Cyber Security Examinations

The JFSC has announced that cyber security is to be one of the themes to be assessed next year as part of their onsite examination programme. However, because this is a new theme, and indeed a relatively new risk facing the industry, the JFSC’s expectations in terms of cyber security are unclear albeit that there were a few hints made in their Dear CEO letter of February 2016.

Nausicaa Delfas, Director of Specialist Supervision at the Financial Conduct Authority, spoke at the FT Cyber Security Summit last month. Her speech explained what the FCA will be looking for in their cyber security examinations and, consequently, may provide an indication of areas the JFSC, in turn, might examine.

The elements highlighted by Ms Delfas were:

Governance – are senior management engaged, with clear lines of responsibility and effective challenge of cyber security matters at a board level? Locally, the JFSC have said they would expect the business’s Business Risk Assessment to document its analysis of cyber security risk and how the risk is managed;

Identification and protection of key assets – this should include regular testing of IT defences, security screening of personnel and staff training so they can recognise phishing emails;

Detection capabilities – the business’s ability to detect attacks, its intelligence capabilities and systems;

Recovery and response – is the business prepared for continuity and preservation of data in the event of a disruption, as well as timely communication (where appropriate) to clients and markets?

Regulator – the FCA expects to be notified of any material breaches of a business’s cyber security so that it can identify and tackle patterns of attacks to help protect industry as a whole. The JFSC has the same expectation, especially where the breach might reasonably be expected to affect the business’s registration or be in the interests of clients to disclose.

In her speech, Ms Delfas also explained three emerging cyber security risks:

1. Ransomware – highlighted by Ms Delfas as the first emerging risk, we are aware from clients that a number of businesses in Jersey have recently been subject to ransomware attacks. The FCA expects businesses to consider how they would address self-replicating ransomware which could spread through their IT systems, whether their backups would work in such a scenario and how effectively staff are trained, in particular to identify phishing emails;
2. Data storage – a business must understand how its data is protected, for example where cloud storage is used, and the associated risks;
3. Skills – there is an industrywide shortage of skilled staff to analyse data and respond to threats and the FCA wants to understand how businesses are responding to this issue.

The FCA has observed that most security breaches were caused by basic failings such as poor perimeter defences, old systems and a lack of staff awareness. They have already published some guidance on their website and have promised to issue more. The full text of Ms Delfas’s speech is available at https://www.fca.org.uk/news/speeches/our-approach-cyber-security-financial-services-firms. The JFSC’s Dear CEO letter contains a list of sources of further information and is published on their website.

The Panama Papers and increasing level of ransomware attacks have made cyber security a priority for both regulators and regulated businesses. By considering the points raised in Ms Delfas’s speech and the JFSC’s Dear CEO letter, and putting in place some practical measures in response, businesses will hopefully be able to enhance their cyber protection and, secondly, be confident they are prepared for a cyber security themed examination.