Monday 23rd December 2024

Comsure operates in: the UK, Jersey, Guernsey

JFSC Issues Dear CEO Letter on Cybersecurity

On 22 February, the Jersey Financial Services Commission (JFSC) issued a Dear CEO letter to highlight the growing importance of cybersecurity arrangements and the Commission’s expectations of registered persons in this regard.

Although the Commission has not developed its own principles and/or guidance, it is expected that registered persons will take appropriate steps to manage their cybersecurity arrangements. As with other operational risks, the management, monitoring and mitigation of cybersecurity risks will be subject to the relevant Codes of Practice.

The letter provides examples of some of the common risks related to cybersecurity (i.e. data theft, reputational damage and misappropriation of client assets) and a list of online material for managing cybersecurity risks, including US and UK guidance.

What is the applicable regulation?

In most cases, Principle 3 of the JFSC’s Codes of Practice will be applicable. It states: “a registered person must organise and control its affairs effectively for the proper performance of its business activities and be able to demonstrate the existence of adequate risk management systems”. As per the additional guidance, and in order to comply with this Principle, appropriate arrangements are required in the areas of corporate governance, internal systems and controls, and record keeping.

What does this mean in practice?

As a minimum, the Commission would expect the registered person to:

  • Understand and document the risk of a cyber-attack on their business and take appropriate documented measures to mitigate this risk
  • Have in place appropriate contingency arrangements that they can deploy in the event of a cyber-attack, and test the effectiveness of those arrangements at appropriate intervals
  • Ensure that the Board of Directors (or equivalent) takes overall responsibility for ensuring that the firm adequately addresses cyber-security risks

The registered person will also need to notify the Commission of a cyber-attack where the attack might reasonably be expected to affect its registration, or where disclosure would be in the interests of its clients/investors.

