Understanding your regulatory obligations
The frequency, sophistication and impact of cyber-attacks are increasing, and the impact of a successful attack can be significant.
Common risks involve:
- data / information theft
- misappropriation of client assets
- reputational damage
These all carry financial costs, which may be significant and may also result in breaches of the law and / or, for registered persons, regulatory action.
As a registered person, the Codes of Practice require you to understand and manage risks, including cyber-security risks, which could affect your business or customers.
The appropriate measures will differ from firm to firm, depending on its risk profile. A firm’s risk profile will be influenced by a number of factors, such as:
- the size of the firm
- the size of its customer base
- the business it conducts
- the records it holds
- the likelihood of a cyber-security breach / attack
Guidance on understanding and mitigating cyber-security risk
Given the potential impact on businesses, the public and the reputation of Jersey, we want to ensure that you have the appropriate cyber-security measures in place. To help with this, we have identified a number of resources that can help you identify and manage these risks.
The Cyber Essentials scheme is a cyber-security standard against which organisations can be assessed and certified. It identifies the security controls that an organisation must have in place within its IT systems in order to have confidence that it is addressing cyber-security effectively and mitigating the risk from internet-based threats.
This is likely to be a core resource that is appropriate to most registered persons, especially smaller and medium sized firms.
National Institute of Standards and Technology (NIST)
The NIST framework is voluntary guidance, based on existing standards, guidelines and practices, for organisations to better manage and reduce cyber-security risk. It is a detailed methodology for understanding risks and designing appropriate mitigation and control mechanisms.
The International Standards Organisation (ISO) has developed standards on information security (ISO 27001) and cyber-security (ISO 27032).
You should consider which standard, or combination of standards, is most relevant to you, and be aware that the standards may be updated from time to time.
JFSC cyber-security survey 2016
The JFSC Cyber-Security Survey provides some further information about the steps that you can take to help to understand and manage the risks.
Guidance on reporting an incident
You should contact the following:
Jersey Financial Services Commission
The relevant laws and / or Codes of Practice require registered persons to disclose to the JFSC any information that:
- is relevant to the JFSC’s supervisory role
- might reasonably be expected to affect the person’s registration
- might be in the interests of its clients / investors to disclose
As a minimum, we would expect you to report any cyber-security incident that:
- results in or risks client information being accessed by third parties without appropriate authorisation
- results in or risks client assets being misappropriated (banks or other registered persons that process significant volumes of transactions should take a risk-based approach, focussed on reporting incidents that appear to be significant or persistent in nature and do not arise solely as a result of customer-initiated payments)
- involves a significant or widespread compromise of the registered person’s computer systems
- may have a material detrimental impact on the registered person or the jurisdiction or
- results in, or is likely to result in, non-compliance with financial services laws or Codes of Practice.
The JFSC is not in a position to provide technical support to persons who have experienced, or are experiencing, a cyber-security incident.
States of Jersey Police
Any crime or suspicion of a crime can be reported to the States of Jersey Police. The Police have a High Tech Crime Unit which is equipped to undertake the forensic examination and retrieval of evidence or intelligence from computers, computer-related media and other digital devices.
Jersey Office of the Information Commissioner (JOIC)
A notification to the JOIC may be required in the event of a personal data breach. The JOIC has produced guidance on breach reporting requirements:
Action Fraud
Action Fraud is the UK’s national reporting centre for fraud and cyber-crime.
Receiving updates about threats
Although we aren’t in a position to actively monitor threats and alert registered persons to them, we do occasionally issue alerts and updates when we become aware of significant, imminent threats.
Other ways to stay up-to-date with threats include