What do GFSC’s set of cyber security rules mean to firms?
With the GFSC seeking industry views on the introduction of a set of cyber security rules, Chris Eaton, director and risk assurance lead, PwC in the Channel Islands, looks at what this means for regulated firms
THE Guernsey Financial Services Commission has issued proposed cyber security rules and guidance consultation papers applying to all firms licensed under the GFSC regulatory laws.
The issuance of the rules follows on from the commission’s 2019 cyber risk thematic, which was previously presented to industry.
The rules and accompanying guidance adopt the five core principles of identify, protect, detect, respond and recover, which are found within the US Department of Commerce, National Institute of Standards and Technology framework. This was established in 2014 in order to reduce cyber risk to critical infrastructure.
Those tasked with compliance should now assess the extent to which their organisations meet these proposed new regulatory obligations, and consider preparing a road map of activities necessary to complete in order to meet those requirements in a timely manner.
The key features of the rules require licensed firms to ‘have in place appropriate policies, procedures and controls to mitigate the risk posed by cyber security events’.
Within the guidance, there is emphasis that the rules are not intended to be prescriptive, but rather a pragmatic, risk-based approach has been adopted.
Accordingly, the methods that a licensee uses to establish, implement and maintain its cybersecurity framework in compliance with the rules are expected to take into consideration the size and complexity of their business and the nature of their cyber risk exposure.
There is an expectation that firms will have in place measures that not only identify assets at risk and protect and mitigate those cyber risks, but to also detect when events occur and allow for licensees to respond to and recover from cyber-attacks effectively.
This aligns with the NIST framework and allows organisations to develop a response based on established standards and best practice.
At the outset, there is an obligation on firms to be able to provide evidence that they have considered and implemented the requirements contained in the rules. Importantly, those measures which are then adopted must also be reviewed periodically, and in response to a trigger event or an identified cyber security event.
Cyber security framework
The rules and guidance set out a non-exhaustive list of factors that should be included in the identify, protect, detect, respond and recover categories. The main areas of focus follow the logical flow of the framework.
The identification of material systems, people and data assets is identified as a key requirement, along with subsequent risk assessment considering the potential damage that may occur in the event of a loss of confidentiality, integrity or availability related to those assets. This is set out as an asset-based risk assessment, with explicit recognition that cyber risk extends beyond those classic IT assets that might historically have been considered.
There is a need to retain documentation that is sufficient to illustrate how the risk treatment options were assessed and how the appropriate selection of controls to address the cyber security risks was undertaken. This is to span a range of control areas including certain technical controls, people controls and administrative policy/governance controls.
Among the technical controls that are identified for consideration are network monitoring tools; vulnerability management, patch management, two/multi factor authentication; email protection tools; anti-malware; mobile device management and data loss prevention. The people controls called out within the guidance include the routine provision of end user awareness cyber security training and phishing testing.
Finally, the administrative policy and governance controls require creation and maintenance of a set of policies and procedures, covering at a minimum nine core identified elements; the periodic review of tools, products and services; and the production of management information reporting to the board, to include specific metrics and overall compliance status.
In addition, there is a need for firms to establish clear, documented and effective processes for responding to, containing and recovering from cyber-attacks, breaches and incidents. This necessitates the creation, maintenance, exercising and rehearsal of documented cyber incident response and recovery plans and playbooks based on prioritised cyber scenarios.
Complementing those requirements is the related obligation to have a demonstrable understanding of the steps needed to be taken in order to restore business capabilities following a cyber security event.
Responsibility
The rules make it clear that it is the board of directors, or equivalent, that is responsible for ensuring that the cyber rules are followed. The specific obligations of the board or equivalent span the lifecycle from evaluation of cyber risk and impact through to periodic review of compliance and assessment of associated management information reporting of cyber risk.
The consultation closes on 2 November and firms should take the opportunity to review the maturity of current cyber security programmes relative to the NIST standard as part of their broader risk management processes, identify any potential gaps and plan for remediation ahead of the implementation date.
n The proposed rules and guidance can be found here: https://bit.ly/3oBLOxC.
https://consultationhub.gfsc.gg/banking-and-insurance-supervision-and-policy/cyber-security-rules-and-guidance-consultation-pap/