Cyber/Information Security Information Pack for Boards
30th October 2018

The Guernsey Financial Services Commission (“The Commission”) recognises that cyber and information security is a high priority risk area for organisations of all sizes. The Commission considers that all financial services firms and prescribed businesses in the Bailiwick of Guernsey should have a structured approach to managing cyber and information security. Cyber and information security should be taken seriously by the Board and included, along with more established risks, within a firm’s overall strategy for risk management. Although cyber threats are constantly evolving and are not limited by geographical borders, most attacks from cyber-criminals are not sophisticated, and the likelihood of being a victim of data theft or a ransomware attack can be dramatically reduced by basic business operational and cyber hygiene policies. Good cyber security is therefore necessary and appropriate to ensure the sustainability of businesses and the reputation of the financial services sector within the Bailiwick.
Concurrently with this communication, which builds upon the existing Cyber Security Regulatory Guidance issued in March 2016, the Commission is undertaking a thematic review of cyber/information security across supervised firms. The outcomes of this thematic review will form the basis for further amendment to our existing guidance.
In the meantime, the Commission strongly supports firms considering guidance published by the UK National Cyber Security Centre (NCSC), including the “10 Steps to Cyber Security” (which explains why protecting your information is a board-level responsibility and details how organisations can protect themselves in cyberspace) and the recently released “Board toolkit: five questions for your Board’s agenda”. Links to these, and to other recommended resources for company Boards, are listed below:
1. NCSC 10 Steps to Cyber Security, providing guidance on why protecting your information is a board-level responsibility and giving details on how organisations can protect themselves in cyberspace.
https://www.ncsc.gov.uk/guidance/10-steps-cyber-security
2. NCSC Board toolkit: five questions for your Board’s agenda
https://www.ncsc.gov.uk/guidance/board-toolkit-five-questions-your-boards-agenda
3. NCSC Small Business Guide, providing guidance on the steps small business can take to improve cyber security quickly, easily and at minimal cost.
https://www.ncsc.gov.uk/smallbusiness
4. NCSC Threats to the Legal Sector – we have included this document because many of the threats faced by legal firms will be the same threats facing many financial services firms in the Bailiwick, given the nature and sensitivity of the data held.
https://www.ncsc.gov.uk/legalthreat
Definitions
“Firms” includes all entities subject to supervision by the GFSC.
“Board” in relation to a body, includes the board of directors (including those who occupy or fulfil the position of directors by whatever name called) or the committee or other similar governing body.