party service providers.

5.1.2 Identification of critical operations and information assets

5.1.2.1 Payment institutions and operators must:
a. identify critical technology, operations, processes, supporting information and assets that require protection against cyber-compromise;
b. identify internal processes, procedures, information assets and external dependencies that will strengthen the security and resilience to cyber-threats of the payment institution or operator, including:
i. the identification, classification and prioritisation of technology, processes and information assets in terms of criticality, sensitivity and function, following a risk-based approach, to ensure that protective, detective, response and recovery efforts are facilitated in a timely manner;
ii. the identification of technology, information assets, system configurations and access rights to information assets;
iii. the regular review and updating of critical business processes that will ensure that information remains current and accurate;
iv. the identification of cyber-risk interconnectedness within the NPS; and
v. the identification of access rights to information assets by third-party service providers.

5.1.3 Cybersecurity measures

5.1.3.1. Payment institutions and operators must ensure that cybersecurity frameworks include security controls, processes and systems that effectively protect and safeguard the confidentiality, integrity and availability of the services provided, as well as the information handled by payment institutions, operators, payment, clearing or settlement systems, or payment system FMIs. These measures should, however, be proportionate to the threat landscape, risk tolerance and systemic role in the NPS of the payment institution, operator, payment, clearing or settlement system, or payment system FMI, and must include the following:
a. the embedding of protective controls that minimise the likelihood and impact of a successful cyber-attack on identified critical business functions and information assets;
b. the development and implementation of measures to protect critical and sensitive information, which should, at a minimum, include access control, multi-factor authentication (MFA) or encryption;
c. the development and implementation of protective measures to mitigate risks arising from the interconnectedness with other payment institutions, operators, payment, clearing or settlement systems, or payment system FMIs within the NPS;
d. the development and implementation of measures that mitigate cyber-risk and address anomalous behaviour by staff with access to the system;
e. the continuous training of all relevant staff to develop and maintain awareness and to ensure that staff are knowledgeable in detecting and addressing cyber-risk;
f. the development and design of cyber-secure and cyber-resilient payment instruments and services that ensure that software, network configurations and hardware supporting or connected to critical systems are tested against security standards and cyber-attacks;
g. the development and implementation of cyber-hygiene measures that include the following:
i. ensure that access management policies and processes include strong password security controls, access rights and privileges, MFA and periodic access reviews;
ii. ensure that third-party service providers that have access to the information assets of payment institutions, operators, payment, clearing and settlement systems, or payment system FMIs are subject to access restrictions and monitoring;
iii. establish processes to manage access to privileged accounts and monitor the use of IT systems for suspicious and unauthorised activities;
iv. implement MFA for access to critical systems and for accounts used to access payment institutions’ or operators’ sensitive information through the internet;
v. ensure the implementation of network perimeter defence controls;
vi. implement multiple-layer security controls to curb the effect of security compromises;
vii. ensure the application of security patches to address vulnerabilities of systems;
viii. ensure that security patches are tested and compatible with existing IT systems;
ix. ensure there are security standards applicable to software, systems and devices;
x. develop processes to monitor the application of security standards and ensure that the standards are continually reviewed for relevance to an evolving threat landscape;
xi. implement malware protection through defence and response mechanisms; and
xii. ensure regular scanning of information assets for malicious activities;
h. the development and implementation of data security measures that include the following:
i. data loss prevention policies which should include measures that will enable the payment institutions or operators to detect and prevent the unauthorised access and transmission of sensitive data;
ii. ensuring the encryption of data storage systems and endpoint devices to protect sensitive data; and
iii. ensuring that IT systems that are managed by third-party service providers are protected and subject to security standards.

5.1.4 Detection

5.1.4.1. Payment institutions and operators must ensure that cyber-resilience frameworks include cyber-attack trigger points and detection measures to continuously detect and monitor anomalous events and activities. The cyber-attack detection measures must include the following:
a. multi-layered trigger indicators and detection controls that accommodate processes, people and technology, ensuring that each layer serves as a safety net; and
b. security measures that identify and facilitate the analysis of irregular behaviour by persons with access to the payment institution or operator’s information assets and network.

5.1.5 Response and recovery

5.1.5.1. Payment institutions or operators must have arrangements in place designed to enable the resumption of critical operations safely and swiftly, including:
a. early detection of cyber-attack attempts and/or successful cyber-attacks;
b. immediate initiation of recovery efforts to restore operations upon detection of a successful cyber-attack;
c. incident response processes to ensure that there is efficient recovery from incidents that could not be prevented;
d. adequate measures in place, including the design and testing of systems, to enable the return and resumption of critical operations within two (2) hours, or within any extended timelines approved in advance by the SARB, for payment, clearing and settlement systems and payment system FMIs; within the timelines specified by the PSMB for payment institutions that are members of, registered with or authorised by the PSMB; or within the timelines specified by operators of payment, clearing and settlement systems for payment institutions that participate in such systems, which shall not, without prior approval by the SARB, exceed eight (8) hours of recovery/resumption time for all payment institutions;
e. recovery measures, upon detection and investigation of a cyber-attack, are in place that enable compliance with payment and settlement obligations to minimise the likelihood of a systemic event;
f. planning for extreme scenarios, including an analysis of critical functions and interdependencies to prioritise resumption and recovery actions in a contingency mode while remedial efforts are in progress where the resumption of critical operations may not be possible within two (2) hours;
g. developing and testing response, resumption and recovery plans on a quarterly basis;
h. continuous update of plans based on information sharing, current cyber-threat intelligence and information from previous cyber-events;
i. the inclusion of third-party management plans in their cyber-resilience frameworks to provide for the following:
i. extensive due diligence to evaluate the cyber-resilience measures that relevant third parties have in place;
ii. an assessment of the criticality of processes that may be outsourced prior to entering into envisaged outsourcing contracts;
iii. obtaining independent security attestation reports from third parties as an additional layer of assurance of the security posture of the third-party service providers; and
iv. implementing and testing their business continuity plans and ensuring coordination with the third-party service providers for their business continuity.
j. in the event of outsourcing to a cloud service provider (CSP), ensure compliance with any regulatory requirements imposed by the SARB relating to cloud computing and data offshoring in the NPS, including adherence to the following principles:
i. identify, monitor and mitigate any jurisdiction risk relating to the data transmitted, stored and processed in the cloud; and
ii. the payment institution shall remain accountable for the data stored and processed, and for the overall security and resilience of the solutions developed on the cloud.

5.1.6 Testing

5.1.6.1. Payment institutions or operators must develop and implement cyber-resilience testing programmes and methodologies which include the following:
a. different test scenarios and simulations of various cyber-attacks;
b. internal and external penetration testing on systems and processes through the simulation of cyber-attacks on their systems with relevant stakeholders, including critical service providers, in order to identify the vulnerabilities in their systems;
c. testing of systems after implementation of significant system changes to identify any security vulnerabilities due to a system change; and
d. regular vulnerability assessments that enable the identification and assessment of security vulnerabilities in the systems.

5.1.7 Information sharing

5.1.7.1. Payment institutions or operators must:
a. include in the cybersecurity and cyber-resilience frameworks the access to, collection of, and sharing or exchange of cyber-threat and cyber-risk information with regulators and cybersecurity agencies, and with trusted internal and external parties;
b. plan arrangements for information sharing through trusted channels;
c. participate in information-sharing groups and organisations such as the Cybersecurity Hub and Computer Incident Response Teams to assist the payment institution or operator in gathering, distributing and assessing information about cyber-practices, cyber-threats and early warning indicators relating to cyber-threats;
d. ensure that information-sharing arrangements comply with the Protection of Personal Information Act 4 of 2013 and/or any other applicable data protection legislation, and that the personal data of clients of payment institutions or operators is protected and not compromised during the information-sharing process; and
e. ensure that information-sharing arrangements comply with relevant provisions of the Cybercrimes Act 19 of 2020 relating to the disclosure of information.

5.1.8 Situational awareness

5.1.8.1. Payment institutions or operators must:
a. understand the cyber-threat landscape of the environment within which they operate, and the adequacy of their risk mitigation measures;
b. develop cyber-threat intelligence processes that include gathering and analysing cyber-threat information to identify the potential impact of cyber-threats on the payment institution or systems, payment, clearing or settlement systems, or payment system FMIs and promote cyber-situational awareness; and
c. ensure that the scope of the cyber-threat information gathering process includes the collection and interpretation of information about cyber-threats arising from other payment institutions, operators, payment, clearing or settlement systems, or payment system FMIs, to enable the identification of cyber-threats emanating from those parties and the development of relevant detection, protection and recovery measures.

5.1.9 Learning and evolving

5.1.9.1. Payment institutions or operators must:
a. ensure that cybersecurity and cyber-resilience frameworks are adaptive and evolve with the dynamic nature of cyber-risk, to identify, assess and manage security threats;
b. ensure continuous learning from previous cyber-incidents and events to ensure that their security systems are improved to increase resilience;
c. keep abreast of new cyber-risk management processes and continually monitor technological developments that effectively counter existing and emerging forms of cyber-attacks; and
d. ensure there are reasonable measures to include predictive and anticipatory capabilities that extend beyond reactive controls and include proactive protection against future cyber-events in the risk management practices.

5.2 Cyber-incident reporting requirements

5.2.1 Payment institutions or operators must report material cyber-incidents to the SARB within 24 hours and provide the SARB with a report within 48 hours of the cyber-attack. The report must include the:
a. date and time of the incident;
b. cause and source of the incident;
c. type and nature of the incident;
d. impact on the provision of services;
e. expected recovery period;
f. impact on stakeholders;
g. improvement action plan;
h. possible systemic effect of the incident on other payment institutions, operators, payment, clearing or settlement systems, or payment system FMIs; and
i. any other information as may be requested by the SARB relating to the cyber-incident.

5.2.2 Payment institutions or operators must provide regular updates to the SARB, as well as further details once the incident has been remediated and operations have resumed.