Cyber Security Rules 2021 - One Year On
It’s been a whole year since the GFSC’s Cyber Security Rules and Guidance 2021 came into force on 8th February 2021, with all Guernsey licensees required to demonstrate compliance by 9th August 2021. It can be easy to assume that this is “someone else’s problem” and delegate the issue to the IT department, or more frequently, an external IT provider.
However, these are important matters both for Boards and Compliance Officers to actually comprehend, and it is not enough to simply delegate away.
Material Assets and Risk Assessment
The overarching aim of the Rules is to ensure the members of the Board truly understand the risks relating to cyber security as applicable to the firm. To enable this, the GFSC expects Boards themselves to have reviewed a risk assessment connected to the material assets of the firm.
While details of the firm’s assets are likely to have come from your IT department/provider, the risk assessment element should be a Board responsibility. The IT team’s perspective on risk may differ from the Board’s own, focusing on the purely technical side of things and divorced from the wider context of the business risk management programme that the Board has sight of.
It’s not enough to say that the firm complies with a certain technical security standard without knowing, at least in basic terms, what the standard means to the business in practical terms; simply knowing you meet certain criteria does not necessarily translate to actually understanding your Board-level cyber risks.
Cyber risk management is not just about your own physical assets (e.g. your company laptops, servers etc.); we also need to look holistically at where your company and client data lies, as well as which parties have access. While your IT provider may be able to give you a list of your own IT assets, don’t forget elements that they may not have oversight of.
For example, do you appoint external independent non-executive directors? What devices do they use to access their Board packs? The software they use (for example, Board Intelligence) may be owned/licensed by the firm, but the access from external devices should also be considered within a risk assessment. What happens if a NED’s laptop is hacked? Would any hacker be able to get into your Board packs?
If your firm is administered by another firm, and you are therefore reliant on their internal IT systems, you should request information from your administrator on their own risk assessment and be able to use this to inform your own assessment.
In essence, cyber risk management (just like any other risk management) is about allowing the decision makers to make informed decisions based on the perceived risk. Therefore, each Board should be able to identify their key cyber risks, and understand any gaps in the effectiveness of the related controls. Ideally, the Board would undertake its own risk assessment, with help from the Compliance Officer, which is substantially supported and informed by the IT provider’s risk assessment of the technical aspects.
As mentioned above, the Compliance department is a huge part of the risk management framework within a firm, and is integral to fostering a positive culture. With an effective compliance culture, the firm should have an easier time in encouraging staff to do the right thing, and to comply with new requirements. As one of the biggest cyber security risks to a firm is human error, ensuring your staff are aware of their obligations is paramount. While we don’t expect Compliance Officers to be cyber experts, they can certainly help to bridge the gap between the Board and the IT department.
If either the Compliance department or the Board do not feel confident enough to interpret what the IT professionals are saying, they might consider talking to an independent advisor experienced in both cyber risk and Board-level risk management for an opinion. Remember also that an internal department or outsourced IT provider tasked by the Board with completing a cyber risk assessment is, to a certain degree, being asked to mark their own homework.
Another reason for Compliance involvement in cyber risk is that Compliance and AML/CFT data can often get missed when discussing the ability to recover from a cyber event. All too often, firms focus on financial and client data, and on protecting the client-facing side of the business to ensure clients can be serviced without interruption. But don’t forget your Compliance department. Does your Compliance Officer have remote access to your systems to continue their monitoring and respond to regulatory issues? What are the cyber and data controls around any software holding your customer due diligence information?
While in an ideal world a business would run smoothly without Compliance supervision, the stresses of getting a business back on track after an interruption event, including a cyber attack, can lead to corners being cut, or even to AML software being left out of recovery planning. You must be able to demonstrate that the firm will not fall foul of its regulatory obligations, and a cyber attack cannot be used as an excuse for non-compliance.
The GFSC guidance includes the expectation for a periodic review, not less than every 24 months. However, on top of this guidance is the additional expectation that Boards should report to their shareholders that they are comfortable with their cyber policies, controls and reporting on an annual basis.
Is this on your schedule of events for 2022 Board meetings? Is there a plan in place for triggering the review, and how long will this take? Who will complete this?
At Horsepool Consulting, we have the capability to undertake a truly independent audit of your cyber and data controls, policies and procedures, and advise the Board on your high-level risk assessment. We will provide you with independent comfort that your controls are effective, and will ensure the Board members understand the key cyber risks to your business. Get in touch with Jim, at firstname.lastname@example.org for more information.