A third of Jersey financial services businesses are not prepared for a cyber incident

According to a cyber-security survey conducted by the Jersey Financial Services Commission (JFSC), 32% of local financial services companies which responded did not have a cyber incident response plan in place. Equally a third of respondents did not have a documented risk-assessment of cyber-security risks for their firm.

The survey, which was completed by 129 firms both on a mandatory and voluntary basis, also revealed the top five threats perceived by companies to be unintentional and deliberate information leaks, fraud, malicious code, and social engineering attacks.

The JFSC undertook the survey to establish the overall maturity of local financial businesses’ cyber-security practices. The regulator identified a cross-section of 75 licensed firms which were required to complete the survey, while a further 54 volunteered to respond to the 42 questions.

John Harris, JFSC Director General commented:
“The frequency, sophistication and impact of cyber-attacks is increasing so it is vitally important to ensure that Jersey has, and maintains, a reputation for sound cyber-security. We do not explicitly regulate local firms’ cyber-security practices but we do monitor how companies are assessing and mitigating risks to their businesses, and we expect them to notify us if a cyber incident has taken place. On the whole, the findings of our survey were mainly positive. The areas of concern are the relatively large proportion of firms that are yet to make cyber-security a business priority and the significant number that are not implementing controls around third parties, such as contractors, suppliers and customers.”

Darren Boschat, Head of Supervisory Risk added:
“The findings of our survey very much reflects the results of a recent UK Government survey. We approached a wide spectrum of firms both in terms of size and regulated sectors which naturally led to a spread in the level of cyber-security maturity. While we recognise that the results are not necessarily representative of the industry as a whole, overall they do suggest that Jersey’s financial services sector has a reasonably high level of cyber-security maturity, albeit it developing. It is positive to note that more than two thirds of those companies surveyed do expect to spend more money on cyber-security in the coming year so it is clearly becoming more of a priority.”

Following the results of the survey, the JFSC is now developing further its own cyber-security strategy in addition to devising a bespoke toolkit for its supervisors so that they can better oversee and monitor local firms in this regard. The JFSC will also provide some guidance on where to seek further help for those firms unfortunate enough to be subject to an incident.

Additional Information

For the full results of the JFSC’s cyber-security thematic results click here
For a summary report of the cyber-security thematic results click here

Survey highlights

• The survey sample was made up of firms who were required to respond and those who responded voluntarily. The mandatory sample was selected in order to include a range of firms across the various regulated sectors. However, statistical inferences, margins of error and confidence intervals cannot be applied to this data given our sample was not statistically selected.
• 42% of firms completing the survey did so on a voluntary and anonymous basis and it is therefore possible that those firms that chose not to respond may be substantially different from those that chose to respond.
• All data is based upon the responses provided by firms and no attempt has been made to validate or seek evidence for the responses given.
• While every effort has been made to verify the accuracy of the information in this report and the Appendices, the JFSC cannot accept any liability for reliance by any person on this report or any of the information, opinions or conclusions herein.