This page provides a resource for registered persons to help them with a number of aspects of cyber security, including:
- understanding their regulatory obligations;
- guidance on understanding and mitigating the risk;
- guidance on reporting an incident; and
- sharing information about threats.
Understanding regulatory obligations
The Dear CEO Cyber-Security Letter makes it clear that the Codes of Practice require registered persons to understand and manage risks, including cyber security risks, that could affect their business or customers.
What this involves will differ from firm to firm, depending on its risk profile. A firm’s risk profile will be influenced by a number of factors, such as the size of the firm, the size of its customer base, the business it conducts, the records it holds and the likelihood of a cyber security breach / attack.
The JFSC Cyber-Security Survey of cyber-security arrangements carried out in mid-2017 provides some further information about how registered persons are managing this risk and notes some areas requiring further focus.
Guidance on understanding and mitigating cyber security risk
The Dear CEO Cyber-Security Letter includes links to a number of resources that firms can use to help them understand and mitigate their cyber security risks. In summary, these resources include:
- Cyber Essentials - http://www.cyberessentials.org
- National Institute of Standards and Technology (NIST) - https://www.nist.gov/cyberframework
- ISO 27001 / 27032 - https://www.iso.org/isoiec-27001-information-security.html / https://www.iso.org/standard/44375.html
Registered persons should consider which standard, or combination of standards, is most relevant to them and be aware that the standards may be updated from time to time.
The JFSC Cyber-Security Survey of cyber-security arrangements provides some further information about the steps that registered persons may take to help them to understand and manage the risks.
Guidance on reporting an incident
Firms often ask who to call when they become aware of, or suspect, a cyber security breach. We have produced a non-exhaustive list below:
JFSC: The relevant laws (Article 28(3) of the Financial Services (Jersey) Law 1998, Article 22(3) of the Banking Business (Jersey) Law 1991) and / or Codes of Practice require registered persons to disclose certain information to the JFSC. That information is, generally speaking, information which i) is relevant to the JFSC’s supervisory role, ii) might reasonably be expected to affect the person’s registration, or iii) would be in the interests of its clients / investors to disclose. As a minimum, we would expect registered persons to report any cyber security incident that:
- results in or risks client information being accessed by third parties without appropriate authorisation;
- results in or risks client assets being misappropriated (banks or other registered persons that process significant volumes of transactions should take a risk-based approach, focussed on reporting incidents that appear to be significant or persistent in nature and do not arise solely as a result of customer-initiated payments);
- involves a significant or widespread compromise of the registered person’s computer systems;
- may have a material detrimental impact on the registered person or the jurisdiction; or
- results in, or is likely to result in, non-compliance with financial services laws or Codes of Practice.
Please note that the JFSC is not in a position to provide technical support to persons who have experienced, or are experiencing, a cyber security incident.
States of Jersey Police: Any crime or suspicion of a crime can be reported to the States of Jersey Police. The Police have a High Tech Crime Unit, which is equipped to undertake the forensic examination and retrieval of evidence or intelligence from computers, computer-related media and other digital devices.
Office of the Information Commissioner: Although there is currently no legal obligation on data controllers to report breaches of security, the Office of the Information Commissioner would encourage reporting of serious breaches of security that put personal data at risk. The legal position on reporting, amongst other things, will change with the implementation of the General Data Protection Regulation (an EU Regulation, which comes into effect on 25 May 2018) and the new proposed Jersey Data Protection Laws.
Action Fraud: Action Fraud is the UK’s national reporting centre for fraud and cyber crime.
Sharing information about threats
The JFSC supports the sharing of information about threats or potential threats. Although the JFSC is not in a position to actively monitor threats and alert registered persons to them, we do occasionally issue alerts when we become aware of significant imminent threats. The alerts issued by the JFSC can be found here.
Other ways to stay up to date with threats include subscribing to Action Fraud, the Cyber Security Information Sharing Partnership (CiSP), using social media (e.g. Twitter feeds) or other newsletters. Further details about the CiSP are available here: https://www.ncsc.gov.uk/cisp. In order to become a CiSP member, firms will need to be sponsored by an existing CiSP member or certain other organisations. As an existing CiSP member, the JFSC is able to sponsor other firms to become members.