- The 2016 Panama Papers leak and the increasing level of ransomware attacks have made cyber security a priority for both regulators and regulated businesses.
- With this in mind, the JFSC announced in 2016 that cyber security would be one of the themes assessed as part of its 2017 onsite examination programme.
WHAT SHOULD YOU EXPECT?
- The JFSC Dear CEO letter of February 2016 (LINK BELOW) gives a few hints.
- The FCA, the JFSC's peer regulator, gives more: Nausicaa Delfas, Director of Specialist Supervision at the Financial Conduct Authority, spoke at the FT Cyber Security Summit last month. In that speech Ms Delfas explained what the FCA would be looking for in its cyber security examinations, which may in turn indicate the areas the JFSC might examine (SPEECH LINK BELOW).
THE ELEMENTS TO CONSIDER WERE HIGHLIGHTED BY MS DELFAS:
- Regulatory requirements in this area stem from rules and principles around effective management of risk and controls (the FCA's Senior Management Arrangements, Systems and Controls sourcebook, SYSC), and these apply across a range of issues from information security to business continuity to outsourcing.
- As you might expect, the regulator (FCA/JFSC/Other) sees firms taking a number of different strategies to compliance. There are no absolutes, but the regulator (FCA/JFSC/Other) does have some expectations in this area and will be looking at such matters as:
- Governance – are senior management engaged, with clear lines of responsibility and effective challenge of cyber security matters at board level? Locally, the JFSC has said it would expect the business's Business Risk Assessment to document its analysis of cyber security risk and how that risk is managed;
- Identification and protection of key assets – this should include regular testing of IT defences, security screening of personnel and staff training so they can recognise phishing emails;
- Detection capabilities – the business’s ability to detect attacks, its intelligence capabilities and systems;
- Recovery and response – is the business prepared for continuity and preservation of data in the event of a disruption, and is there timely communication (where appropriate) to clients and markets?
- Regulator – the FCA expects to be notified of any material breach of a business's cyber security so that it can identify and tackle patterns of attacks and help protect the industry as a whole. The JFSC has the same expectation, especially where the breach might reasonably be expected to affect the business's registration, or where disclosure would be in the interests of clients.
IN HER SPEECH, MS DELFAS EXPLAINED THREE EMERGING CYBER SECURITY RISKS:
- Ransomware – highlighted by Ms Delfas as the first emerging risk; the regulator (FCA/JFSC/Other) is aware from clients that some businesses in Jersey have recently been subject to ransomware attacks. The FCA expects businesses to consider how they would address self-replicating ransomware that could spread through their IT systems, whether their backups would still work in such a scenario, and how effectively staff are trained, in particular to identify phishing emails;
- Data storage – a business must understand how its data is protected, for example where cloud storage is used, and the associated risks;
- Skills – there is an industry-wide shortage of skilled staff to analyse data and respond to threats, and the FCA wants to understand how businesses are responding to this issue.
REGULATORY GUIDANCE
- The full text of Ms Delfas’s speech is available at: http://bit.ly/2dfXSnZ
- The FCA has already published some guidance on its web site and has promised to issue more: http://bit.ly/2dfXSnZ
- The JFSC’s Dear CEO letter contains a list of sources of further information and is published on their web site: http://bit.ly/2jeQFFR
CONCLUSION
- By considering the points raised in Ms Delfas's speech and the JFSC's Dear CEO letter, and putting in place some practical measures in response, businesses should be able both to enhance their cyber protection and to be confident that they are prepared for a cyber security themed examination.
- So to conclude, cyber is a threat that is ever evolving and ever increasing, and I would like to leave you with an observation:
- Most attacks are caused by basic failings –
- You can trace the majority back to poor perimeter defences, unpatched, or end-of-life systems, or just a plain lack of security awareness within an organisation.
- So the regulator (FCA/JFSC/Other) strongly encourages firms to develop and instil a holistic 'security culture', covering not just technology, but people and processes too.
- You can expect to hear more from us on cyber resilience.
- The regulator (FCA/JFSC/Other) will be reaching out to a much wider range of firms than it has to date, and focussing on those in which a successful attack might pose the greatest risk to its objectives.
- The regulator (FCA/JFSC/Other) will be looking closely at the cyber practices of these firms.
- Cyber remains a priority for the FCA.
- The regulator (FCA/JFSC/Other) remains keen to work with industry to drive up standards and to help the UK [Jersey ETC.] remain a safe place to do business.