JFSC Issues Dear CEO Letter on Cybersecurity
On 22 February, the Jersey Financial Services Commission (JFSC) issued a Dear CEO letter to highlight the growing importance of cybersecurity arrangements and the Commission’s expectations of registered persons in this regard. Although the Commission has not developed its own principles and/or guidance, it is expected that registered persons will take appropriate steps to manage their cybersecurity arrangements. As with other operational risks, the management, monitoring and mitigation of cyber security risks will be subject to the relevant Codes of Practice.
The letter provides examples of some of the common risks related to cybersecurity (i.e. data theft, reputational damage and misappropriation of client assets) and a list of online material for managing cybersecurity risks, including US and UK guidance.
What is the applicable regulation?
In most cases, Principle 3 of the JFSC’s Codes of Practice states will be applicable: “a registered person must organise and control its affairs effectively for the proper performance of its business activities and be able to demonstrate the existence of adequate risk management systems”. As per the additional guidance and in order to comply with this Principle, appropriate arrangements are required in the areas of corporate governance, internal systems and controls and record keeping.
What does this mean in practice?
As a minimum, the Commission would expect the registered person to:
- Understand and document the risk of a cyber-attack on their business and take appropriate documented measures to mitigate this risk
- Have in place appropriate contingency arrangements that they can deploy in the event of a cyber-attack and their effectiveness should be tested at appropriate intervals
- Boards of Directors (or equivalent) should take overall responsibility for ensuring that their firm adequately addresses cyber-security risks
The registered person will also need to notify the Commission in a case of a cyber-attack where such attack might reasonably be expected to affect its registration or be in the interests of its clients/investors to disclose.
How can Duff & Phelps help?
Our experienced team will work with your firm to help understand your business workflow and deliver the appropriate risk management approach. This approach will help create a robust Cybersecurity framework with the following components:
- Sensitive and critical data Identification
- Penetration Testing & Vulnerability Assessment
- Create a Written Information Security Policy (WISP)
- Development of an Incident response plan (IRP)
- Deliver an Acceptable Use Policy
- Identify critical third parties and provide a comprehensive risk management review (RMR)
- End User Cybersecurity Training ( In-person or Online )
- Phishing and spear-phishing email tests
- Ongoing Cybersecurity advisory services