R199,00
Use this Cyber Security Policy Template to document how your FSP protects systems, devices, client information, passwords, backups, remote access and cyber incident response controls.
Description
Cyber Security Policy Template for South African FSPs
The Cyber Security Policy Template is an editable downloadable document designed for Financial Services Providers that need a practical framework for protecting client information, business records, systems, devices, cloud platforms and digital communication channels.
This Cyber Security Policy Template helps an FSP document reasonable cyber security controls for access management, passwords, multi-factor authentication, phishing, email safety, secure data transfer, remote work, backups, cyber incident response, third-party ICT due diligence and cyber awareness training.
For related compliance templates, you may also view our Recordkeeping Policy Template, Disaster Recovery Policy and Procedures and Business Continuity Policy and Procedures.
For official regulatory context, you can also visit the FSCA FAIS regulated entities page.
What Is Included In This Cyber Security Policy Template?
This template is designed to help FSPs move away from informal cyber security practices and create a documented control framework that supports operational ability, client confidentiality, POPIA safeguards and business continuity.
The policy includes sections for:
- Policy review and version control sheet
- Change log
- Training and implementation record
- Introduction to cyber security governance
- Purpose and objectives
- Scope of application
- Regulatory and governance context
- Definitions, including cyber security, confidential information, incident, phishing, malware, MFA and operator
- Governance and responsibilities
- Classification and protection of information
- Device and endpoint security
- Password, MFA and authentication controls
- Email, phishing and messaging security
- Secure data transfer and storage
- Remote work and personal device controls
- Access management
- Backups and restoration
- Cyber incident reporting and response
- Third-party and outsourced IT controls
- Cyber security training and awareness
- User onboarding, change and offboarding procedures
- Password reset procedure
- Suspicious email or phishing procedure
- Lost or stolen device procedure
- Secure information transfer procedure
- Backup and restore testing procedure
- Cyber incident response procedure
- Monitoring, assurance and review
- Breaches, disciplinary action and policy review
Cyber Security Policy Template Annexures Included
The Cyber Security Policy Template includes practical annexures that help the FSP evidence cyber security implementation, access control, incident reporting, backup testing and staff awareness.
The annexures include:
- Annexure A: Cyber Security User Acknowledgement
- Annexure B: Cyber Asset Register
- Annexure C: System Access Rights Register
- Annexure D: User Access Request / Change / Removal Form
- Annexure E: Password and MFA Compliance Checklist
- Annexure F: Email / Phishing Incident Report Form
- Annexure G: Cyber Security Incident Register
- Annexure H: Data Transfer Approval Register
- Annexure I: Device Allocation and Return Register
- Annexure J: Backup and Restore Test Log
- Annexure K: Third-Party ICT Due Diligence Questionnaire
- Annexure L: Monthly Cyber Security Review Checklist
- Annexure M: Cyber Security Awareness Training Register
Why FSPs Need a Cyber Security Policy Template
FSPs rely on digital systems to store client records, advice records, FICA documents, financial records, emails, call recordings, CRM notes, compliance evidence and personal information. If these systems are not protected, the FSP may face data loss, client harm, business interruption, POPIA risk, fraud, cybercrime and reputational damage.
A written Cyber Security Policy Template helps the FSP show that cyber security is managed as part of governance, operational ability, recordkeeping, data protection, business continuity and compliance.
This template helps address common weaknesses such as:
- No written cyber security policy
- No cyber asset register
- No system access rights register
- No formal user access request, change or removal process
- No password and MFA compliance checklist
- No phishing incident report form
- No cyber security incident register
- No data transfer approval register
- No device allocation and return register
- No backup and restore test log
- No third-party ICT due diligence questionnaire
- No monthly cyber security review checklist
Password, MFA and Access Management Controls
The template includes practical controls for passwords, multi-factor authentication and access management. It guides the FSP to ensure that users only receive access required for their role, administrator access is limited, leaver access is removed promptly and high-risk systems are reviewed regularly.
The system access rights register and user access request form help the FSP evidence who had access, why access was granted, who approved it and when it was changed or removed.
Phishing, Email and Secure Data Transfer Controls
The Cyber Security Policy Template includes procedures for suspicious emails, phishing, secure data transfer and incorrect disclosure risks. It reminds users not to click suspicious links, not to open unknown attachments, and to verify payment or banking detail changes using a trusted second channel.
The data transfer approval register helps the FSP record sensitive or high-volume information transfers, including the recipient, purpose, transfer method and approval.
Cyber Incident Response and Backup Testing
The pack includes a cyber incident response procedure covering identification, reporting, containment, assessment, eradication, recovery, notification and post-incident review.
The backup and restore test log helps the FSP evidence that backups are not only performed, but can also be restored and verified. This supports disaster recovery readiness and helps reduce the impact of ransomware, system failure, data corruption or accidental deletion.
Third-Party ICT Due Diligence
Where an outsourced IT provider, cloud service, CRM provider, website developer, LMS provider or other technology supplier accesses the FSP’s systems or personal information, the FSP should understand the security and POPIA risks.
The third-party ICT due diligence questionnaire helps the FSP record what services the provider performs, whether personal information is accessed, whether security controls are in place, whether backups are tested, whether incident response procedures exist and whether contracts include confidentiality, POPIA operator and breach notification duties.
Who Should Use This Cyber Security Policy Template?
- Authorised Financial Services Providers
- Small and owner-managed FSPs
- Key Individuals responsible for operational ability
- FSPs using cloud storage, CRM, email, websites, LMS platforms or accounting systems
- FSPs with remote workers or approved personal device use
- FSPs processing client information, FICA records, advice records or financial records electronically
- Compliance officers assisting FSPs with cyber, POPIA and operational resilience controls
Editable and Customisable Cyber Security Template
This Cyber Security Policy Template is editable and must be customised before use. The FSP must insert its name, FSP number, policy owner, Information Officer, IT support provider, systems used, devices, access review process, backup arrangements, incident response contacts and evidence storage location.
The annexures should be completed and aligned to the FSP’s actual systems, users, cloud platforms, outsourcing arrangements and cyber risk profile before the policy is approved and implemented.
Important Compliance Note
This Cyber Security Policy Template is a compliance and governance support document. It does not replace IT security advice, cybersecurity consulting, POPIA breach advice, forensic investigation, legal advice, software configuration or a full cyber risk assessment. Each FSP remains responsible for ensuring that the final policy is accurate, practical, implemented, monitored and aligned with its actual systems, devices, service providers and regulatory obligations.