Jersey Financial Services Commission
Understanding your regulatory obligations

The frequency, sophistication and impact of cyber-attacks are increasing, and the impact of a successful attack can be significant.

Common risks involve:

  • data / information theft
  • misappropriation of client assets
  • reputational damage

These all carry financial costs, which may be significant and may also result in breaches of the law and / or, for registered persons, regulatory action.

As a registered person, the Codes of Practice require you to understand and manage risks, including cyber-security risks, which could affect your business or customers.

This will differ from firm to firm, depending on its risk profile. A firm’s risk profile will be influenced by a number of factors, such as:

  • the size of the firm
  • the size of its customer base
  • the business it conducts
  • the records it holds
  • the likelihood of a cyber-security breach / attack

Guidance on understanding and mitigating cyber security risk

Given the potential impact on businesses, the public and the reputation of Jersey, we want to ensure that you have the appropriate cyber-security measures in place. To help with this, we have identified a number of resources that can help you identify and manage these risks.

Cyber essentials

The Cyber Essentials scheme is a cyber-security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber-security effectively and mitigating the risk from internet-based threats.

This is likely to be a core resource that is appropriate to most registered persons, especially smaller and medium sized firms.

http://www.cyberessentials.org

National Institute of Standards and Technology (NIST)

The framework is voluntary guidance, based on existing standards, guidelines, and practices for organisations to better manage and reduce cyber-security risk. It is a detailed methodology for understanding risks and designing appropriate mitigation and control mechanisms.

https://www.nist.gov/cyberframework

ISO standards

The International Standards Organisation has developed standards on information security (ISO 27001) and cyber-security (ISO 27032).

https://www.iso.org/isoiec-27001-information-security.html

https://www.iso.org/standard/44375.html

You should consider which standard, or combination of standards, is most relevant to you and be aware that the standards may be updated from time to time.

JFSC cyber-security survey 2016

The JFSC Cyber-Security Survey provides some further information about the steps that you can take to help to understand and manage the risks.

Guidance on reporting an incident

You should contact the following:

Jersey Financial Services Commission

The relevant laws and / or Codes of Practice require registered persons to disclose certain information to the JFSC.

This is information that:

  1. is relevant to the JFSC’s supervisory role
  2. might reasonably be expected to affect the person’s registration
  3. might be in the interests of its clients / investors to disclose

As a minimum, we would expect you to report any cyber-security incident that:

  • results in or risks client information being accessed by third parties without appropriate authorisation
  • results in or risks client assets being misappropriated (banks or other registered persons that process significant volumes of transactions should take a risk-based approach, focussed on reporting incidents that appear to be significant or persistent in nature and do not arise solely as a result of customer-initiated payments)
  • involves a significant or widespread compromise of the registered person’s computer systems
  • may have a material detrimental impact on the registered person or the jurisdiction or
  • results in, or is likely to result in, non-compliance with financial services laws or Codes of Practice.

The JFSC is not in a position to provide technical support to persons who have experienced, or are experiencing, a cyber-security incident.

States of Jersey Police

Any crime or suspicion of a crime can be reported to the States of Jersey Police. The Police have a High Tech Crime Unit which is equipped to undertake the forensic examination and retrieval of evidence or intelligence from computers, computer-related media and other digital devices.

Jersey Office of the Information Commissioner (JOIC)

A notification to the JOIC may be required in the event of a personal data breach. The JOIC has produced guidance on breach reporting requirements:

How to report a breach to the Jersey Office of the Information Commissioner

Complete a breach notification form

Action Fraud

Action Fraud is the UK’s national reporting centre for fraud and cyber-crime.

https://www.actionfraud.police.uk/

Receiving updates about threats

Although we aren’t in a position to actively monitor threats and alert registered persons to them, we do occasionally issue alerts and updates when we become aware of significant imminent threats.

Subscribe to our updates

Follow us on Twitter

Follow us on Facebook

Follow us on LinkedIn

Other ways to stay up-to-date with threats include:

Subscribe to Action Fraud

Subscribe to CISP updates


Industry updates

Industry updates about cyber-security and cyber attacks on Jersey businesses

  • Dear CEO: cyber security reminder to businesses
  • JFSC warning following alleged cyber-attacks on Jersey businesses
  • JFSC warning following £450k targeted cyber fraud attempt
  • JFSC issues guidance on WannaCry cyber attack
© 2026 Jersey Financial Services Commission
