In the ever-evolving landscape of financial regulation, the Financial Sector Conduct Authority and the Prudential Authority have introduced two pivotal standards aimed at enhancing the robustness of financial institutions’ IT frameworks. These are the Joint Standard 1 of 2023 – IT Governance and Risk Management Requirements, published in November 2023, and the Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience Requirements, published in May 2024.

Financial institutions will have embarked on their compliance journey with Joint Standard 1, which comes into effect on 15 November 2024. This standard focuses on establishing comprehensive IT governance and risk management protocols. Following this, Joint Standard 2, which will come into effect in June 2025, aims to bolster cybersecurity and cyber resilience measures.

Below is a table summarising the key differences between these two standards:

Each row below compares the two standards: the first column is IT Governance and Risk Management (Joint Standard 1 of 2023), the second is Cybersecurity and Cyber Resilience (Joint Standard 2 of 2024).

Who must comply
Joint Standard 1 of 2023: Banks and related entities, insurance entities, managers of collective investment schemes, market infrastructures, discretionary and administrative FSPs.
Joint Standard 2 of 2024: While the same entities are included, Joint Standard 2 of 2024 also includes additional entities such as pension funds and administrators, OTC derivative providers, registered credit rating agencies, and Category I FSPs, reflecting a broader scope in the context of cybersecurity and cyber resilience.

Scope and Focus
Joint Standard 1 of 2023: This standard primarily focuses on the governance and risk management aspects of IT within financial institutions. It outlines the principles and minimum requirements for IT governance and risk management. The emphasis is on establishing a robust IT strategy and risk management framework, and on ensuring the continuous oversight of IT operations.
Joint Standard 2 of 2024: In contrast, this standard is dedicated to cybersecurity and cyber resilience. It addresses the specific requirements for protecting IT systems and information assets from cyber threats. The focus is on establishing a cybersecurity strategy, implementing cybersecurity hygiene practices, and ensuring the institution’s ability to respond to and recover from cyber incidents.

Governance and Roles
Joint Standard 1 of 2023: Overall responsibility for compliance with this standard is assigned to the governing body of the institution. The standard mandates the governing body and senior management to ensure the establishment and maintenance of a sound IT risk management framework and IT strategy. It emphasises the roles and responsibilities of all management, execution, oversight, and control functions in managing IT risks.
Joint Standard 2 of 2024: This standard also places the ultimate compliance responsibility on the governing body but extends the focus to include the oversight of cyber risk management (although primary oversight may be delegated to an existing or new committee). It requires that cyber and information security function(s) be established with adequate resources and authority, and that cyber risk management be integrated into the overall governance and risk management structures.

Strategy and Framework
Joint Standard 1 of 2023: Financial institutions are required to develop an IT strategy that aligns with their overall business strategy. The IT strategy must be reviewed regularly (at least once a year) in consideration of market, industry, technology and other relevant developments. A financial institution must:
- develop and communicate action plans to achieve its IT strategy, reviewing them at least quarterly for relevance;
- implement processes to monitor and measure the effectiveness of the IT strategy; and
- notify the responsible authority if any deviations from the IT strategy that may violate financial sector laws are discovered, following the specified form, manner, and timeframe.
Joint Standard 2 of 2024: Here, the requirement is to establish a cybersecurity strategy that is also aligned with the business strategy but with a specific focus on addressing changes in the cyber threat landscape. The cybersecurity framework must include policies, standards, processes, and procedures informed by industry standards and best practices. It must be reviewed regularly (at least annually) for adequacy and effectiveness through an independent review.

Risk Management
Joint Standard 1 of 2023: The IT risk management framework must incorporate policies, standards, and procedures for managing IT risks, identifying and prioritising IT assets, and implementing risk mitigation strategies. It also includes periodic updates and monitoring of risk assessments.
Joint Standard 2 of 2024: This standard requires a more detailed approach to cyber risk management, including identity and access management, data security, application and system security, network security, and cryptography. It also mandates regular vulnerability assessments, penetration testing (at least once a year), and simulation exercises to ensure the effectiveness of cybersecurity controls. Financial institutions must ensure that their cyber risk management practices include not only reactive controls but also proactive measures to protect against future cyber events.

Incident Response and Recovery
Joint Standard 1 of 2023: The focus is on ensuring IT resilience and business continuity. Financial institutions must define system recovery and business resumption priorities, establish disaster recovery sites, and conduct business impact assessments. The standard also requires regular testing of the institution’s backup and restoration procedures, at least once a year.
Joint Standard 2 of 2024: This standard goes further by requiring the implementation of capabilities to rapidly respond to and recover from cyber-attacks, as well as mitigating the potential systemic risks. It mandates the establishment of a cyber incident response and management plan, data backup strategies, and clear communication strategies for impacted financial customers.

Assurance and Reporting
Joint Standard 1 of 2023: Financial institutions must ensure independent reviews of their IT risk management practices and report any material incidents to the responsible authority. The standard also requires maintaining an IT assurance plan to evaluate the adequacy and effectiveness of IT systems and controls.
Joint Standard 2 of 2024: Similarly, this standard requires independent reviews of cybersecurity practices and mandates reporting of material cyber incidents and information security compromises. It also emphasises the need for continuous improvement through learning and evolving with the dynamic nature of cyber risks.

Third Party Management
Joint Standard 1 of 2023: This standard specifies that the IT risk management framework must incorporate (amongst other things) people management processes in relation to IT staff, service providers and contractors to ensure: careful screening and selection; that they are fit and proper and have the requisite technical knowledge; and that they are contractually required to protect sensitive or confidential information and are provided with regular, updated training.
Joint Standard 2 of 2024: The governing body is required to ensure that roles and responsibilities for security are clearly defined in the contract or service level agreement with third-party service providers. Additionally, a financial institution must subject third-party service providers and contractors who are given access to its IT systems and information assets to the same monitoring and access restrictions as the financial institution’s employees.

Conclusion

While both Joint Standard 1 of 2023 and Joint Standard 2 of 2024 aim to enhance the IT frameworks of financial institutions, they do so from different angles. The former focuses on the broader aspects of IT governance and risk management, ensuring that financial institutions have robust IT strategies and risk management frameworks. The latter zeroes in on cybersecurity and cyber resilience, addressing the specific threats posed by the cyber landscape and ensuring that institutions can effectively respond to and recover from cyber incidents. Together, these standards provide a comprehensive approach to managing IT risks in the financial sector.