Cybersecurity is as much about technology as it is about people, including the Board of Directors. Board members have a unique responsibility to protect their company’s assets and customer information. They no longer have the luxury to keep cybersecurity on the side-lines for IT to manage. They must work to integrate the cybersecurity strategy with the overarching business strategy and make sure risks are appropriately addressed.
Furthermore, Board members now face lawsuits and regulatory sanctions, including fines, in the event of a cybersecurity breach, because such events will be considered a failure to uphold fiduciary and regulatory duties.
In consideration of regulatory risks, it should be noted that both the JFSC and the GFSC have issued their thoughts on what is needed.
JFSC
On 22 February, the Jersey Financial Services Commission (JFSC) issued a Dear CEO letter to highlight the growing importance of cybersecurity arrangements and the Commission’s expectations of registered persons in this regard – http://bit.ly/1VBkOsP
The letter provides examples of some of the common risks related to cybersecurity (i.e. data theft, reputational damage and misappropriation of client assets) and a list of online material for managing cybersecurity risks, including US and UK guidance.
Although the Commission has not developed its own principles and/or guidance (unlike Guernsey, see below), it is expected that registered persons will take appropriate steps to manage their cybersecurity arrangements. As with other operational risks, the management, monitoring and mitigation of cybersecurity risks will be subject to the relevant Codes of Practice. In most cases, Principle 3 of the JFSC’s Codes of Practice will be applicable, which states: “a registered person must organise and control its affairs effectively for the proper performance of its business activities and be able to demonstrate the existence of adequate risk management systems”. As per the additional guidance, and in order to comply with this Principle, appropriate arrangements are required in the areas of corporate governance, internal systems and controls, and record keeping.
GFSC
The GFSC has issued Regulatory Guidance (http://bit.ly/1WqGjNq) in which it says:
The Commission wishes to impress on firms the need for them to ensure that they take their responsibilities in respect of cyber security seriously. Firms are reminded of their obligation to keep the Commission informed of matters involving financial crime and other serious operational problems. Any serious or significant incident involving data loss, financial loss or denial of service type attacks, whether actual or prevented, should be reported to the Commission in a timely manner.
The ability for firms to provide a secure and uninterrupted service should form an important part of their operational risk considerations. The increasing frequency and sophistication of cyber-attacks means that this is something which requires constant monitoring. Firms not only need to build defensive resilience to such attacks but also need to have the capability to recover quickly from the impact of a successful breach.
There is a considerable amount of professional guidance available on this subject. There is no regulatory obligation to follow the guidance contained in the links below but they do provide some very helpful practical assistance:
Centre for the Protection of National Infrastructure: http://bit.ly/1Ynvc8Q
CERT-UK: http://bit.ly/1VUgV62
GCHQ: http://bit.ly/1QZTf8f
What does this mean in practice?
As a minimum, both Commissions would expect their regulated persons to:
- Understand and document the risk of a cyber-attack on their business, and take appropriate documented measures to mitigate this risk
- Have in place appropriate contingency arrangements that they can deploy in the event of a cyber-attack, and test their effectiveness at appropriate intervals
- Ensure that their Board of Directors (or equivalent) takes overall responsibility for ensuring that the firm adequately addresses cybersecurity risks
- Notify the Commission of any cyber-attack that might reasonably be expected to affect their registration, or that it would be in the interests of their clients/investors to disclose
Action
In consideration of the above matters, it is clear that the CIO now has a responsibility to communicate the cybersecurity strategy to Board members and make them aware of critical risks, to help avoid personal liability.
Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand, but that level of granularity is not necessary for the Board. However, at a minimum, the Board should understand how cybersecurity failures can impact the business.
The Board should know how critical business processes could be affected by a breach, how decisions are made during an emergency situation, and how company compliance can impact a breach.
- How critical business processes would be affected by a breach:
It is important for the CIO to review the results of regularly scheduled security assessments with the Board, so members are aware of potential threats to critical business processes and the steps being taken to safeguard against those risks. The Board is responsible for acting on information presented in risk assessments. When members take steps to address risk appropriately, they are fulfilling their fiduciary duties.
Some of the critical business processes to monitor are those that involve the customer, those that could involve a breach of company IP, and those related to financial transactions. These processes are the channels through which company and customer information move back and forth, which makes them an ideal target for an attack.
- How decisions are made in an emergency:
The Board also needs to know how decisions will be made during an incident. The CIO should review current internal compliance policies with the Board and assess how the company rates against industry-standard compliance policies. This information can be used to help the Board prioritize risks and identify areas where the most harm could be caused.
As in any emergency situation, having an internal and external communication plan is imperative. Depending on the nature of the situation, it may be necessary to involve specialized outside legal counsel. The Board should be involved in selecting an outside firm and should know what that firm’s role will be. In addition, the Board should understand how information would be documented, tracked and communicated in the event of a breach. Miscommunicated information related to a data breach, or withheld information, can mean the company and Board have failed to uphold their duties, and they would assume liability for the incident.
- How company compliance can impact a breach:
A cybersecurity breach is not the time to find out that basic compliance policies are not being followed. If external vendors are accessing internal systems, their access and permissions in the systems should be monitored and controlled just like company employees. The CIO should be aware of vendor compliance policies and know how vendors are securing company data. This type of compliance is something that companies simply cannot afford to ignore.